diff options
Diffstat (limited to 'src')
635 files changed, 43513 insertions, 15935 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 8d4dd2e37..0edddc9fc 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -12,6 +12,10 @@ if USE_SIMAKA SUBDIRS += libsimaka endif +if USE_TLS + SUBDIRS += libtls +endif + if USE_FILE_CONFIG SUBDIRS += libfreeswan starter ipsec _copyright endif diff --git a/src/Makefile.in b/src/Makefile.in index 0bd728397..cb688d795 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -36,17 +36,18 @@ host_triplet = @host@ @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan @USE_LIBHYDRA_TRUE@am__append_2 = libhydra @USE_SIMAKA_TRUE@am__append_3 = libsimaka -@USE_FILE_CONFIG_TRUE@am__append_4 = libfreeswan starter ipsec _copyright -@USE_PLUTO_TRUE@am__append_5 = pluto whack -@USE_CHARON_TRUE@am__append_6 = libcharon charon -@USE_STROKE_TRUE@am__append_7 = stroke -@USE_UPDOWN_TRUE@am__append_8 = _updown _updown_espmark -@USE_TOOLS_TRUE@am__append_9 = libfreeswan openac scepclient pki -@USE_DUMM_TRUE@am__append_10 = dumm -@USE_FAST_TRUE@am__append_11 = libfast -@USE_MANAGER_TRUE@am__append_12 = manager -@USE_MEDSRV_TRUE@am__append_13 = medsrv -@USE_INTEGRITY_TEST_TRUE@am__append_14 = checksum +@USE_TLS_TRUE@am__append_4 = libtls +@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright +@USE_PLUTO_TRUE@am__append_6 = pluto whack +@USE_CHARON_TRUE@am__append_7 = libcharon charon +@USE_STROKE_TRUE@am__append_8 = stroke +@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark +@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki +@USE_DUMM_TRUE@am__append_11 = dumm +@USE_FAST_TRUE@am__append_12 = libfast +@USE_MANAGER_TRUE@am__append_13 = manager +@USE_MEDSRV_TRUE@am__append_14 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -57,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -79,10 +81,10 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libfreeswan \ - starter ipsec _copyright pluto whack libcharon charon stroke \ - _updown _updown_espmark openac scepclient pki dumm libfast \ - manager medsrv checksum +DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \ + libfreeswan starter ipsec _copyright pluto whack libcharon \ + charon stroke _updown _updown_espmark openac scepclient pki \ + dumm libfast manager medsrv checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -174,6 +176,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -205,14 +209,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -227,24 +234,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -252,7 +266,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -268,7 +285,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ $(am__append_10) $(am__append_11) $(am__append_12) \ - $(am__append_13) $(am__append_14) + $(am__append_13) $(am__append_14) $(am__append_15) EXTRA_DIST = strongswan.conf all: all-recursive diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index eb52fc52e..58ebb523c 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c index 9f0ad9785..072998345 100644 --- a/src/_copyright/_copyright.c +++ b/src/_copyright/_copyright.c @@ -20,7 +20,9 @@ #include <string.h> #include <unistd.h> #include <getopt.h> + #include <freeswan.h> +#include <library.h> char usage[] = "Usage: ipsec _copyright"; struct option opts[] = { @@ -40,6 +42,9 @@ main(int argc, char *argv[]) const char **notice = ipsec_copyright_notice(); const char **co; + library_init(NULL); + atexit(library_deinit); + while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF) switch (opt) { case 'h': /* help */ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 73ecf1abb..44c058d03 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -176,14 +179,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -223,7 +236,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 430a0cff6..2c742c010 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -124,7 +124,7 @@ # PLUTO_MARK_OUT # is an optional XFRM mark set on the outbound IPsec SA # -# PLUTO_ESP_ENC +# PLUTO_UDP_ENC # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index 10ea4312f..db44ee74e 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -176,14 +179,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -223,7 +236,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark index 42cd3607b..e078dc245 100644 --- a/src/_updown_espmark/_updown_espmark +++ b/src/_updown_espmark/_updown_espmark @@ -124,7 +124,7 @@ # PLUTO_MARK_OUT # is an optional XFRM mark set on the outbound IPsec SA # -# PLUTO_ESP_ENC +# PLUTO_UDP_ENC # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 72abca97e..5a60af3d8 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -144,6 +145,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -175,14 +178,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -197,24 +203,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -222,7 +235,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/charon/charon.c b/src/charon/charon.c index 84cd54615..fd255e919 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -283,7 +283,7 @@ static void usage(const char *msg) " [--version]\n" " [--use-syslog]\n" " [--debug-<type> <level>]\n" - " <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n" + " <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|tnc|tls|lib)\n" " <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n" " 2 = controlmore, 3 = raw, 4 = private)\n" "\n" @@ -355,6 +355,8 @@ int main(int argc, char *argv[]) { "debug-knl", required_argument, &group, DBG_KNL }, { "debug-net", required_argument, &group, DBG_NET }, { "debug-enc", required_argument, &group, DBG_ENC }, + { "debug-tnc", required_argument, &group, DBG_TNC }, + { "debug-tls", required_argument, &group, DBG_TLS }, { "debug-lib", required_argument, &group, DBG_LIB }, { 0,0,0,0 } }; diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index ad2923799..3aded1d9e 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -14,13 +14,13 @@ checksum_builder_LDADD = \ BUILT_SOURCES = checksum.c CLEANFILES = checksum.c INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic +AM_CFLAGS = -rdynamic \ + -DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \ + -DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \ + -DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \ + -DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\"" -libs = $(shell find $(top_builddir)/src/libstrongswan \ - $(top_builddir)/src/libcharon \ - $(top_builddir)/src/libhydra \ - $(top_builddir)/src/pluto \ - -name 'libstrongswan*.so') +libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so if USE_LIBHYDRA libs += $(top_builddir)/src/libhydra/.libs/libhydra.so diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 05e90a9a1..61bfc1a9d 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -55,6 +55,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -182,6 +183,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -213,14 +216,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -235,24 +241,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -260,7 +273,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -285,10 +301,13 @@ checksum_builder_LDADD = \ BUILT_SOURCES = checksum.c CLEANFILES = checksum.c INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic -libs = $(shell find $(top_builddir)/src/libstrongswan \ - $(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \ - $(top_builddir)/src/pluto -name 'libstrongswan*.so') \ +AM_CFLAGS = -rdynamic \ + -DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \ + -DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \ + -DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \ + -DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\"" + +libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so \ $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) all: $(BUILT_SOURCES) diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c index 2db68054e..dc1de99c3 100644 --- a/src/checksum/checksum_builder.c +++ b/src/checksum/checksum_builder.c @@ -19,14 +19,113 @@ #include <dlfcn.h> #include <library.h> +#include <utils/enumerator.h> /* we need to fake the pluto symbol to dlopen() the xauth plugin */ void *pluto; +/** + * Integrity checker + */ +integrity_checker_t *integrity; + +/** + * Create the checksum of a binary, using name and a symbol name + */ +static void build_checksum(char *path, char *name, char *sname) +{ + void *handle, *symbol; + u_int32_t fsum, ssum; + size_t fsize = 0; + size_t ssize = 0; + + fsum = integrity->build_file(integrity, path, &fsize); + ssum = 0; + if (sname) + { + handle = dlopen(path, RTLD_LAZY); + if (handle) + { + symbol = dlsym(handle, sname); + if (symbol) + { + ssum = integrity->build_segment(integrity, symbol, &ssize); + } + else + { + fprintf(stderr, "symbol lookup failed: %s\n", dlerror()); + } + dlclose(handle); + } + else + { + fprintf(stderr, "dlopen failed: %s\n", dlerror()); + } + } + printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n", + name, fsize, fsum, ssize, ssum); + fprintf(stderr, "\"%-20s%7u / 0x%08x %6u / 0x%08x\n", + name, fsize, fsum, ssize, ssum); +} + +/** + * Build checksums for a set of plugins in a given path prefix + */ +static void build_plugin_checksums(char *plugins, char *prefix) +{ + enumerator_t *enumerator; + char *plugin, path[256], under[128], sname[128], name[128]; + + enumerator = enumerator_create_token(plugins, " ", " "); + while (enumerator->enumerate(enumerator, &plugin)) + { + snprintf(under, sizeof(under), "%s", plugin); + translate(under, "-", "_"); + snprintf(path, sizeof(path), "%s/%s/.libs/libstrongswan-%s.so", + prefix, under, plugin); + snprintf(sname, sizeof(sname), "%s_plugin_create", under); + snprintf(name, sizeof(name), "%s\",", plugin); + build_checksum(path, name, sname); + } + enumerator->destroy(enumerator); +} + +/** + * Build checksums for a binary/library found at path + */ +static void build_binary_checksum(char *path) +{ + char *binary, *pos, name[128], sname[128]; + + binary = strrchr(path, '/'); + if (binary) + { + binary++; + pos = strrchr(binary, '.'); + if (pos && streq(pos, ".so")) + { + snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary); + if (streq(name, "libstrongswan\",")) + { + snprintf(sname, sizeof(sname), "%s", "library_init"); + } + else + { + snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary); + } + build_checksum(path, name, sname); + } + else + { + snprintf(name, sizeof(name), "%s\",", binary); + build_checksum(path, name, NULL); + } + } +} + int main(int argc, char* argv[]) { int i; - integrity_checker_t *integrity; /* avoid confusing leak reports in build process */ setenv("LEAK_DETECTIVE_DISABLE", "1", 0); @@ -47,105 +146,13 @@ int main(int argc, char* argv[]) fprintf(stderr, "module name, file size / checksum segment size / checksum\n"); for (i = 1; i < argc; i++) { - char *name, *path, *sname = NULL; - void *handle, *symbol; - u_int32_t fsum, ssum; - size_t fsize = 0; - size_t ssize = 0; - - path = argv[i]; - - if ((name = strstr(path, "libstrongswan-"))) - { - name = strdup(name + strlen("libstrongswan-")); - name[strlen(name) - 3] = '"'; - name[strlen(name) - 2] = ','; - name[strlen(name) - 1] = '\0'; - if (asprintf(&sname, "%.*s_plugin_create", strlen(name) - 2, - name) < 0) - { - fprintf(stderr, "failed to format plugin constructor " - "for '%s', ignored", path); - free(name); - continue; - } - translate(sname, "-", "_"); - } - else if (strstr(path, "libstrongswan.so")) - { - name = strdup("libstrongswan\","); - sname = strdup("library_init"); - } - else if (strstr(path, "libhydra.so")) - { - name = strdup("libhydra\","); - sname = strdup("libhydra_init"); - } - else if (strstr(path, "libcharon.so")) - { - name = strdup("libcharon\","); - sname = strdup("libcharon_init"); - } - else if (strstr(path, "pool")) - { - name = strdup("pool\","); - } - else if (strstr(path, "charon")) - { - name = strdup("charon\","); - } - else if (strstr(path, "pluto")) - { - name = strdup("pluto\","); - } - else if (strstr(path, "openac")) - { - name = strdup("openac\","); - } - else if (strstr(path, "scepclient")) - { - name = strdup("scepclient\","); - } - else if (strstr(path, "pki")) - { - name = strdup("pki\","); - } - else - { - fprintf(stderr, "don't know how to handle '%s', ignored", path); - continue; - } - - fsum = integrity->build_file(integrity, path, &fsize); - ssum = 0; - if (sname) - { - handle = dlopen(path, RTLD_LAZY); - if (handle) - { - symbol = dlsym(handle, sname); - if (symbol) - { - ssum = integrity->build_segment(integrity, symbol, &ssize); - } - else - { - fprintf(stderr, "symbol lookup failed: %s\n", dlerror()); - } - dlclose(handle); - } - else - { - fprintf(stderr, "dlopen failed: %s\n", dlerror()); - } - } - printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n", - name, fsize, fsum, ssize, ssum); - fprintf(stderr, "\"%-20s%7u / 0x%08x %6u / 0x%08x\n", - name, fsize, fsum, ssize, ssum); - free(sname); - free(name); + build_binary_checksum(argv[i]); } + build_plugin_checksums(S_PLUGINS, S_PATH); + build_plugin_checksums(H_PLUGINS, H_PATH); + build_plugin_checksums(P_PLUGINS, P_PATH); + build_plugin_checksums(C_PLUGINS, C_PATH); + printf("};\n"); printf("\n"); printf("int checksum_count = countof(checksums);\n"); diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 37751b856..7c22f5ec5 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +205,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +262,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c index 70767890b..b92be53e0 100644 --- a/src/dumm/cowfs.c +++ b/src/dumm/cowfs.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * Copyright (C) 2001-2007 Miklos Szeredi @@ -35,6 +36,8 @@ #include <library.h> #include <debug.h> #include <threading/thread.h> +#include <threading/rwlock.h> +#include <utils/linked_list.h> /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */ extern ssize_t pread(int fd, void *buf, size_t count, off_t offset); @@ -55,18 +58,66 @@ struct private_cowfs_t { char *master; /** host filesystem path */ char *host; - /** overlay filesystem path */ - char *over; + /** overlay filesystems */ + linked_list_t *overlays; + /** lock for overlays */ + rwlock_t *lock; /** fd of read only master filesystem */ int master_fd; /** copy on write overlay to master */ int host_fd; - /** optional COW overlay */ - int over_fd; /** thread processing FUSE */ thread_t *thread; }; +typedef struct overlay_t overlay_t; + +/** + * data for overlay filesystems + */ +struct overlay_t { + /** path to overlay */ + char *path; + /** overlay fd */ + int fd; +}; + +/** + * destroy an overlay + */ +static void overlay_destroy(overlay_t *this) +{ + close(this->fd); + free(this->path); + free(this); +} + +/** + * compare two overlays by path + */ +static bool overlay_equals(overlay_t *this, overlay_t *other) +{ + return streq(this->path, other->path); +} + +/** + * remove and destroy the overlay with the given absolute path. + * returns FALSE, if not found. + */ +static bool overlay_remove(private_cowfs_t *this, char *path) +{ + overlay_t over, *current; + over.path = path; + if (this->overlays->find_first(this->overlays, + (linked_list_match_t)overlay_equals, (void**)¤t, &over) != SUCCESS) + { + return FALSE; + } + this->overlays->remove(this->overlays, current, NULL); + overlay_destroy(current); + return TRUE; +} + /** * get this pointer stored in fuse context */ @@ -95,12 +146,25 @@ static void rel(const char **path) */ static int get_rd(const char *path) { + overlay_t *over; + enumerator_t *enumerator; private_cowfs_t *this = get_this(); - if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0) + this->lock->read_lock(this->lock); + enumerator = this->overlays->create_enumerator(this->overlays); + while (enumerator->enumerate(enumerator, (void**)&over)) { - return this->over_fd; + if (faccessat(over->fd, path, F_OK, 0) == 0) + { + int fd = over->fd; + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + return fd; + } } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + if (faccessat(this->host_fd, path, F_OK, 0) == 0) { return this->host_fd; @@ -113,12 +177,16 @@ static int get_rd(const char *path) */ static int get_wr(const char *path) { + overlay_t *over; private_cowfs_t *this = get_this(); - if (this->over_fd > 0) + int fd = this->host_fd; + this->lock->read_lock(this->lock); + if (this->overlays->get_first(this->overlays, (void**)&over) == SUCCESS) { - return this->over_fd; + fd = over->fd; } - return this->host_fd; + this->lock->unlock(this->lock); + return fd; } /** @@ -287,17 +355,29 @@ static DIR* get_dir(char *dir, const char *subdir) */ static bool contains_dir(DIR *d, char *dirname) { - if (d) + struct dirent *ent; + + rewinddir(d); + while ((ent = readdir(d))) { - struct dirent *ent; + if (streq(ent->d_name, dirname)) + { + return TRUE; + } + } + return FALSE; +} - rewinddir(d); - while ((ent = readdir(d))) +/** + * check if one of the higher overlays contains a directory + */ +static bool overlays_contain_dir(DIR **d, char *dirname) +{ + for (; *d; ++d) + { + if (contains_dir(*d, dirname)) { - if (streq(ent->d_name, dirname)) - { - return TRUE; - } + return TRUE; } } return FALSE; @@ -309,56 +389,54 @@ static bool contains_dir(DIR *d, char *dirname) static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi) { +#define ADD_DIR(overlay, base, path) ({\ + DIR *dir = get_dir(base, path);\ + if (dir) { *(--overlay) = dir; }\ +}) private_cowfs_t *this = get_this(); - DIR *d1, *d2, *d3; + int count; + DIR **d, **overlays; struct stat st; struct dirent *ent; + overlay_t *over; + enumerator_t *enumerator; memset(&st, 0, sizeof(st)); - d1 = get_dir(this->master, path); - d2 = get_dir(this->host, path); - d3 = get_dir(this->over, path); + this->lock->read_lock(this->lock); + /* create a null-terminated array of DIR objects for all overlays (including + * the master and host layer). the order is from bottom to top */ + count = this->overlays->get_count(this->overlays) + 2; + overlays = calloc(count + 1, sizeof(DIR*)); + d = &overlays[count]; - if (d1) + enumerator = this->overlays->create_enumerator(this->overlays); + while (enumerator->enumerate(enumerator, (void**)&over)) { - while ((ent = readdir(d1))) - { - if (!contains_dir(d2, ent->d_name) && - !contains_dir(d3, ent->d_name)) - { - st.st_ino = ent->d_ino; - st.st_mode = ent->d_type << 12; - filler(buf, ent->d_name, &st, 0); - } - } - closedir(d1); + ADD_DIR(d, over->path, path); } - if (d2) + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + ADD_DIR(d, this->host, path); + ADD_DIR(d, this->master, path); + + for (; *d; ++d) { - rewinddir(d2); - while ((ent = readdir(d2))) + rewinddir(*d); + while((ent = readdir(*d))) { - if (!contains_dir(d3, ent->d_name)) + if (!overlays_contain_dir(d + 1, ent->d_name)) { st.st_ino = ent->d_ino; st.st_mode = ent->d_type << 12; filler(buf, ent->d_name, &st, 0); } } - closedir(d2); - } - if (d3) - { - rewinddir(d3); - while ((ent = readdir(d3))) - { - st.st_ino = ent->d_ino; - st.st_mode = ent->d_type << 12; - filler(buf, ent->d_name, &st, 0); - } - closedir(d3); + closedir(*d); } + + free(overlays); return 0; } @@ -758,30 +836,53 @@ static struct fuse_operations cowfs_operations = { }; /** - * Implementation of cowfs_t.set_overlay. + * Implementation of cowfs_t.add_overlay. */ -static bool set_overlay(private_cowfs_t *this, char *path) +static bool add_overlay(private_cowfs_t *this, char *path) { - if (this->over) - { - free(this->over); - this->over = NULL; - } - if (this->over_fd > 0) - { - close(this->over_fd); - this->over_fd = -1; - } - if (path) + overlay_t *over = malloc_thing(overlay_t); + over->fd = open(path, O_RDONLY | O_DIRECTORY); + if (over->fd < 0) + { + DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path); + free(over); + return FALSE; + } + over->path = realpath(path, NULL); + this->lock->write_lock(this->lock); + overlay_remove(this, over->path); + this->overlays->insert_first(this->overlays, over); + this->lock->unlock(this->lock); + return TRUE; +} + +/** + * Implementation of cowfs_t.del_overlay. + */ +static bool del_overlay(private_cowfs_t *this, char *path) +{ + bool removed; + char real[PATH_MAX]; + this->lock->write_lock(this->lock); + removed = overlay_remove(this, realpath(path, real)); + this->lock->unlock(this->lock); + return removed; +} + +/** + * Implementation of cowfs_t.pop_overlay. + */ +static bool pop_overlay(private_cowfs_t *this) +{ + overlay_t *over; + this->lock->write_lock(this->lock); + if (this->overlays->remove_first(this->overlays, (void**)&over) != SUCCESS) { - this->over_fd = open(path, O_RDONLY | O_DIRECTORY); - if (this->over_fd < 0) - { - DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path); - return FALSE; - } - this->over = strdup(path); + this->lock->unlock(this->lock); + return FALSE; } + this->lock->unlock(this->lock); + overlay_destroy(over); return TRUE; } @@ -794,16 +895,13 @@ static void destroy(private_cowfs_t *this) fuse_unmount(this->mount, this->chan); this->thread->join(this->thread); fuse_destroy(this->fuse); + this->lock->destroy(this->lock); + this->overlays->destroy_function(this->overlays, (void*)overlay_destroy); free(this->mount); free(this->master); free(this->host); - free(this->over); close(this->master_fd); close(this->host_fd); - if (this->over_fd > 0) - { - close(this->over_fd); - } free(this); } @@ -815,7 +913,9 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount) struct fuse_args args = {0, NULL, 0}; private_cowfs_t *this = malloc_thing(private_cowfs_t); - this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay; + this->public.add_overlay = (bool(*)(cowfs_t*, char *path))add_overlay; + this->public.del_overlay = (bool(*)(cowfs_t*, char *path))del_overlay; + this->public.pop_overlay = (bool(*)(cowfs_t*))pop_overlay; this->public.destroy = (void(*)(cowfs_t*))destroy; this->master_fd = open(master, O_RDONLY | O_DIRECTORY); @@ -833,7 +933,6 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount) free(this); return NULL; } - this->over_fd = -1; this->chan = fuse_mount(mount, &args); if (this->chan == NULL) @@ -860,13 +959,16 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount) this->mount = strdup(mount); this->master = strdup(master); this->host = strdup(host); - this->over = NULL; + this->overlays = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->thread = thread_create((thread_main_t)fuse_loop, this->fuse); if (!this->thread) { DBG1(DBG_LIB, "creating thread to handle FUSE failed"); fuse_unmount(mount, this->chan); + this->lock->destroy(this->lock); + this->overlays->destroy(this->overlays); free(this->mount); free(this->master); free(this->host); diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h index d430597a8..b9334dc96 100644 --- a/src/dumm/cowfs.h +++ b/src/dumm/cowfs.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -27,12 +28,29 @@ typedef struct cowfs_t cowfs_t; struct cowfs_t { /** - * Set an additional copy on write overlay. + * Adds an additional copy on write overlay. + * + * If the path was already added as overlay, it is moved to the top. + * + * @param path path of the overlay + * @return FALSE, if failed + */ + bool (*add_overlay)(cowfs_t *this, char *path); + + /** + * Remove the specified copy on write overlay. * * @param path path of the overlay - * @return FALSE if failed + * @return FALSE, if not found + */ + bool (*del_overlay)(cowfs_t *this, char *path); + + /** + * Remove the most recently added copy on write overlay. + * + * @return FALSE, if no overlay was found */ - bool (*set_overlay)(cowfs_t *this, char *path); + bool (*pop_overlay)(cowfs_t *this); /** * Stop, umount and destroy a cowfs FUSE filesystem. diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c index 7ec340089..8cd413519 100644 --- a/src/dumm/dumm.c +++ b/src/dumm/dumm.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -128,51 +128,145 @@ static void delete_bridge(private_dumm_t *this, bridge_t *bridge) } /** - * disable the currently enabled template + * Implementation of dumm_t.add_overlay. */ -static void clear_template(private_dumm_t *this) +static bool add_overlay(private_dumm_t *this, char *dir) { enumerator_t *enumerator; guest_t *guest; - free(this->template); - this->template = NULL; + if (dir == NULL) + { + return TRUE; + } + if (strlen(dir) > PATH_MAX) + { + DBG1(DBG_LIB, "overlay directory string '%s' is too long", dir); + return FALSE; + } + if (access(dir, F_OK) != 0) + { + if (!mkdir_p(dir, PERME)) + { + DBG1(DBG_LIB, "creating overlay directory '%s' failed: %m", dir); + return FALSE; + } + } + enumerator = this->guests->create_enumerator(this->guests); + while (enumerator->enumerate(enumerator, (void**)&guest)) + { + char guest_dir[PATH_MAX]; + int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir, + guest->get_name(guest)); + if (len < 0 || len >= sizeof(guest_dir)) + { + goto error; + } + if (access(guest_dir, F_OK) != 0) + { + if (!mkdir_p(guest_dir, PERME)) + { + DBG1(DBG_LIB, "creating overlay directory for guest '%s' failed: %m", + guest->get_name(guest)); + goto error; + } + } + if (!guest->add_overlay(guest, guest_dir)) + { + goto error; + } + } + enumerator->destroy(enumerator); + return TRUE; +error: + enumerator->destroy(enumerator); + this->public.del_overlay(&this->public, dir); + return FALSE; +} + +/** + * Implementation of dumm_t.del_overlay. + */ +static bool del_overlay(private_dumm_t *this, char *dir) +{ + bool ret = FALSE; + enumerator_t *enumerator; + guest_t *guest; enumerator = this->guests->create_enumerator(this->guests); while (enumerator->enumerate(enumerator, (void**)&guest)) { - guest->load_template(guest, NULL); + char guest_dir[PATH_MAX]; + int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir, + guest->get_name(guest)); + if (len < 0 || len >= sizeof(guest_dir)) + { + continue; + } + ret = guest->del_overlay(guest, guest_dir) || ret; } enumerator->destroy(enumerator); + return ret; } /** - * Implementation of dumm_t.load_template. + * Implementation of dumm_t.pop_overlay. */ -static bool load_template(private_dumm_t *this, char *dir) +static bool pop_overlay(private_dumm_t *this) { + bool ret = FALSE; enumerator_t *enumerator; guest_t *guest; - clear_template(this); + enumerator = this->guests->create_enumerator(this->guests); + while (enumerator->enumerate(enumerator, (void**)&guest)) + { + ret = guest->pop_overlay(guest) || ret; + } + enumerator->destroy(enumerator); + return ret; +} - if (dir == NULL) +/** + * disable the currently enabled template + */ +static void clear_template(private_dumm_t *this) +{ + if (this->template) + { + del_overlay(this, this->template); + free(this->template); + this->template = NULL; + } +} + +/** + * Implementation of dumm_t.load_template. + */ +static bool load_template(private_dumm_t *this, char *name) +{ + clear_template(this); + if (name == NULL) { return TRUE; } - if (strlen(dir) > PATH_MAX) + if (strlen(name) > PATH_MAX) { - DBG1(DBG_LIB, "template directory string '%s' is too long", dir); + DBG1(DBG_LIB, "template name '%s' is too long", name); return FALSE; } - - if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0) + if (strchr(name, '/') != NULL) + { + DBG1(DBG_LIB, "template name '%s' must not contain '/' characters", name); + return FALSE; + } + if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, name) < 0) { this->template = NULL; return FALSE; } if (access(this->template, F_OK) != 0) - { /* does not exist, create template */ + { if (!mkdir_p(this->template, PERME)) { DBG1(DBG_LIB, "creating template directory '%s' failed: %m", @@ -180,18 +274,7 @@ static bool load_template(private_dumm_t *this, char *dir) return FALSE; } } - enumerator = this->guests->create_enumerator(this->guests); - while (enumerator->enumerate(enumerator, (void**)&guest)) - { - if (!guest->load_template(guest, this->template)) - { - enumerator->destroy(enumerator); - clear_template(this); - return FALSE; - } - } - enumerator->destroy(enumerator); - return TRUE; + return add_overlay(this, this->template); } /** @@ -205,7 +288,7 @@ typedef struct { } template_enumerator_t; /** - * Implementation of template_enumerator_t.enumerate + * Implementation of template_enumerator_t.enumerate. */ static bool template_enumerate(template_enumerator_t *this, char **template) { @@ -224,7 +307,7 @@ static bool template_enumerate(template_enumerator_t *this, char **template) } /** - * Implementation of template_enumerator_t.destroy + * Implementation of template_enumerator_t.destroy. */ static void template_enumerator_destroy(template_enumerator_t *this) { @@ -233,22 +316,25 @@ static void template_enumerator_destroy(template_enumerator_t *this) } /** - * Implementation of dumm_t.create_template_enumerator + * Implementation of dumm_t.create_template_enumerator. */ static enumerator_t* create_template_enumerator(private_dumm_t *this) { template_enumerator_t *enumerator; - enumerator = malloc_thing(template_enumerator_t); enumerator->public.enumerate = (void*)template_enumerate; enumerator->public.destroy = (void*)template_enumerator_destroy; enumerator->inner = enumerator_create_directory(TEMPLATE_DIR); - + if (!enumerator->inner) + { + free(enumerator); + return enumerator_create_empty(); + } return &enumerator->public; } /** - * Implementation of dumm_t.destroy + * Implementation of dumm_t.destroy. */ static void destroy(private_dumm_t *this) { @@ -324,7 +410,10 @@ dumm_t *dumm_create(char *dir) this->public.create_bridge = (bridge_t*(*)(dumm_t*, char *name))create_bridge; this->public.create_bridge_enumerator = (enumerator_t*(*)(dumm_t*))create_bridge_enumerator; this->public.delete_bridge = (void(*)(dumm_t*,bridge_t*))delete_bridge; - this->public.load_template = (bool(*)(dumm_t*, char *name))load_template; + this->public.add_overlay = (bool(*)(dumm_t*,char*))add_overlay; + this->public.del_overlay = (bool(*)(dumm_t*,char*))del_overlay; + this->public.pop_overlay = (bool(*)(dumm_t*))pop_overlay; + this->public.load_template = (bool(*)(dumm_t*,char*))load_template; this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator; this->public.destroy = (void(*)(dumm_t*))destroy; diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h index 54c3fbc03..4bd20808c 100644 --- a/src/dumm/dumm.h +++ b/src/dumm/dumm.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -83,12 +83,47 @@ struct dumm_t { void (*delete_bridge) (dumm_t *this, bridge_t *bridge); /** + * Add an overlay to all guests. + * + * Directories named after the guests are created, if they do not exist + * in the given overlay directory. + * + * If adding the overlay on at lest one guest fails, FALSE is returned and + * the overlay is again removed from all guests. + * + * @param dir dir to the overlay + * @return FALSE, on failure + */ + bool (*add_overlay)(dumm_t *this, char *dir); + + /** + * Removes an overlay from all guests. + * + * @param dir dir to the overlay + * @return FALSE, if the overlay was not found on any guest + */ + bool (*del_overlay)(dumm_t *this, char *dir); + + /** + * Remove the latest overlay from all guests. + * + * @return FALSE, if no overlay was found on any guest + */ + bool (*pop_overlay)(dumm_t *this); + + /** * Loads a template, create a new one if it does not exist. * - * @param name dir to the template, NULL to close + * This is basically a wrapper around add/del_overlay to simplify working + * with overlays. Templates are located in a predefined directory, so that + * only a name for the template has to be specified here. Only one template + * can be loaded at any one time (but other overlays can be added on top or + * below a template). + * + * @param name name of the template to load, NULL to unload * @return FALSE if load/create failed */ - bool (*load_template)(dumm_t *this, char *dir); + bool (*load_template)(dumm_t *this, char *name); /** * Create an enumerator over all available templates. diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c index 230e8ae68..a9c7cb8bd 100644 --- a/src/dumm/ext/dumm.c +++ b/src/dumm/ext/dumm.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -85,82 +85,108 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr) enumerator->destroy(enumerator); } + /** - * Guest bindings + * Global Dumm bindings */ -static VALUE guest_find(VALUE class, VALUE key) +static VALUE dumm_add_overlay(VALUE class, VALUE dir) { - enumerator_t *enumerator; - guest_t *guest, *found = NULL; - - if (TYPE(key) == T_SYMBOL) + if (!dumm->add_overlay(dumm, StringValuePtr(dir))) { - key = rb_convert_type(key, T_STRING, "String", "to_s"); + rb_raise(rb_eRuntimeError, "loading overlay failed"); } + return class; +} + +static VALUE dumm_del_overlay(VALUE class, VALUE dir) +{ + return dumm->del_overlay(dumm, StringValuePtr(dir)) ? Qtrue : Qfalse; +} + +static VALUE dumm_pop_overlay(VALUE class) +{ + return dumm->pop_overlay(dumm) ? Qtrue : Qfalse; +} + +static void dumm_init() +{ + rbm_dumm = rb_define_module("Dumm"); + + rb_define_module_function(rbm_dumm, "add_overlay", dumm_add_overlay, 1); + rb_define_module_function(rbm_dumm, "del_overlay", dumm_del_overlay, 1); + rb_define_module_function(rbm_dumm, "pop_overlay", dumm_pop_overlay, 0); +} + +/** + * Guest bindings + */ +static VALUE guest_hash_create(VALUE class) +{ + enumerator_t *enumerator; + guest_t *guest; + VALUE hash = rb_hash_new(); enumerator = dumm->create_guest_enumerator(dumm); while (enumerator->enumerate(enumerator, &guest)) { - if (streq(guest->get_name(guest), StringValuePtr(key))) - { - found = guest; - break; - } + rb_hash_aset(hash, rb_str_new2(guest->get_name(guest)), + Data_Wrap_Struct(class, NULL, NULL, guest)); } enumerator->destroy(enumerator); - if (!found) + return hash; +} + +static VALUE guest_hash(VALUE class) +{ + ID id = rb_intern("@@guests"); + if (!rb_cvar_defined(class, id)) { - return Qnil; + VALUE hash = guest_hash_create(class); + rb_cvar_set(class, id, hash, 0); + return hash; } - return Data_Wrap_Struct(class, NULL, NULL, found); + return rb_cvar_get(class, id); } -static VALUE guest_get(VALUE class, VALUE key) +static VALUE guest_find(VALUE class, VALUE key) { - VALUE guest = guest_find(class, key); - if (NIL_P(guest)) + if (TYPE(key) != T_STRING) { - rb_raise(rb_eRuntimeError, "guest not found"); + key = rb_convert_type(key, T_STRING, "String", "to_s"); } - return guest; + return rb_hash_aref(guest_hash(class), key); } -static VALUE guest_each(int argc, VALUE *argv, VALUE class) +static VALUE guest_get(VALUE class, VALUE key) { - linked_list_t *list; - enumerator_t *enumerator; - guest_t *guest; + return guest_find(class, key); +} +static VALUE guest_each(int argc, VALUE *argv, VALUE class) +{ if (!rb_block_given_p()) { rb_raise(rb_eArgError, "must be called with a block"); } - list = linked_list_create(); - enumerator = dumm->create_guest_enumerator(dumm); - while (enumerator->enumerate(enumerator, &guest)) - { - list->insert_last(list, guest); - } - enumerator->destroy(enumerator); - while (list->remove_first(list, (void**)&guest) == SUCCESS) - { - rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest)); - } - list->destroy(list); + rb_block_call(guest_hash(class), rb_intern("each_value"), 0, 0, + rb_yield, 0); return class; } static VALUE guest_new(VALUE class, VALUE name, VALUE kernel, VALUE master, VALUE args) { + VALUE self; guest_t *guest; - - guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel), - StringValuePtr(master), StringValuePtr(args)); + guest = dumm->create_guest(dumm, StringValuePtr(name), + StringValuePtr(kernel), StringValuePtr(master), + StringValuePtr(args)); if (!guest) { rb_raise(rb_eRuntimeError, "creating guest failed"); } - return Data_Wrap_Struct(class, NULL, NULL, guest); + self = Data_Wrap_Struct(class, NULL, NULL, guest); + rb_hash_aset(guest_hash(class), name, self); + return self; } static VALUE guest_to_s(VALUE self) @@ -214,11 +240,9 @@ static VALUE guest_exec(VALUE self, VALUE cmd) block = rb_block_given_p(); Data_Get_Struct(self, guest_t, guest); - if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL, - "exec %s", StringValuePtr(cmd))) != 0) - { - rb_raise(rb_eRuntimeError, "executing command failed (%d)", ret); - } + ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL, + "exec %s", StringValuePtr(cmd)); + rb_iv_set(self, "@execstatus", INT2NUM(ret)); return self; } @@ -330,6 +354,34 @@ static VALUE guest_delete(VALUE self) return Qnil; } +static VALUE guest_add_overlay(VALUE self, VALUE dir) +{ + guest_t *guest; + + Data_Get_Struct(self, guest_t, guest); + if (!guest->add_overlay(guest, StringValuePtr(dir))) + { + rb_raise(rb_eRuntimeError, "loading overlay failed"); + } + return self; +} + +static VALUE guest_del_overlay(VALUE self, VALUE dir) +{ + guest_t *guest; + + Data_Get_Struct(self, guest_t, guest); + return guest->del_overlay(guest, StringValuePtr(dir)) ? Qtrue : Qfalse; +} + +static VALUE guest_pop_overlay(VALUE self) +{ + guest_t *guest; + + Data_Get_Struct(self, guest_t, guest); + return guest->pop_overlay(guest) ? Qtrue : Qfalse; +} + static void guest_init() { rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject); @@ -354,6 +406,11 @@ static void guest_init() rb_define_method(rbc_guest, "include?", guest_find_iface, 1); rb_define_method(rbc_guest, "iface?", guest_find_iface, 1); rb_define_method(rbc_guest, "delete", guest_delete, 0); + rb_define_method(rbc_guest, "add_overlay", guest_add_overlay, 1); + rb_define_method(rbc_guest, "del_overlay", guest_del_overlay, 1); + rb_define_method(rbc_guest, "pop_overlay", guest_pop_overlay, 0); + + rb_define_attr(rbc_guest, "execstatus", 1, 0); } /** @@ -711,8 +768,7 @@ void Init_dumm() dumm = dumm_create(NULL); - rbm_dumm = rb_define_module("Dumm"); - + dumm_init(); guest_init(); bridge_init(); iface_init(); diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb index 25939e9f4..bb60aad8f 100644 --- a/src/dumm/ext/lib/dumm.rb +++ b/src/dumm/ext/lib/dumm.rb @@ -1,5 +1,5 @@ =begin - Copyright (C) 2008 Tobias Brunner + Copyright (C) 2008-2009 Tobias Brunner Hochschule fuer Technik Rapperswil This program is free software; you can redistribute it and/or modify it @@ -38,11 +38,11 @@ module Dumm end end - # unload templates, reset all guests and delete bridges + # unload template/overlays, reset all guests and delete bridges def reset Template.unload Guest.each { |guest| - guest.reset if guest.running? + guest.reset } Bridge.each { |bridge| bridge.delete diff --git a/src/dumm/ext/lib/dumm/guest.rb b/src/dumm/ext/lib/dumm/guest.rb index 936f512dd..7488f1358 100644 --- a/src/dumm/ext/lib/dumm/guest.rb +++ b/src/dumm/ext/lib/dumm/guest.rb @@ -1,5 +1,5 @@ =begin - Copyright (C) 2008 Tobias Brunner + Copyright (C) 2008-2010 Tobias Brunner Hochschule fuer Technik Rapperswil This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ module Dumm end Guest[id] end - + # accessor for interfaces # e.g. guest.eth0 instead of guest["eth0"] def method_missing(id, *args) @@ -32,24 +32,21 @@ module Dumm end self[id] end - - # delete all interfaces + + # remove all overlays, delete all interfaces def reset + while pop_overlay; end each {|i| i.delete } end - + # has the guest booted up? def booted? - begin - exec("pgrep getty") - rescue - return false - end - return true + exec("pgrep getty") + execstatus == 0 end - + # wait until the guest has booted def boot while not booted? diff --git a/src/dumm/guest.c b/src/dumm/guest.c index ebd87769a..36d048dcf 100644 --- a/src/dumm/guest.c +++ b/src/dumm/guest.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -297,37 +297,42 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data, } /** - * Implementation of guest_t.load_template. + * Implementation of guest_t.add_overlay. */ -static bool load_template(private_guest_t *this, char *path) +static bool add_overlay(private_guest_t *this, char *path) { - char dir[PATH_MAX]; - size_t len; - if (path == NULL) { - return this->cowfs->set_overlay(this->cowfs, NULL); - } - - len = snprintf(dir, sizeof(dir), "%s/%s", path, this->name); - if (len < 0 || len >= sizeof(dir)) - { return FALSE; } - if (access(dir, F_OK) != 0) + + if (access(path, F_OK) != 0) { - if (!mkdir_p(dir, PERME)) + if (!mkdir_p(path, PERME)) { DBG1(DBG_LIB, "creating overlay for guest '%s' failed: %m", this->name); return FALSE; } } - if (!this->cowfs->set_overlay(this->cowfs, dir)) - { - return FALSE; - } - return TRUE; + + return this->cowfs->add_overlay(this->cowfs, path); +} + +/** + * Implementation of guest_t.del_overlay. + */ +static bool del_overlay(private_guest_t *this, char *path) +{ + return this->cowfs->del_overlay(this->cowfs, path); +} + +/** + * Implementation of guest_t.pop_overlay. + */ +static bool pop_overlay(private_guest_t *this) +{ + return this->cowfs->pop_overlay(this->cowfs); } /** @@ -567,7 +572,9 @@ static private_guest_t *guest_create_generic(char *parent, char *name, this->public.create_iface_enumerator = (enumerator_t*(*)(guest_t*))create_iface_enumerator; this->public.start = (void*)start; this->public.stop = (void*)stop; - this->public.load_template = (bool(*)(guest_t*, char *path))load_template; + this->public.add_overlay = (bool(*)(guest_t*,char*))add_overlay; + this->public.del_overlay = (bool(*)(guest_t*,char*))del_overlay; + this->public.pop_overlay = (bool(*)(guest_t*))pop_overlay; this->public.exec = (int(*)(guest_t*, void(*cb)(void*,char*,size_t),void*,char*,...))exec; this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str; this->public.sigchild = (void(*)(guest_t*))sigchild; diff --git a/src/dumm/guest.h b/src/dumm/guest.h index 5f812f8eb..789f2310e 100644 --- a/src/dumm/guest.h +++ b/src/dumm/guest.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -134,12 +134,27 @@ struct guest_t { enumerator_t* (*create_iface_enumerator)(guest_t *this); /** - * Set the template COWFS overlay to use. + * Adds a COWFS overlay. The directory is created if it does not exist. * - * @param parent parent directory where template diff should point to - * @return FALSE if failed + * @param dir directory where overlay diff should point to + * @return FALSE, if failed */ - bool (*load_template)(guest_t *this, char *parent); + bool (*add_overlay)(guest_t *this, char *dir); + + /** + * Removes the specified COWFS overlay. + * + * @param dir directory where overlay diff points to + * @return FALSE, if no found + */ + bool (*del_overlay)(guest_t *this, char *dir); + + /** + * Removes the latest COWFS overlay. + * + * @return FALSE, if no overlay was found + */ + bool (*pop_overlay)(guest_t *this); /** * Execute a command on the guests mconsole. diff --git a/src/include/Makefile.in b/src/include/Makefile.in index c47e6e451..498fb17f1 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -43,6 +43,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -117,6 +118,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -148,14 +151,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -170,24 +176,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -195,7 +208,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 2b4b14b49..276d9f36d 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -176,14 +179,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -223,7 +236,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index 150fefc12..f995119aa 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan" +.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index 3297654e9..21a2b8ee6 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -40,16 +40,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \ encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \ -kernel/kernel_interface.c kernel/kernel_interface.h \ -kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ -kernel/kernel_net.h \ +kernel/kernel_handler.c kernel/kernel_handler.h \ network/packet.c network/packet.h \ network/receiver.c network/receiver.h \ network/sender.c network/sender.h \ network/socket_manager.c network/socket_manager.h network/socket.h \ -processing/jobs/job.h \ processing/jobs/acquire_job.c processing/jobs/acquire_job.h \ -processing/jobs/callback_job.c processing/jobs/callback_job.h \ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \ processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \ processing/jobs/migrate_job.c processing/jobs/migrate_job.h \ @@ -62,8 +58,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ -processing/scheduler.c processing/scheduler.h \ -processing/processor.c processing/processor.h \ sa/authenticators/authenticator.c sa/authenticators/authenticator.h \ sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \ sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \ @@ -94,7 +88,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h +sa/tasks/task.c sa/tasks/task.h \ +tnccs/tnccs.c tnccs/tnccs.h \ +tnccs/tnccs_manager.h tnccs/tnccs_manager.c # adding the plugin source files @@ -141,10 +137,6 @@ LOCAL_SRC_FILES += $(addprefix ../libsimaka/, \ ) endif -LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) - -LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey) - LOCAL_SRC_FILES += $(call add_plugin, load-tester) LOCAL_SRC_FILES += $(call add_plugin, socket-default) diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 44501c0d0..2b7646327 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -38,16 +38,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \ encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \ -kernel/kernel_interface.c kernel/kernel_interface.h \ -kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ -kernel/kernel_net.h \ +kernel/kernel_handler.c kernel/kernel_handler.h \ network/packet.c network/packet.h \ network/receiver.c network/receiver.h \ network/sender.c network/sender.h \ network/socket_manager.c network/socket_manager.h network/socket.h \ -processing/jobs/job.h \ processing/jobs/acquire_job.c processing/jobs/acquire_job.h \ -processing/jobs/callback_job.c processing/jobs/callback_job.h \ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \ processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \ processing/jobs/migrate_job.c processing/jobs/migrate_job.h \ @@ -60,8 +56,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ -processing/scheduler.c processing/scheduler.h \ -processing/processor.c processing/processor.h \ sa/authenticators/authenticator.c sa/authenticators/authenticator.h \ sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \ sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \ @@ -92,7 +86,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h +sa/tasks/task.c sa/tasks/task.h \ +tnccs/tnccs.c tnccs/tnccs.h \ +tnccs/tnccs_manager.h tnccs/tnccs_manager.c daemon.lo : $(top_builddir)/config.status @@ -104,7 +100,8 @@ INCLUDES = \ AM_CFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ - -DIPSEC_PIDDIR=\"${piddir}\" + -DIPSEC_PIDDIR=\"${piddir}\" \ + -DPLUGINS=\""${libcharon_plugins}\"" libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) @@ -135,51 +132,15 @@ else SUBDIRS = . endif -PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} - if USE_LOAD_TESTER SUBDIRS += plugins/load_tester - PLUGINS += load-tester if MONOLITHIC libcharon_la_LIBADD += plugins/load_tester/libstrongswan-load-tester.la endif endif -if USE_KERNEL_PFKEY - SUBDIRS += plugins/kernel_pfkey - PLUGINS += kernel-pfkey -if MONOLITHIC - libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -endif -endif - -if USE_KERNEL_PFROUTE - SUBDIRS += plugins/kernel_pfroute - PLUGINS += kernel-pfroute -if MONOLITHIC - libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -endif -endif - -if USE_KERNEL_KLIPS - SUBDIRS += plugins/kernel_klips - PLUGINS += kernel-klips -if MONOLITHIC - libcharon_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la -endif -endif - -if USE_KERNEL_NETLINK - SUBDIRS += plugins/kernel_netlink - PLUGINS += kernel-netlink -if MONOLITHIC - libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la -endif -endif - if USE_SOCKET_DEFAULT SUBDIRS += plugins/socket_default - PLUGINS += socket-default if MONOLITHIC libcharon_la_LIBADD += plugins/socket_default/libstrongswan-socket-default.la endif @@ -187,7 +148,6 @@ endif if USE_SOCKET_RAW SUBDIRS += plugins/socket_raw - PLUGINS += socket-raw if MONOLITHIC libcharon_la_LIBADD += plugins/socket_raw/libstrongswan-socket-raw.la endif @@ -195,7 +155,6 @@ endif if USE_SOCKET_DYNAMIC SUBDIRS += plugins/socket_dynamic - PLUGINS += socket-dynamic if MONOLITHIC libcharon_la_LIBADD += plugins/socket_dynamic/libstrongswan-socket-dynamic.la endif @@ -203,7 +162,6 @@ endif if USE_FARP SUBDIRS += plugins/farp - PLUGINS += farp if MONOLITHIC libcharon_la_LIBADD += plugins/farp/libstrongswan-farp.la endif @@ -211,7 +169,6 @@ endif if USE_STROKE SUBDIRS += plugins/stroke - PLUGINS += stroke if MONOLITHIC libcharon_la_LIBADD += plugins/stroke/libstrongswan-stroke.la endif @@ -219,7 +176,6 @@ endif if USE_SMP SUBDIRS += plugins/smp - PLUGINS += smp if MONOLITHIC libcharon_la_LIBADD += plugins/smp/libstrongswan-smp.la endif @@ -227,7 +183,6 @@ endif if USE_SQL SUBDIRS += plugins/sql - PLUGINS += sql if MONOLITHIC libcharon_la_LIBADD += plugins/sql/libstrongswan-sql.la endif @@ -235,7 +190,6 @@ endif if USE_UPDOWN SUBDIRS += plugins/updown - PLUGINS += updown if MONOLITHIC libcharon_la_LIBADD += plugins/updown/libstrongswan-updown.la endif @@ -243,7 +197,6 @@ endif if USE_EAP_IDENTITY SUBDIRS += plugins/eap_identity - PLUGINS += eap-identity if MONOLITHIC libcharon_la_LIBADD += plugins/eap_identity/libstrongswan-eap-identity.la endif @@ -251,7 +204,6 @@ endif if USE_EAP_SIM SUBDIRS += plugins/eap_sim - PLUGINS += eap-sim if MONOLITHIC libcharon_la_LIBADD += plugins/eap_sim/libstrongswan-eap-sim.la endif @@ -259,7 +211,6 @@ endif if USE_EAP_SIM_FILE SUBDIRS += plugins/eap_sim_file - PLUGINS += eap-sim-file if MONOLITHIC libcharon_la_LIBADD += plugins/eap_sim_file/libstrongswan-eap-sim-file.la endif @@ -267,7 +218,6 @@ endif if USE_EAP_SIMAKA_SQL SUBDIRS += plugins/eap_simaka_sql - PLUGINS += eap-simaka-sql if MONOLITHIC libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la endif @@ -275,7 +225,6 @@ endif if USE_EAP_SIMAKA_PSEUDONYM SUBDIRS += plugins/eap_simaka_pseudonym - PLUGINS += eap-simaka-pseudonym if MONOLITHIC libcharon_la_LIBADD += plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la endif @@ -283,7 +232,6 @@ endif if USE_EAP_SIMAKA_REAUTH SUBDIRS += plugins/eap_simaka_reauth - PLUGINS += eap-simaka-reauth if MONOLITHIC libcharon_la_LIBADD += plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la endif @@ -291,7 +239,6 @@ endif if USE_EAP_AKA SUBDIRS += plugins/eap_aka - PLUGINS += eap-aka if MONOLITHIC libcharon_la_LIBADD += plugins/eap_aka/libstrongswan-eap-aka.la endif @@ -299,7 +246,6 @@ endif if USE_EAP_AKA_3GPP2 SUBDIRS += plugins/eap_aka_3gpp2 - PLUGINS += eap-aka-3gpp2 if MONOLITHIC libcharon_la_LIBADD += plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la endif @@ -314,7 +260,6 @@ endif if USE_EAP_MD5 SUBDIRS += plugins/eap_md5 - PLUGINS += eap-md5 if MONOLITHIC libcharon_la_LIBADD += plugins/eap_md5/libstrongswan-eap-md5.la endif @@ -322,7 +267,6 @@ endif if USE_EAP_GTC SUBDIRS += plugins/eap_gtc - PLUGINS += eap-gtc if MONOLITHIC libcharon_la_LIBADD += plugins/eap_gtc/libstrongswan-eap-gtc.la endif @@ -330,7 +274,6 @@ endif if USE_EAP_MSCHAPV2 SUBDIRS += plugins/eap_mschapv2 - PLUGINS += eap-mschapv2 if MONOLITHIC libcharon_la_LIBADD += plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la endif @@ -338,15 +281,69 @@ endif if USE_EAP_RADIUS SUBDIRS += plugins/eap_radius - PLUGINS += eap-radius if MONOLITHIC libcharon_la_LIBADD += plugins/eap_radius/libstrongswan-eap-radius.la endif endif +if USE_EAP_TLS + SUBDIRS += plugins/eap_tls +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_tls/libstrongswan-eap-tls.la +endif +endif + +if USE_EAP_TTLS + SUBDIRS += plugins/eap_ttls +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_ttls/libstrongswan-eap-ttls.la +endif +endif + +if USE_EAP_TNC + SUBDIRS += plugins/eap_tnc +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-eap-tnc.la +endif +endif + +if USE_TLS +if MONOLITHIC + # otherwise this library is linked to eap_tls + libcharon_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif +endif + +if USE_TNC_IMC + SUBDIRS += plugins/tnc_imc +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la +endif +endif + +if USE_TNC_IMV + SUBDIRS += plugins/tnc_imv +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la +endif +endif + +if USE_TNCCS_11 + SUBDIRS += plugins/tnccs_11 +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnccs_11/libstrongswan-tnccs-11.la +endif +endif + +if USE_TNCCS_20 + SUBDIRS += plugins/tnccs_20 +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnccs_20/libstrongswan-tnccs-20.la +endif +endif + if USE_MEDSRV SUBDIRS += plugins/medsrv - PLUGINS += medsrv if MONOLITHIC libcharon_la_LIBADD += plugins/medsrv/libstrongswan-medsrv.la endif @@ -354,7 +351,6 @@ endif if USE_MEDCLI SUBDIRS += plugins/medcli - PLUGINS += medcli if MONOLITHIC libcharon_la_LIBADD += plugins/medcli/libstrongswan-medcli.la endif @@ -362,7 +358,6 @@ endif if USE_NM SUBDIRS += plugins/nm - PLUGINS += nm if MONOLITHIC libcharon_la_LIBADD += plugins/nm/libstrongswan-nm.la endif @@ -370,7 +365,6 @@ endif if USE_DHCP SUBDIRS += plugins/dhcp - PLUGINS += dhcp if MONOLITHIC libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la endif @@ -378,23 +372,34 @@ endif if USE_ANDROID SUBDIRS += plugins/android - PLUGINS += android if MONOLITHIC libcharon_la_LIBADD += plugins/android/libstrongswan-android.la endif endif +if USE_MAEMO + SUBDIRS += plugins/maemo +if MONOLITHIC + libcharon_la_LIBADD += plugins/maemo/libstrongswan-maemo.la +endif +endif + if USE_HA SUBDIRS += plugins/ha - PLUGINS += ha if MONOLITHIC libcharon_la_LIBADD += plugins/ha/libstrongswan-ha.la endif endif +if USE_LED + SUBDIRS += plugins/led +if MONOLITHIC + libcharon_la_LIBADD += plugins/led/libstrongswan-led.la +endif +endif + if USE_UCI SUBDIRS += plugins/uci - PLUGINS += uci if MONOLITHIC libcharon_la_LIBADD += plugins/uci/libstrongswan-uci.la endif @@ -402,7 +407,6 @@ endif if USE_ADDRBLOCK SUBDIRS += plugins/addrblock - PLUGINS += addrblock if MONOLITHIC libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la endif @@ -410,11 +414,8 @@ endif if USE_UNIT_TESTS SUBDIRS += plugins/unit_tester - PLUGINS += unit-tester if MONOLITHIC libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la endif endif -AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\"" - diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 8e58b0e2e..8a7a99ddd 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -46,108 +46,85 @@ host_triplet = @host@ @USE_LIBCAP_TRUE@am__append_2 = -lcap @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester -@USE_LOAD_TESTER_TRUE@am__append_4 = load-tester -@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la -@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey -@USE_KERNEL_PFKEY_TRUE@am__append_7 = kernel-pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute -@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_11 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips -@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips -@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_14 = plugins/kernel_klips/libstrongswan-kernel-klips.la -@USE_KERNEL_NETLINK_TRUE@am__append_15 = plugins/kernel_netlink -@USE_KERNEL_NETLINK_TRUE@am__append_16 = kernel-netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_17 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_SOCKET_DEFAULT_TRUE@am__append_18 = plugins/socket_default -@USE_SOCKET_DEFAULT_TRUE@am__append_19 = socket-default -@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_20 = plugins/socket_default/libstrongswan-socket-default.la -@USE_SOCKET_RAW_TRUE@am__append_21 = plugins/socket_raw -@USE_SOCKET_RAW_TRUE@am__append_22 = socket-raw -@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_23 = plugins/socket_raw/libstrongswan-socket-raw.la -@USE_SOCKET_DYNAMIC_TRUE@am__append_24 = plugins/socket_dynamic -@USE_SOCKET_DYNAMIC_TRUE@am__append_25 = socket-dynamic -@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_26 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la -@USE_FARP_TRUE@am__append_27 = plugins/farp -@USE_FARP_TRUE@am__append_28 = farp -@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_29 = plugins/farp/libstrongswan-farp.la -@USE_STROKE_TRUE@am__append_30 = plugins/stroke -@USE_STROKE_TRUE@am__append_31 = stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_32 = plugins/stroke/libstrongswan-stroke.la -@USE_SMP_TRUE@am__append_33 = plugins/smp -@USE_SMP_TRUE@am__append_34 = smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_35 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_36 = plugins/sql -@USE_SQL_TRUE@am__append_37 = sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_38 = plugins/sql/libstrongswan-sql.la -@USE_UPDOWN_TRUE@am__append_39 = plugins/updown -@USE_UPDOWN_TRUE@am__append_40 = updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_41 = plugins/updown/libstrongswan-updown.la -@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity -@USE_EAP_IDENTITY_TRUE@am__append_43 = eap-identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_44 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim -@USE_EAP_SIM_TRUE@am__append_46 = eap-sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_47 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file -@USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql -@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka -@USE_EAP_AKA_TRUE@am__append_61 = eap-aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2 -@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5 -@USE_EAP_MD5_TRUE@am__append_68 = eap-md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc -@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2 -@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius -@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv -@USE_MEDSRV_TRUE@am__append_80 = medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli -@USE_MEDCLI_TRUE@am__append_83 = medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la -@USE_NM_TRUE@am__append_85 = plugins/nm -@USE_NM_TRUE@am__append_86 = nm -@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la -@USE_DHCP_TRUE@am__append_88 = plugins/dhcp -@USE_DHCP_TRUE@am__append_89 = dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la -@USE_ANDROID_TRUE@am__append_91 = plugins/android -@USE_ANDROID_TRUE@am__append_92 = android -@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la -@USE_HA_TRUE@am__append_94 = plugins/ha -@USE_HA_TRUE@am__append_95 = ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_96 = plugins/ha/libstrongswan-ha.la -@USE_UCI_TRUE@am__append_97 = plugins/uci -@USE_UCI_TRUE@am__append_98 = uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock -@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la -@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester -@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la +@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester/libstrongswan-load-tester.la +@USE_SOCKET_DEFAULT_TRUE@am__append_5 = plugins/socket_default +@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default/libstrongswan-socket-default.la +@USE_SOCKET_RAW_TRUE@am__append_7 = plugins/socket_raw +@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_8 = plugins/socket_raw/libstrongswan-socket-raw.la +@USE_SOCKET_DYNAMIC_TRUE@am__append_9 = plugins/socket_dynamic +@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la +@USE_FARP_TRUE@am__append_11 = plugins/farp +@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_12 = plugins/farp/libstrongswan-farp.la +@USE_STROKE_TRUE@am__append_13 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_14 = plugins/stroke/libstrongswan-stroke.la +@USE_SMP_TRUE@am__append_15 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_16 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_17 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_18 = plugins/sql/libstrongswan-sql.la +@USE_UPDOWN_TRUE@am__append_19 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_20 = plugins/updown/libstrongswan-updown.la +@USE_EAP_IDENTITY_TRUE@am__append_21 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_23 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_27 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_28 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_29 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_30 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_31 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_32 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_34 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_35 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_36 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_37 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_38 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_39 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_40 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_41 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_42 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_RADIUS_TRUE@am__append_44 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_46 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_47 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_48 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_49 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_TNC_TRUE@am__append_50 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la +@USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc +@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la +@USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv +@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la +@USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11 +@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la +@USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20 +@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la +@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_65 = plugins/nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_67 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la +@USE_ANDROID_TRUE@am__append_69 = plugins/android +@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la +@USE_MAEMO_TRUE@am__append_71 = plugins/maemo +@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la +@USE_HA_TRUE@am__append_73 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la +@USE_LED_TRUE@am__append_75 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la +@USE_UCI_TRUE@am__append_77 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -158,6 +135,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -190,18 +168,20 @@ LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__append_5) $(am__append_8) \ - $(am__append_11) $(am__append_14) $(am__append_17) \ - $(am__append_20) $(am__append_23) $(am__append_26) \ - $(am__append_29) $(am__append_32) $(am__append_35) \ - $(am__append_38) $(am__append_41) $(am__append_44) \ - $(am__append_47) $(am__append_50) $(am__append_53) \ - $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_65) $(am__append_66) $(am__append_69) \ - $(am__append_72) $(am__append_75) $(am__append_78) \ - $(am__append_81) $(am__append_84) $(am__append_87) \ - $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) $(am__append_105) + $(am__DEPENDENCIES_1) $(am__append_4) $(am__append_6) \ + $(am__append_8) $(am__append_10) $(am__append_12) \ + $(am__append_14) $(am__append_16) $(am__append_18) \ + $(am__append_20) $(am__append_22) $(am__append_24) \ + $(am__append_26) $(am__append_28) $(am__append_30) \ + $(am__append_32) $(am__append_34) $(am__append_36) \ + $(am__append_37) $(am__append_39) $(am__append_41) \ + $(am__append_43) $(am__append_45) $(am__append_47) \ + $(am__append_49) $(am__append_51) $(am__append_52) \ + $(am__append_54) $(am__append_56) $(am__append_58) \ + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) \ + $(am__append_78) $(am__append_80) $(am__append_82) am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ @@ -249,16 +229,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ encoding/payloads/unknown_payload.c \ encoding/payloads/unknown_payload.h \ encoding/payloads/vendor_id_payload.c \ - encoding/payloads/vendor_id_payload.h \ - kernel/kernel_interface.c kernel/kernel_interface.h \ - kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ - kernel/kernel_net.h network/packet.c network/packet.h \ + encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \ + kernel/kernel_handler.h network/packet.c network/packet.h \ network/receiver.c network/receiver.h network/sender.c \ network/sender.h network/socket_manager.c \ network/socket_manager.h network/socket.h \ - processing/jobs/job.h processing/jobs/acquire_job.c \ - processing/jobs/acquire_job.h processing/jobs/callback_job.c \ - processing/jobs/callback_job.h \ + processing/jobs/acquire_job.c processing/jobs/acquire_job.h \ processing/jobs/delete_child_sa_job.c \ processing/jobs/delete_child_sa_job.h \ processing/jobs/delete_ike_sa_job.c \ @@ -279,9 +255,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ - processing/jobs/inactivity_job.h processing/scheduler.c \ - processing/scheduler.h processing/processor.c \ - processing/processor.h sa/authenticators/authenticator.c \ + processing/jobs/inactivity_job.h \ + sa/authenticators/authenticator.c \ sa/authenticators/authenticator.h \ sa/authenticators/eap_authenticator.c \ sa/authenticators/eap_authenticator.h \ @@ -313,7 +288,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - encoding/payloads/endpoint_notify.c \ + tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ + tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \ encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ processing/jobs/initiate_mediation_job.h \ @@ -334,22 +310,21 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ notify_payload.lo payload.lo proposal_substructure.lo \ sa_payload.lo traffic_selector_substructure.lo \ transform_attribute.lo transform_substructure.lo ts_payload.lo \ - unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \ - kernel_ipsec.lo packet.lo receiver.lo sender.lo \ - socket_manager.lo acquire_job.lo callback_job.lo \ - delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \ - process_message_job.lo rekey_child_sa_job.lo \ + unknown_payload.lo vendor_id_payload.lo kernel_handler.lo \ + packet.lo receiver.lo sender.lo socket_manager.lo \ + acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \ + migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \ rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ send_keepalive_job.lo roam_job.lo update_sa_job.lo \ - inactivity_job.lo scheduler.lo processor.lo authenticator.lo \ - eap_authenticator.lo eap_method.lo eap_manager.lo \ - sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \ - child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \ - task_manager.lo keymat.lo trap_manager.lo child_create.lo \ - child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \ - ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \ - ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ - ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ + inactivity_job.lo authenticator.lo eap_authenticator.lo \ + eap_method.lo eap_manager.lo sim_manager.lo \ + psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \ + ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \ + keymat.lo trap_manager.lo child_create.lo child_delete.lo \ + child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \ + ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \ + ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \ + ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \ $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ @@ -381,18 +356,19 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \ - plugins/kernel_pfroute plugins/kernel_klips \ - plugins/kernel_netlink plugins/socket_default \ +DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/socket_raw plugins/socket_dynamic plugins/farp \ plugins/stroke plugins/smp plugins/sql plugins/updown \ plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \ plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ plugins/eap_simaka_reauth plugins/eap_aka \ plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ - plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \ - plugins/medcli plugins/nm plugins/dhcp plugins/android \ - plugins/ha plugins/uci plugins/addrblock plugins/unit_tester + plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \ + plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \ + plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \ + plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ + plugins/android plugins/maemo plugins/ha plugins/led \ + plugins/uci plugins/addrblock plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -484,6 +460,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -515,14 +493,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -537,24 +518,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -562,7 +550,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -622,16 +613,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ encoding/payloads/unknown_payload.c \ encoding/payloads/unknown_payload.h \ encoding/payloads/vendor_id_payload.c \ - encoding/payloads/vendor_id_payload.h \ - kernel/kernel_interface.c kernel/kernel_interface.h \ - kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ - kernel/kernel_net.h network/packet.c network/packet.h \ + encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \ + kernel/kernel_handler.h network/packet.c network/packet.h \ network/receiver.c network/receiver.h network/sender.c \ network/sender.h network/socket_manager.c \ network/socket_manager.h network/socket.h \ - processing/jobs/job.h processing/jobs/acquire_job.c \ - processing/jobs/acquire_job.h processing/jobs/callback_job.c \ - processing/jobs/callback_job.h \ + processing/jobs/acquire_job.c processing/jobs/acquire_job.h \ processing/jobs/delete_child_sa_job.c \ processing/jobs/delete_child_sa_job.h \ processing/jobs/delete_ike_sa_job.c \ @@ -652,9 +639,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ - processing/jobs/inactivity_job.h processing/scheduler.c \ - processing/scheduler.h processing/processor.c \ - processing/processor.h sa/authenticators/authenticator.c \ + processing/jobs/inactivity_job.h \ + sa/authenticators/authenticator.c \ sa/authenticators/authenticator.h \ sa/authenticators/eap_authenticator.c \ sa/authenticators/eap_authenticator.h \ @@ -686,78 +672,78 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - $(am__append_1) + tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ + tnccs/tnccs_manager.c $(am__append_1) INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ - -DPLUGINS=\""${PLUGINS}\"" +AM_CFLAGS = \ + -DIPSEC_DIR=\"${ipsecdir}\" \ + -DIPSEC_PIDDIR=\"${piddir}\" \ + -DPLUGINS=\""${libcharon_plugins}\"" + libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ - $(am__append_2) $(am__append_5) $(am__append_8) \ - $(am__append_11) $(am__append_14) $(am__append_17) \ - $(am__append_20) $(am__append_23) $(am__append_26) \ - $(am__append_29) $(am__append_32) $(am__append_35) \ - $(am__append_38) $(am__append_41) $(am__append_44) \ - $(am__append_47) $(am__append_50) $(am__append_53) \ - $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_65) $(am__append_66) $(am__append_69) \ - $(am__append_72) $(am__append_75) $(am__append_78) \ - $(am__append_81) $(am__append_84) $(am__append_87) \ - $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) $(am__append_105) + $(am__append_2) $(am__append_4) $(am__append_6) \ + $(am__append_8) $(am__append_10) $(am__append_12) \ + $(am__append_14) $(am__append_16) $(am__append_18) \ + $(am__append_20) $(am__append_22) $(am__append_24) \ + $(am__append_26) $(am__append_28) $(am__append_30) \ + $(am__append_32) $(am__append_34) $(am__append_36) \ + $(am__append_37) $(am__append_39) $(am__append_41) \ + $(am__append_43) $(am__append_45) $(am__append_47) \ + $(am__append_49) $(am__append_51) $(am__append_52) \ + $(am__append_54) $(am__append_56) $(am__append_58) \ + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) \ + $(am__append_78) $(am__append_80) $(am__append_82) EXTRA_DIST = Android.mk -@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \ -@MONOLITHIC_FALSE@ $(am__append_9) $(am__append_12) \ -@MONOLITHIC_FALSE@ $(am__append_15) $(am__append_18) \ -@MONOLITHIC_FALSE@ $(am__append_21) $(am__append_24) \ -@MONOLITHIC_FALSE@ $(am__append_27) $(am__append_30) \ -@MONOLITHIC_FALSE@ $(am__append_33) $(am__append_36) \ -@MONOLITHIC_FALSE@ $(am__append_39) $(am__append_42) \ -@MONOLITHIC_FALSE@ $(am__append_45) $(am__append_48) \ -@MONOLITHIC_FALSE@ $(am__append_51) $(am__append_54) \ -@MONOLITHIC_FALSE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_67) \ -@MONOLITHIC_FALSE@ $(am__append_70) $(am__append_73) \ -@MONOLITHIC_FALSE@ $(am__append_76) $(am__append_79) \ -@MONOLITHIC_FALSE@ $(am__append_82) $(am__append_85) \ -@MONOLITHIC_FALSE@ $(am__append_88) $(am__append_91) \ -@MONOLITHIC_FALSE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_103) +@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \ +@MONOLITHIC_FALSE@ $(am__append_7) $(am__append_9) \ +@MONOLITHIC_FALSE@ $(am__append_11) $(am__append_13) \ +@MONOLITHIC_FALSE@ $(am__append_15) $(am__append_17) \ +@MONOLITHIC_FALSE@ $(am__append_19) $(am__append_21) \ +@MONOLITHIC_FALSE@ $(am__append_23) $(am__append_25) \ +@MONOLITHIC_FALSE@ $(am__append_27) $(am__append_29) \ +@MONOLITHIC_FALSE@ $(am__append_31) $(am__append_33) \ +@MONOLITHIC_FALSE@ $(am__append_35) $(am__append_38) \ +@MONOLITHIC_FALSE@ $(am__append_40) $(am__append_42) \ +@MONOLITHIC_FALSE@ $(am__append_44) $(am__append_46) \ +@MONOLITHIC_FALSE@ $(am__append_48) $(am__append_50) \ +@MONOLITHIC_FALSE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_FALSE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_FALSE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_FALSE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_FALSE@ $(am__append_81) # build optional plugins ######################## -@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_6) \ -@MONOLITHIC_TRUE@ $(am__append_9) $(am__append_12) \ -@MONOLITHIC_TRUE@ $(am__append_15) $(am__append_18) \ -@MONOLITHIC_TRUE@ $(am__append_21) $(am__append_24) \ -@MONOLITHIC_TRUE@ $(am__append_27) $(am__append_30) \ -@MONOLITHIC_TRUE@ $(am__append_33) $(am__append_36) \ -@MONOLITHIC_TRUE@ $(am__append_39) $(am__append_42) \ -@MONOLITHIC_TRUE@ $(am__append_45) $(am__append_48) \ -@MONOLITHIC_TRUE@ $(am__append_51) $(am__append_54) \ -@MONOLITHIC_TRUE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_67) \ -@MONOLITHIC_TRUE@ $(am__append_70) $(am__append_73) \ -@MONOLITHIC_TRUE@ $(am__append_76) $(am__append_79) \ -@MONOLITHIC_TRUE@ $(am__append_82) $(am__append_85) \ -@MONOLITHIC_TRUE@ $(am__append_88) $(am__append_91) \ -@MONOLITHIC_TRUE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_103) -PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \ - $(am__append_7) $(am__append_10) $(am__append_13) \ - $(am__append_16) $(am__append_19) $(am__append_22) \ - $(am__append_25) $(am__append_28) $(am__append_31) \ - $(am__append_34) $(am__append_37) $(am__append_40) \ - $(am__append_43) $(am__append_46) $(am__append_49) \ - $(am__append_52) $(am__append_55) $(am__append_58) \ - $(am__append_61) $(am__append_64) $(am__append_68) \ - $(am__append_71) $(am__append_74) $(am__append_77) \ - $(am__append_80) $(am__append_83) $(am__append_86) \ - $(am__append_89) $(am__append_92) $(am__append_95) \ - $(am__append_98) $(am__append_101) $(am__append_104) +@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_5) \ +@MONOLITHIC_TRUE@ $(am__append_7) $(am__append_9) \ +@MONOLITHIC_TRUE@ $(am__append_11) $(am__append_13) \ +@MONOLITHIC_TRUE@ $(am__append_15) $(am__append_17) \ +@MONOLITHIC_TRUE@ $(am__append_19) $(am__append_21) \ +@MONOLITHIC_TRUE@ $(am__append_23) $(am__append_25) \ +@MONOLITHIC_TRUE@ $(am__append_27) $(am__append_29) \ +@MONOLITHIC_TRUE@ $(am__append_31) $(am__append_33) \ +@MONOLITHIC_TRUE@ $(am__append_35) $(am__append_38) \ +@MONOLITHIC_TRUE@ $(am__append_40) $(am__append_42) \ +@MONOLITHIC_TRUE@ $(am__append_44) $(am__append_46) \ +@MONOLITHIC_TRUE@ $(am__append_48) $(am__append_50) \ +@MONOLITHIC_TRUE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_TRUE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_TRUE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_TRUE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_TRUE@ $(am__append_81) all: all-recursive .SUFFIXES: @@ -837,7 +823,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@ @@ -885,8 +870,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_handler.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Plo@am__quote@ @@ -899,7 +883,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Plo@am__quote@ @@ -910,7 +893,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@ @@ -919,6 +901,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@ @@ -1194,19 +1178,12 @@ vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c -kernel_interface.lo: kernel/kernel_interface.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c - -kernel_ipsec.lo: kernel/kernel_ipsec.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@ +kernel_handler.lo: kernel/kernel_handler.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c packet.lo: network/packet.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c @@ -1243,13 +1220,6 @@ acquire_job.lo: processing/jobs/acquire_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c -callback_job.lo: processing/jobs/callback_job.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c - delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo @@ -1334,20 +1304,6 @@ inactivity_job.lo: processing/jobs/inactivity_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c -scheduler.lo: processing/scheduler.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c - -processor.lo: processing/processor.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c - authenticator.lo: sa/authenticators/authenticator.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo @@ -1565,6 +1521,20 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c +tnccs.lo: tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c + +tnccs_manager.lo: tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c + endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo @@ -1934,6 +1904,8 @@ daemon.lo : $(top_builddir)/config.status @MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@ # otherwise this library is linked to both the eap_aka and the eap_sim plugin +@MONOLITHIC_TRUE@@USE_TLS_TRUE@ # otherwise this library is linked to eap_tls + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index 441009e5e..ab8d0fc48 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -17,7 +17,6 @@ #include <stdint.h> -#include <daemon.h> #include <threading/thread.h> #include <threading/thread_value.h> #include <threading/condvar.h> @@ -163,7 +162,7 @@ METHOD(bus_t, listen_, void, this->mutex->lock(this->mutex); this->listeners->insert_last(this->listeners, data.entry); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex); thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data); old = thread_cancelability(TRUE); diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c index 87db532f5..157436a7d 100644 --- a/src/libcharon/bus/listeners/file_logger.c +++ b/src/libcharon/bus/listeners/file_logger.c @@ -46,6 +46,11 @@ struct private_file_logger_t { * strftime() format of time prefix, if any */ char *time_format; + + /** + * Print the name/# of the IKE_SA? + */ + bool ike_name; }; /** @@ -56,7 +61,7 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, { if (level <= this->levels[group]) { - char buffer[8192], timestr[128]; + char buffer[8192], timestr[128], namestr[128] = ""; char *current = buffer, *next; struct tm tm; time_t t; @@ -67,6 +72,23 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, localtime_r(&t, &tm); strftime(timestr, sizeof(timestr), this->time_format, &tm); } + if (this->ike_name && ike_sa) + { + if (ike_sa->get_peer_cfg(ike_sa)) + { + snprintf(namestr, sizeof(namestr), " <%s|%d>", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); + } + else + { + snprintf(namestr, sizeof(namestr), " <%d>", + ike_sa->get_unique_id(ike_sa)); + } + } + else + { + namestr[0] = '\0'; + } /* write in memory buffer first */ vsnprintf(buffer, sizeof(buffer), format, args); @@ -81,13 +103,13 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, } if (this->time_format) { - fprintf(this->out, "%s %.2d[%N] %s\n", - timestr, thread, debug_names, group, current); + fprintf(this->out, "%s %.2d[%N]%s %s\n", + timestr, thread, debug_names, group, namestr, current); } else { - fprintf(this->out, "%.2d[%N] %s\n", - thread, debug_names, group, current); + fprintf(this->out, "%.2d[%N]%s %s\n", + thread, debug_names, group, namestr, current); } current = next; } @@ -129,7 +151,7 @@ static void destroy(private_file_logger_t *this) /* * Described in header. */ -file_logger_t *file_logger_create(FILE *out, char *time_format) +file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name) { private_file_logger_t *this = malloc_thing(private_file_logger_t); @@ -142,6 +164,7 @@ file_logger_t *file_logger_create(FILE *out, char *time_format) /* private variables */ this->out = out; this->time_format = time_format; + this->ike_name = ike_name; set_level(this, DBG_ANY, LEVEL_SILENT); return &this->public; diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h index e02a12c0c..d02f1701d 100644 --- a/src/libcharon/bus/listeners/file_logger.h +++ b/src/libcharon/bus/listeners/file_logger.h @@ -54,8 +54,9 @@ struct file_logger_t { * * @param out FILE to write to * @param time_format format of timestamp prefix, as in strftime() + * @param ike_name TRUE to prefix the name of the IKE_SA * @return file_logger_t object */ -file_logger_t *file_logger_create(FILE *out, char *time_format); +file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name); #endif /** FILE_LOGGER_H_ @}*/ diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c index 5bc1d581a..fa394ba88 100644 --- a/src/libcharon/bus/listeners/sys_logger.c +++ b/src/libcharon/bus/listeners/sys_logger.c @@ -41,6 +41,11 @@ struct private_sys_logger_t { * Maximum level to log, for each group */ level_t levels[DBG_MAX]; + + /** + * Print the name/# of the IKE_SA? + */ + bool ike_name; }; /** @@ -51,12 +56,26 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level, { if (level <= this->levels[group]) { - char buffer[8192]; + char buffer[8192], namestr[128] = ""; char *current = buffer, *next; /* write in memory buffer first */ vsnprintf(buffer, sizeof(buffer), format, args); + if (this->ike_name && ike_sa) + { + if (ike_sa->get_peer_cfg(ike_sa)) + { + snprintf(namestr, sizeof(namestr), " <%s|%d>", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); + } + else + { + snprintf(namestr, sizeof(namestr), " <%d>", + ike_sa->get_unique_id(ike_sa)); + } + } + /* do a syslog with every line */ while (current) { @@ -65,8 +84,8 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level, { *(next++) = '\0'; } - syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n", - thread, debug_names, group, current); + syslog(this->facility|LOG_INFO, "%.2d[%N]%s %s\n", + thread, debug_names, group, namestr, current); current = next; } } @@ -104,7 +123,7 @@ static void destroy(private_sys_logger_t *this) /* * Described in header. */ -sys_logger_t *sys_logger_create(int facility) +sys_logger_t *sys_logger_create(int facility, bool ike_name) { private_sys_logger_t *this = malloc_thing(private_sys_logger_t); @@ -116,6 +135,7 @@ sys_logger_t *sys_logger_create(int facility) /* private variables */ this->facility = facility; + this->ike_name = ike_name; set_level(this, DBG_ANY, LEVEL_SILENT); return &this->public; diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h index 58d4de529..d83715a6a 100644 --- a/src/libcharon/bus/listeners/sys_logger.h +++ b/src/libcharon/bus/listeners/sys_logger.h @@ -53,8 +53,9 @@ struct sys_logger_t { * Constructor to create a sys_logger_t object. * * @param facility syslog facility to use + * @param ike_name TRUE to prefix the name of the IKE_SA * @return sys_logger_t object */ -sys_logger_t *sys_logger_create(int facility); +sys_logger_t *sys_logger_create(int facility, bool ike_name); #endif /** SYS_LOGGER_H_ @}*/ diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 70f38b285..1cdfd5949 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -27,15 +27,6 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART, "restart", ); -ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, - "IPCOMP_NONE"); -ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE, - "IPCOMP_OUI", - "IPCOMP_DEFLATE", - "IPCOMP_LZS", - "IPCOMP_LZJH"); -ENUM_END(ipcomp_transform_names, IPCOMP_LZJH); - typedef struct private_child_cfg_t private_child_cfg_t; /** diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index d34835ead..1e6fe3fe9 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -24,9 +24,6 @@ #define CHILD_CFG_H_ typedef enum action_t action_t; -typedef enum ipcomp_transform_t ipcomp_transform_t; -typedef struct lifetime_cfg_t lifetime_cfg_t; -typedef struct mark_t mark_t; typedef struct child_cfg_t child_cfg_t; #include <library.h> @@ -52,48 +49,6 @@ enum action_t { extern enum_name_t *action_names; /** - * IPComp transform IDs, as in RFC 4306 - */ -enum ipcomp_transform_t { - IPCOMP_NONE = 241, - IPCOMP_OUI = 1, - IPCOMP_DEFLATE = 2, - IPCOMP_LZS = 3, - IPCOMP_LZJH = 4, -}; - -/** - * enum strings for ipcomp_transform_t. - */ -extern enum_name_t *ipcomp_transform_names; - -/** - * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA. - * - * Set any of these values to 0 to ignore. - */ -struct lifetime_cfg_t { - struct { - /** Limit before the CHILD_SA gets invalid. */ - u_int64_t life; - /** Limit before the CHILD_SA gets rekeyed. */ - u_int64_t rekey; - /** The range of a random value subtracted from rekey. */ - u_int64_t jitter; - } time, bytes, packets; -}; - -/** - * A mark_t defines an optional mark in a CHILD_SA. - */ -struct mark_t { - /** Mark value */ - u_int32_t value; - /** Mark mask */ - u_int32_t mask; -}; - -/** * A child_cfg_t defines the config template for a CHILD_SA. * * After creation, proposals and traffic selectors may be added to the config. @@ -238,7 +193,7 @@ struct child_cfg_t { * Check whether IPComp should be used, if the other peer supports it. * * @return TRUE, if IPComp should be used - * FALSE, otherwise + * FALSE, otherwise */ bool (*use_ipcomp)(child_cfg_t *this); @@ -259,7 +214,7 @@ struct child_cfg_t { /** * Optional mark for CHILD_SA * - * @param inbound TRUE for inbound, FALSE for outbound + * @param inbound TRUE for inbound, FALSE for outbound * @return mark */ mark_t (*get_mark)(child_cfg_t *this, bool inbound); @@ -277,7 +232,7 @@ struct child_cfg_t { * Check whether IPsec transport SA should be set up in proxy mode * * @return TRUE, if proxy mode should be used - * FALSE, otherwise + * FALSE, otherwise */ bool (*use_proxy_mode)(child_cfg_t *this); @@ -285,7 +240,7 @@ struct child_cfg_t { * Check whether IPsec policies should be installed in the kernel * * @return TRUE, if IPsec kernel policies should be installed - * FALSE, otherwise + * FALSE, otherwise */ bool (*install_policy)(child_cfg_t *this); diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index e86393028..5b8294599 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2008-2009 Tobias Brunner - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2010 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -87,6 +87,11 @@ struct private_proposal_t { * senders SPI */ u_int64_t spi; + + /** + * Proposal number + */ + u_int number; }; /** @@ -117,11 +122,9 @@ static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size) list->insert_last(list, (void*)algo_key); } -/** - * Implements proposal_t.add_algorithm - */ -static void add_algorithm(private_proposal_t *this, transform_type_t type, - u_int16_t algo, u_int16_t key_size) +METHOD(proposal_t, add_algorithm, void, + private_proposal_t *this, transform_type_t type, + u_int16_t algo, u_int16_t key_size) { switch (type) { @@ -160,11 +163,8 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg, return TRUE; } -/** - * Implements proposal_t.create_enumerator. - */ -static enumerator_t *create_enumerator(private_proposal_t *this, - transform_type_t type) +METHOD(proposal_t, create_enumerator, enumerator_t*, + private_proposal_t *this, transform_type_t type) { linked_list_t *list; @@ -192,11 +192,9 @@ static enumerator_t *create_enumerator(private_proposal_t *this, (void*)alg_filter, NULL, NULL); } -/** - * Implements proposal_t.get_algorithm. - */ -static bool get_algorithm(private_proposal_t *this, transform_type_t type, - u_int16_t *alg, u_int16_t *key_size) +METHOD(proposal_t, get_algorithm, bool, + private_proposal_t *this, transform_type_t type, + u_int16_t *alg, u_int16_t *key_size) { enumerator_t *enumerator; bool found = FALSE; @@ -210,10 +208,8 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type, return found; } -/** - * Implements proposal_t.has_dh_group - */ -static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group) +METHOD(proposal_t, has_dh_group, bool, + private_proposal_t *this, diffie_hellman_group_t group) { bool result = FALSE; @@ -240,10 +236,8 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group) return result; } -/** - * Implementation of proposal_t.strip_dh. - */ -static void strip_dh(private_proposal_t *this) +METHOD(proposal_t, strip_dh, void, + private_proposal_t *this) { algorithm_t *alg; @@ -254,28 +248,6 @@ static void strip_dh(private_proposal_t *this) } /** - * Returns true if the given alg is an authenticated encryption algorithm - */ -static bool is_authenticated_encryption(u_int16_t alg) -{ - switch(alg) - { - case ENCR_AES_CCM_ICV8: - case ENCR_AES_CCM_ICV12: - case ENCR_AES_CCM_ICV16: - case ENCR_AES_GCM_ICV8: - case ENCR_AES_GCM_ICV12: - case ENCR_AES_GCM_ICV16: - case ENCR_CAMELLIA_CCM_ICV8: - case ENCR_CAMELLIA_CCM_ICV12: - case ENCR_CAMELLIA_CCM_ICV16: - case ENCR_NULL_AUTH_AES_GMAC: - return TRUE; - } - return FALSE; -} - -/** * Find a matching alg/keysize in two linked lists */ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv, @@ -326,12 +298,10 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv, return FALSE; } -/** - * Implements proposal_t.select. - */ -static proposal_t *select_proposal(private_proposal_t *this, - private_proposal_t *other, bool private) +METHOD(proposal_t, select_proposal, proposal_t*, + private_proposal_t *this, proposal_t *other_pub, bool private) { + private_proposal_t *other = (private_proposal_t*)other_pub; proposal_t *selected; u_int16_t algo; size_t key_size; @@ -346,7 +316,7 @@ static proposal_t *select_proposal(private_proposal_t *this, return NULL; } - selected = proposal_create(this->protocol); + selected = proposal_create(this->protocol, other->number); /* select encryption algorithm */ if (select_algo(this->encryption_algos, other->encryption_algos, private, @@ -366,7 +336,7 @@ static proposal_t *select_proposal(private_proposal_t *this, return NULL; } /* select integrity algorithm */ - if (!is_authenticated_encryption(algo)) + if (!encryption_algorithm_is_aead(algo)) { if (select_algo(this->integrity_algos, other->integrity_algos, private, &add, &algo, &key_size)) @@ -442,26 +412,20 @@ static proposal_t *select_proposal(private_proposal_t *this, return selected; } -/** - * Implements proposal_t.get_protocols. - */ -static protocol_id_t get_protocol(private_proposal_t *this) +METHOD(proposal_t, get_protocol, protocol_id_t, + private_proposal_t *this) { return this->protocol; } -/** - * Implements proposal_t.set_spi. - */ -static void set_spi(private_proposal_t *this, u_int64_t spi) +METHOD(proposal_t, set_spi, void, + private_proposal_t *this, u_int64_t spi) { this->spi = spi; } -/** - * Implements proposal_t.get_spi. - */ -static u_int64_t get_spi(private_proposal_t *this) +METHOD(proposal_t, get_spi, u_int64_t, + private_proposal_t *this) { return this->spi; } @@ -514,19 +478,21 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2) return equals; } -/** - * Implementation of proposal_t.equals. - */ -static bool equals(private_proposal_t *this, private_proposal_t *other) +METHOD(proposal_t, get_number, u_int, + private_proposal_t *this) +{ + return this->number; +} + +METHOD(proposal_t, equals, bool, + private_proposal_t *this, proposal_t *other_pub) { + private_proposal_t *other = (private_proposal_t*)other_pub; + if (this == other) { return TRUE; } - if (this->public.equals != other->public.equals) - { - return FALSE; - } return ( algo_list_equals(this->encryption_algos, other->encryption_algos) && algo_list_equals(this->integrity_algos, other->integrity_algos) && @@ -535,13 +501,12 @@ static bool equals(private_proposal_t *this, private_proposal_t *other) algo_list_equals(this->esns, other->esns)); } -/** - * Implements proposal_t.clone - */ -static proposal_t *clone_(private_proposal_t *this) +METHOD(proposal_t, clone_, proposal_t*, + private_proposal_t *this) { - private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol); + private_proposal_t *clone; + clone = (private_proposal_t*)proposal_create(this->protocol, 0); clone_algo_list(this->encryption_algos, clone->encryption_algos); clone_algo_list(this->integrity_algos, clone->integrity_algos); clone_algo_list(this->prf_algos, clone->prf_algos); @@ -549,6 +514,7 @@ static proposal_t *clone_(private_proposal_t *this) clone_algo_list(this->esns, clone->esns); clone->spi = this->spi; + clone->number = this->number; return &clone->public; } @@ -565,7 +531,7 @@ static void check_proposal(private_proposal_t *this) e = this->encryption_algos->create_enumerator(this->encryption_algos); while (e->enumerate(e, &alg)) { - if (!is_authenticated_encryption(alg->algorithm)) + if (!encryption_algorithm_is_aead(alg->algorithm)) { all_aead = FALSE; break; @@ -623,6 +589,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) case AUTH_AES_XCBC_96: prf = PRF_AES128_XCBC; break; + case AUTH_CAMELLIA_XCBC_96: + prf = PRF_CAMELLIA128_XCBC; + break; default: prf = PRF_UNDEFINED; } @@ -715,10 +684,8 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, return written; } -/** - * Implements proposal_t.destroy. - */ -static void destroy(private_proposal_t *this) +METHOD(proposal_t, destroy, void, + private_proposal_t *this) { this->encryption_algos->destroy_function(this->encryption_algos, free); this->integrity_algos->destroy_function(this->integrity_algos, free); @@ -731,31 +698,34 @@ static void destroy(private_proposal_t *this) /* * Describtion in header-file */ -proposal_t *proposal_create(protocol_id_t protocol) +proposal_t *proposal_create(protocol_id_t protocol, u_int number) { - private_proposal_t *this = malloc_thing(private_proposal_t); - - this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm; - this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator; - this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm; - this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group; - this->public.strip_dh = (void(*)(proposal_t*))strip_dh; - this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal; - this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol; - this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi; - this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi; - this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals; - this->public.clone = (proposal_t*(*)(proposal_t*))clone_; - this->public.destroy = (void(*)(proposal_t*))destroy; - - this->spi = 0; - this->protocol = protocol; - - this->encryption_algos = linked_list_create(); - this->integrity_algos = linked_list_create(); - this->prf_algos = linked_list_create(); - this->dh_groups = linked_list_create(); - this->esns = linked_list_create(); + private_proposal_t *this; + + INIT(this, + .public = { + .add_algorithm = _add_algorithm, + .create_enumerator = _create_enumerator, + .get_algorithm = _get_algorithm, + .has_dh_group = _has_dh_group, + .strip_dh = _strip_dh, + .select = _select_proposal, + .get_protocol = _get_protocol, + .set_spi = _set_spi, + .get_spi = _get_spi, + .get_number = _get_number, + .equals = _equals, + .clone = _clone_, + .destroy = _destroy, + }, + .protocol = protocol, + .number = number, + .encryption_algos = linked_list_create(), + .integrity_algos = linked_list_create(), + .prf_algos = linked_list_create(), + .dh_groups = linked_list_create(), + .esns = linked_list_create(), + ); return &this->public; } @@ -777,19 +747,24 @@ static void proposal_add_supported_ike(private_proposal_t *this) switch (encryption) { case ENCR_AES_CBC: - /* we assume that we support all AES sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - case ENCR_3DES: case ENCR_AES_CTR: + case ENCR_CAMELLIA_CBC: + case ENCR_CAMELLIA_CTR: case ENCR_AES_CCM_ICV8: case ENCR_AES_CCM_ICV12: case ENCR_AES_CCM_ICV16: case ENCR_AES_GCM_ICV8: case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + /* we assume that we support all AES/Camellia sizes */ + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); + add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); + break; + case ENCR_3DES: add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0); break; case ENCR_DES: @@ -877,7 +852,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) */ proposal_t *proposal_create_default(protocol_id_t protocol) { - private_proposal_t *this = (private_proposal_t*)proposal_create(protocol); + private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); switch (protocol) { @@ -912,7 +887,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol) */ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs) { - private_proposal_t *this = (private_proposal_t*)proposal_create(protocol); + private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); chunk_t string = {(void*)algs, strlen(algs)}; chunk_t alg; status_t status = SUCCESS; diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h index 30f63b80d..97af5b60b 100644 --- a/src/libcharon/config/proposal.h +++ b/src/libcharon/config/proposal.h @@ -161,6 +161,13 @@ struct proposal_t { void (*set_spi) (proposal_t *this, u_int64_t spi); /** + * Get the proposal number, as encoded in SA payload + * + * @return proposal number + */ + u_int (*get_number)(proposal_t *this); + + /** * Check for the eqality of two proposals. * * @param other other proposal to check for equality @@ -185,9 +192,10 @@ struct proposal_t { * Create a child proposal for AH, ESP or IKE. * * @param protocol protocol, such as PROTO_ESP + * @param number proposal number, as encoded in SA payload * @return proposal_t object */ -proposal_t *proposal_create(protocol_id_t protocol); +proposal_t *proposal_create(protocol_id_t protocol, u_int number); /** * Create a default proposal if nothing further specified. diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index c0227027c..4b8e1fadd 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -33,6 +33,7 @@ #include <library.h> #include <config/proposal.h> +#include <kernel/kernel_handler.h> #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ #define LOG_AUTHPRIV LOG_AUTH @@ -50,6 +51,11 @@ struct private_daemon_t { daemon_t public; /** + * Handler for kernel events + */ + kernel_handler_t *kernel_handler; + + /** * capabilities to keep */ #ifdef CAPABILITIES_LIBCAP @@ -94,10 +100,8 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...) static void destroy(private_daemon_t *this) { /* terminate all idle threads */ - if (this->public.processor) - { - this->public.processor->set_threads(this->public.processor, 0); - } + lib->processor->set_threads(lib->processor, 0); + /* close all IKE_SAs */ if (this->public.ike_sa_manager) { @@ -110,21 +114,19 @@ static void destroy(private_daemon_t *this) #ifdef CAPABILITIES_LIBCAP cap_free(this->caps); #endif /* CAPABILITIES_LIBCAP */ + DESTROY_IF(this->kernel_handler); DESTROY_IF(this->public.traps); DESTROY_IF(this->public.ike_sa_manager); - DESTROY_IF(this->public.kernel_interface); - DESTROY_IF(this->public.scheduler); DESTROY_IF(this->public.controller); DESTROY_IF(this->public.eap); DESTROY_IF(this->public.sim); + DESTROY_IF(this->public.tnccs); #ifdef ME DESTROY_IF(this->public.connect_manager); DESTROY_IF(this->public.mediation_manager); #endif /* ME */ DESTROY_IF(this->public.backends); DESTROY_IF(this->public.socket); - /* wait until all threads are gone */ - DESTROY_IF(this->public.processor); /* rehook library logging, shutdown logging */ dbg = dbg_old; @@ -176,7 +178,7 @@ METHOD(daemon_t, start, void, private_daemon_t *this) { /* start the engine, go multithreaded */ - charon->processor->set_threads(charon->processor, + lib->processor->set_threads(lib->processor, lib->settings->get_int(lib->settings, "charon.threads", DEFAULT_THREADS)); } @@ -213,7 +215,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, int loggers_defined = 0; debug_t group; level_t def; - bool append; + bool append, ike_name; FILE *file; /* setup sysloggers */ @@ -222,13 +224,16 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, while (enumerator->enumerate(enumerator, &facility)) { loggers_defined++; + + ike_name = lib->settings->get_bool(lib->settings, + "charon.syslog.%s.ike_name", FALSE, facility); if (streq(facility, "daemon")) { - sys_logger = sys_logger_create(LOG_DAEMON); + sys_logger = sys_logger_create(LOG_DAEMON, ike_name); } else if (streq(facility, "auth")) { - sys_logger = sys_logger_create(LOG_AUTHPRIV); + sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); } else { @@ -282,7 +287,9 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, } file_logger = file_logger_create(file, lib->settings->get_str(lib->settings, - "charon.filelog.%s.time_format", NULL, filename)); + "charon.filelog.%s.time_format", NULL, filename), + lib->settings->get_bool(lib->settings, + "charon.filelog.%s.ike_name", FALSE, filename)); def = lib->settings->get_int(lib->settings, "charon.filelog.%s.default", 1, filename); for (group = 0; group < DBG_MAX; group++) @@ -303,12 +310,12 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, if (!loggers_defined) { /* set up default stdout file_logger */ - file_logger = file_logger_create(stdout, NULL); + file_logger = file_logger_create(stdout, NULL, FALSE); this->public.bus->add_listener(this->public.bus, &file_logger->listener); this->public.file_loggers->insert_last(this->public.file_loggers, file_logger); /* set up default daemon sys_logger */ - sys_logger = sys_logger_create(LOG_DAEMON); + sys_logger = sys_logger_create(LOG_DAEMON, FALSE); this->public.bus->add_listener(this->public.bus, &sys_logger->listener); this->public.sys_loggers->insert_last(this->public.sys_loggers, sys_logger); @@ -322,7 +329,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, } /* set up default auth sys_logger */ - sys_logger = sys_logger_create(LOG_AUTHPRIV); + sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); this->public.bus->add_listener(this->public.bus, &sys_logger->listener); this->public.sys_loggers->insert_last(this->public.sys_loggers, sys_logger); @@ -356,15 +363,14 @@ METHOD(daemon_t, initialize, bool, } /* load secrets, ca certificates and crls */ - this->public.processor = processor_create(); - this->public.scheduler = scheduler_create(); this->public.controller = controller_create(); this->public.eap = eap_manager_create(); this->public.sim = sim_manager_create(); + this->public.tnccs = tnccs_manager_create(); this->public.backends = backend_manager_create(); - this->public.kernel_interface = kernel_interface_create(); this->public.socket = socket_manager_create(); this->public.traps = trap_manager_create(); + this->kernel_handler = kernel_handler_create(); /* load plugins, further infrastructure may need it */ if (!lib->plugins->load(lib->plugins, NULL, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index 38f0256e7..c0c834b43 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -37,7 +37,7 @@ * @defgroup payloads payloads * @ingroup encoding * - * @defgroup kernel kernel + * @defgroup ckernel kernel * @ingroup libcharon * * @defgroup network network @@ -46,11 +46,11 @@ * @defgroup cplugins plugins * @ingroup libcharon * - * @defgroup processing processing + * @defgroup cprocessing processing * @ingroup libcharon * - * @defgroup jobs jobs - * @ingroup processing + * @defgroup cjobs jobs + * @ingroup cprocessing * * @defgroup sa sa * @ingroup libcharon @@ -140,9 +140,6 @@ typedef struct daemon_t daemon_t; #include <network/sender.h> #include <network/receiver.h> #include <network/socket_manager.h> -#include <processing/scheduler.h> -#include <processing/processor.h> -#include <kernel/kernel_interface.h> #include <control/controller.h> #include <bus/bus.h> #include <bus/listeners/file_logger.h> @@ -152,6 +149,7 @@ typedef struct daemon_t daemon_t; #include <config/backend_manager.h> #include <sa/authenticators/eap/eap_manager.h> #include <sa/authenticators/eap/sim_manager.h> +#include <tnccs/tnccs_manager.h> #ifdef ME #include <sa/connect_manager.h> @@ -209,16 +207,6 @@ struct daemon_t { receiver_t *receiver; /** - * The Scheduler-Thread. - */ - scheduler_t *scheduler; - - /** - * Job processing using a thread pool. - */ - processor_t *processor; - - /** * The signaling bus. */ bus_t *bus; @@ -234,11 +222,6 @@ struct daemon_t { linked_list_t *sys_loggers; /** - * Kernel Interface to communicate with kernel - */ - kernel_interface_t *kernel_interface; - - /** * Controller to control the daemon */ controller_t *controller; @@ -253,6 +236,11 @@ struct daemon_t { */ sim_manager_t *sim; + /** + * TNCCS manager to maintain registered TNCCS protocols + */ + tnccs_manager_t *tnccs; + #ifdef ME /** * Connect manager diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c index 6485da492..224f76fce 100644 --- a/src/libcharon/encoding/generator.c +++ b/src/libcharon/encoding/generator.c @@ -42,6 +42,16 @@ #include <encoding/payloads/configuration_attribute.h> #include <encoding/payloads/eap_payload.h> +/** + * Generating is done in a data buffer. + * This is the start size of this buffer in bytes. + */ +#define GENERATOR_DATA_BUFFER_SIZE 500 + +/** + * Number of bytes to increase the buffer, if it is too small. + */ +#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500 typedef struct private_generator_t private_generator_t; @@ -453,36 +463,19 @@ static void generate_from_chunk(private_generator_t *this, u_int32_t offset) write_bytes_to_buffer(this, value->ptr, value->len); } -/** - * Implementation of private_generator_t.write_to_chunk. - */ -static void write_to_chunk(private_generator_t *this,chunk_t *data) +METHOD(generator_t, get_chunk, chunk_t, + private_generator_t *this, u_int32_t **lenpos) { - int data_length = get_length(this); - u_int32_t header_length_field = data_length; - - /* write length into header length field */ - if (this->header_length_position_offset > 0) - { - u_int32_t val = htonl(header_length_field); - write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t), - this->header_length_position_offset); - } + chunk_t data; - if (this->current_bit > 0) - { - data_length++; - } - *data = chunk_alloc(data_length); - memcpy(data->ptr, this->buffer, data_length); - - DBG3(DBG_ENC, "generated data of this generator %B", data); + *lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset); + data = chunk_create(this->buffer, get_length(this)); + DBG3(DBG_ENC, "generated data of this generator %B", &data); + return data; } -/** - * Implementation of private_generator_t.generate_payload. - */ -static void generate_payload (private_generator_t *this,payload_t *payload) +METHOD(generator_t, generate_payload, void, + private_generator_t *this,payload_t *payload) { int i, offset_start; size_t rule_count; @@ -846,14 +839,11 @@ static void generate_payload (private_generator_t *this,payload_t *payload) this->out_position - this->buffer - offset_start); } -/** - * Implementation of generator_t.destroy. - */ -static status_t destroy(private_generator_t *this) +METHOD(generator_t, destroy, void, + private_generator_t *this) { free(this->buffer); free(this); - return SUCCESS; } /* @@ -863,26 +853,18 @@ generator_t *generator_create() { private_generator_t *this; - this = malloc_thing(private_generator_t); - - /* initiate public functions */ - this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload; - this->public.destroy = (void(*)(generator_t*)) destroy; - this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk; + INIT(this, + .public = { + .get_chunk = _get_chunk, + .generate_payload = _generate_payload, + .destroy = _destroy, + }, + .buffer = malloc(GENERATOR_DATA_BUFFER_SIZE), + ); - /* allocate memory for buffer */ - this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE); - - /* initiate private variables */ this->out_position = this->buffer; this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE; - this->data_struct = NULL; - this->current_bit = 0; - this->last_payload_length_position_offset = 0; - this->header_length_position_offset = 0; - this->attribute_format = FALSE; - this->attribute_length = 0; - - return &(this->public); + + return &this->public; } diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h index 2221c84af..fe561fdfd 100644 --- a/src/libcharon/encoding/generator.h +++ b/src/libcharon/encoding/generator.h @@ -29,24 +29,12 @@ typedef struct generator_t generator_t; #include <encoding/payloads/payload.h> /** - * Generating is done in a data buffer. - * This is the start size of this buffer in bytes. - */ -#define GENERATOR_DATA_BUFFER_SIZE 500 - -/** - * Number of bytes to increase the buffer, if it is too small. - */ -#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500 - - -/** * A generator_t class used to generate IKEv2 payloads. * * After creation, multiple payloads can be generated with the generate_payload * method. The generated bytes are appended. After all payloads are added, * the write_to_chunk method writes out all generated data since - * the creation of the generator. After that, the generator must be destroyed. + * the creation of the generator. * The generater uses a set of encoding rules, which it can get from * the supplied payload. With this rules, the generater can generate * the payload and all substructures automatically. @@ -56,18 +44,20 @@ struct generator_t { /** * Generates a specific payload from given payload object. * - * Remember: Header and substructures are also handled as payloads. - * * @param payload interface payload_t implementing object */ void (*generate_payload) (generator_t *this,payload_t *payload); /** - * Writes all generated data of the generator to a chunk. + * Return a chunk for the currently generated data. + * + * The returned length pointer must be filled in with the length of + * the generated chunk (in network order). * - * @param data chunk to write the data to + * @param lenpos receives a pointer to fill in length value + * @param return chunk to internal buffer. */ - void (*write_to_chunk) (generator_t *this,chunk_t *data); + chunk_t (*get_chunk) (generator_t *this, u_int32_t **lenpos); /** * Destroys a generator_t object. diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index ee49a6686..d41ad4697 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2006-2007 Tobias Brunner - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -43,111 +44,61 @@ */ #define MAX_DELETE_PAYLOADS 20 - -typedef struct payload_rule_t payload_rule_t; - /** * A payload rule defines the rules for a payload * in a specific message rule. It defines if and how * many times a payload must/can occur in a message * and if it must be encrypted. */ -struct payload_rule_t { - /** - * Payload type. - */ - payload_type_t payload_type; - - /** - * Minimal occurence of this payload. - */ - size_t min_occurence; - - /** - * Max occurence of this payload. - */ - size_t max_occurence; - - /** - * TRUE if payload must be encrypted - */ - bool encrypted; - - /** - * If this payload occurs, the message rule is - * fullfilled in any case. This applies e.g. to - * notify_payloads. - */ - bool sufficient; -}; - -typedef struct payload_order_t payload_order_t; +typedef struct { + /* Payload type */ + payload_type_t type; + /* Minimal occurence of this payload. */ + size_t min_occurence; + /* Max occurence of this payload. */ + size_t max_occurence; + /* TRUE if payload must be encrypted */ + bool encrypted; + /* If payload occurs, the message rule is fullfilled */ + bool sufficient; +} payload_rule_t; /** * payload ordering structure allows us to reorder payloads according to RFC. */ -struct payload_order_t { - - /** - * payload type - */ +typedef struct { + /** payload type */ payload_type_t type; - - /** - * notify type, if payload == NOTIFY - */ + /** notify type, if payload == NOTIFY */ notify_type_t notify; -}; - - -typedef struct message_rule_t message_rule_t; +} payload_order_t; /** * A message rule defines the kind of a message, * if it has encrypted contents and a list * of payload ordering rules and payload parsing rules. */ -struct message_rule_t { - /** - * Type of message. - */ +typedef struct { + /** Type of message. */ exchange_type_t exchange_type; - - /** - * Is message a request or response. - */ + /** Is message a request or response. */ bool is_request; - - /** - * Message contains encrypted content. - */ - bool encrypted_content; - - /** - * Number of payload rules which will follow - */ - int payload_rule_count; - - /** - * Pointer to first payload rule - */ - payload_rule_t *payload_rules; - - /** - * Number of payload order rules - */ - int payload_order_count; - - /** - * payload ordering rules - */ - payload_order_t *payload_order; -}; + /** Message contains encrypted payloads. */ + bool encrypted; + /** Number of payload rules which will follow */ + int rule_count; + /** Pointer to first payload rule */ + payload_rule_t *rules; + /** Number of payload order rules */ + int order_count; + /** payload ordering rules */ + payload_order_t *order; +} message_rule_t; /** * Message rule for IKE_SA_INIT from initiator. */ -static payload_rule_t ike_sa_init_i_payload_rules[] = { +static payload_rule_t ike_sa_init_i_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE}, {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE}, @@ -159,7 +110,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = { /** * payload order for IKE_SA_INIT initiator */ -static payload_order_t ike_sa_init_i_payload_order[] = { +static payload_order_t ike_sa_init_i_order[] = { /* payload type notify type */ {NOTIFY, COOKIE}, {SECURITY_ASSOCIATION, 0}, @@ -174,7 +125,7 @@ static payload_order_t ike_sa_init_i_payload_order[] = { /** * Message rule for IKE_SA_INIT from responder. */ -static payload_rule_t ike_sa_init_r_payload_rules[] = { +static payload_rule_t ike_sa_init_r_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE}, {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE}, @@ -186,7 +137,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = { /** * payload order for IKE_SA_INIT responder */ -static payload_order_t ike_sa_init_r_payload_order[] = { +static payload_order_t ike_sa_init_r_order[] = { /* payload type notify type */ {SECURITY_ASSOCIATION, 0}, {KEY_EXCHANGE, 0}, @@ -202,7 +153,7 @@ static payload_order_t ike_sa_init_r_payload_order[] = { /** * Message rule for IKE_AUTH from initiator. */ -static payload_rule_t ike_auth_i_payload_rules[] = { +static payload_rule_t ike_auth_i_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE}, @@ -227,7 +178,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = { /** * payload order for IKE_AUTH initiator */ -static payload_order_t ike_auth_i_payload_order[] = { +static payload_order_t ike_auth_i_order[] = { /* payload type notify type */ {ID_INITIATOR, 0}, {CERTIFICATE, 0}, @@ -256,7 +207,7 @@ static payload_order_t ike_auth_i_payload_order[] = { /** * Message rule for IKE_AUTH from responder. */ -static payload_rule_t ike_auth_r_payload_rules[] = { +static payload_rule_t ike_auth_r_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE}, @@ -273,7 +224,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = { /** * payload order for IKE_AUTH responder */ -static payload_order_t ike_auth_r_payload_order[] = { +static payload_order_t ike_auth_r_order[] = { /* payload type notify type */ {ID_RESPONDER, 0}, {CERTIFICATE, 0}, @@ -299,7 +250,7 @@ static payload_order_t ike_auth_r_payload_order[] = { /** * Message rule for INFORMATIONAL from initiator. */ -static payload_rule_t informational_i_payload_rules[] = { +static payload_rule_t informational_i_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {CONFIGURATION, 0, 1, TRUE, FALSE}, @@ -310,7 +261,7 @@ static payload_rule_t informational_i_payload_rules[] = { /** * payload order for INFORMATIONAL initiator */ -static payload_order_t informational_i_payload_order[] = { +static payload_order_t informational_i_order[] = { /* payload type notify type */ {NOTIFY, UPDATE_SA_ADDRESSES}, {NOTIFY, NAT_DETECTION_SOURCE_IP}, @@ -324,7 +275,7 @@ static payload_order_t informational_i_payload_order[] = { /** * Message rule for INFORMATIONAL from responder. */ -static payload_rule_t informational_r_payload_rules[] = { +static payload_rule_t informational_r_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {CONFIGURATION, 0, 1, TRUE, FALSE}, @@ -335,7 +286,7 @@ static payload_rule_t informational_r_payload_rules[] = { /** * payload order for INFORMATIONAL responder */ -static payload_order_t informational_r_payload_order[] = { +static payload_order_t informational_r_order[] = { /* payload type notify type */ {NOTIFY, UPDATE_SA_ADDRESSES}, {NOTIFY, NAT_DETECTION_SOURCE_IP}, @@ -349,7 +300,7 @@ static payload_order_t informational_r_payload_order[] = { /** * Message rule for CREATE_CHILD_SA from initiator. */ -static payload_rule_t create_child_sa_i_payload_rules[] = { +static payload_rule_t create_child_sa_i_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE}, @@ -364,7 +315,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = { /** * payload order for CREATE_CHILD_SA from initiator. */ -static payload_order_t create_child_sa_i_payload_order[] = { +static payload_order_t create_child_sa_i_order[] = { /* payload type notify type */ {NOTIFY, REKEY_SA}, {NOTIFY, IPCOMP_SUPPORTED}, @@ -382,7 +333,7 @@ static payload_order_t create_child_sa_i_payload_order[] = { /** * Message rule for CREATE_CHILD_SA from responder. */ -static payload_rule_t create_child_sa_r_payload_rules[] = { +static payload_rule_t create_child_sa_r_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE}, @@ -397,7 +348,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = { /** * payload order for CREATE_CHILD_SA from responder. */ -static payload_order_t create_child_sa_r_payload_order[] = { +static payload_order_t create_child_sa_r_order[] = { /* payload type notify type */ {NOTIFY, IPCOMP_SUPPORTED}, {NOTIFY, USE_TRANSPORT_MODE}, @@ -416,7 +367,7 @@ static payload_order_t create_child_sa_r_payload_order[] = { /** * Message rule for ME_CONNECT from initiator. */ -static payload_rule_t me_connect_i_payload_rules[] = { +static payload_rule_t me_connect_i_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {ID_PEER, 1, 1, TRUE, FALSE}, @@ -426,7 +377,7 @@ static payload_rule_t me_connect_i_payload_rules[] = { /** * payload order for ME_CONNECT from initiator. */ -static payload_order_t me_connect_i_payload_order[] = { +static payload_order_t me_connect_i_order[] = { /* payload type notify type */ {NOTIFY, 0}, {ID_PEER, 0}, @@ -436,7 +387,7 @@ static payload_order_t me_connect_i_payload_order[] = { /** * Message rule for ME_CONNECT from responder. */ -static payload_rule_t me_connect_r_payload_rules[] = { +static payload_rule_t me_connect_r_rules[] = { /* payload type min max encr suff */ {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {VENDOR_ID, 0, 10, TRUE, FALSE} @@ -445,7 +396,7 @@ static payload_rule_t me_connect_r_payload_rules[] = { /** * payload order for ME_CONNECT from responder. */ -static payload_order_t me_connect_r_payload_order[] = { +static payload_order_t me_connect_r_order[] = { /* payload type notify type */ {NOTIFY, 0}, {VENDOR_ID, 0}, @@ -457,65 +408,45 @@ static payload_order_t me_connect_r_payload_order[] = { */ static message_rule_t message_rules[] = { {IKE_SA_INIT, TRUE, FALSE, - (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)), - ike_sa_init_i_payload_rules, - (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)), - ike_sa_init_i_payload_order, + countof(ike_sa_init_i_rules), ike_sa_init_i_rules, + countof(ike_sa_init_i_order), ike_sa_init_i_order, }, {IKE_SA_INIT, FALSE, FALSE, - (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)), - ike_sa_init_r_payload_rules, - (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)), - ike_sa_init_r_payload_order, + countof(ike_sa_init_r_rules), ike_sa_init_r_rules, + countof(ike_sa_init_r_order), ike_sa_init_r_order, }, {IKE_AUTH, TRUE, TRUE, - (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)), - ike_auth_i_payload_rules, - (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)), - ike_auth_i_payload_order, + countof(ike_auth_i_rules), ike_auth_i_rules, + countof(ike_auth_i_order), ike_auth_i_order, }, {IKE_AUTH, FALSE, TRUE, - (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)), - ike_auth_r_payload_rules, - (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)), - ike_auth_r_payload_order, + countof(ike_auth_r_rules), ike_auth_r_rules, + countof(ike_auth_r_order), ike_auth_r_order, }, {INFORMATIONAL, TRUE, TRUE, - (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)), - informational_i_payload_rules, - (sizeof(informational_i_payload_order)/sizeof(payload_order_t)), - informational_i_payload_order, + countof(informational_i_rules), informational_i_rules, + countof(informational_i_order), informational_i_order, }, {INFORMATIONAL, FALSE, TRUE, - (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)), - informational_r_payload_rules, - (sizeof(informational_r_payload_order)/sizeof(payload_order_t)), - informational_r_payload_order, + countof(informational_r_rules), informational_r_rules, + countof(informational_r_order), informational_r_order, }, {CREATE_CHILD_SA, TRUE, TRUE, - (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)), - create_child_sa_i_payload_rules, - (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)), - create_child_sa_i_payload_order, + countof(create_child_sa_i_rules), create_child_sa_i_rules, + countof(create_child_sa_i_order), create_child_sa_i_order, }, {CREATE_CHILD_SA, FALSE, TRUE, - (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)), - create_child_sa_r_payload_rules, - (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)), - create_child_sa_r_payload_order, + countof(create_child_sa_r_rules), create_child_sa_r_rules, + countof(create_child_sa_r_order), create_child_sa_r_order, }, #ifdef ME {ME_CONNECT, TRUE, TRUE, - (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)), - me_connect_i_payload_rules, - (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)), - me_connect_i_payload_order, + countof(me_connect_i_rules), me_connect_i_rules, + countof(me_connect_i_order), me_connect_i_order, }, {ME_CONNECT, FALSE, TRUE, - (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)), - me_connect_r_payload_rules, - (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)), - me_connect_r_payload_order, + countof(me_connect_r_rules), me_connect_r_rules, + countof(me_connect_r_order), me_connect_r_order, }, #endif /* ME */ }; @@ -586,169 +517,132 @@ struct private_message_t { /** * The message rule for this message instance */ - message_rule_t *message_rule; + message_rule_t *rule; }; /** - * Implementation of private_message_t.set_message_rule. + * Get the message rule that applies to this message */ -static status_t set_message_rule(private_message_t *this) +static message_rule_t* get_message_rule(private_message_t *this) { int i; - for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++) + for (i = 0; i < countof(message_rules); i++) { if ((this->exchange_type == message_rules[i].exchange_type) && (this->is_request == message_rules[i].is_request)) { - /* found rule for given exchange_type*/ - this->message_rule = &(message_rules[i]); - return SUCCESS; + return &message_rules[i]; } } - this->message_rule = NULL; - return NOT_FOUND; + return NULL; } /** - * Implementation of private_message_t.get_payload_rule. + * Look up a payload rule */ -static status_t get_payload_rule(private_message_t *this, - payload_type_t payload_type, payload_rule_t **payload_rule) +static payload_rule_t* get_payload_rule(private_message_t *this, + payload_type_t type) { int i; - for (i = 0; i < this->message_rule->payload_rule_count;i++) + for (i = 0; i < this->rule->rule_count;i++) { - if (this->message_rule->payload_rules[i].payload_type == payload_type) + if (this->rule->rules[i].type == type) { - *payload_rule = &(this->message_rule->payload_rules[i]); - return SUCCESS; + return &this->rule->rules[i]; } } - - *payload_rule = NULL; - return NOT_FOUND; + return NULL; } -/** - * Implementation of message_t.set_ike_sa_id. - */ -static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id) +METHOD(message_t, set_ike_sa_id, void, + private_message_t *this,ike_sa_id_t *ike_sa_id) { DESTROY_IF(this->ike_sa_id); this->ike_sa_id = ike_sa_id->clone(ike_sa_id); } -/** - * Implementation of message_t.get_ike_sa_id. - */ -static ike_sa_id_t* get_ike_sa_id(private_message_t *this) +METHOD(message_t, get_ike_sa_id, ike_sa_id_t*, + private_message_t *this) { return this->ike_sa_id; } -/** - * Implementation of message_t.set_message_id. - */ -static void set_message_id(private_message_t *this,u_int32_t message_id) +METHOD(message_t, set_message_id, void, + private_message_t *this,u_int32_t message_id) { this->message_id = message_id; } -/** - * Implementation of message_t.get_message_id. - */ -static u_int32_t get_message_id(private_message_t *this) +METHOD(message_t, get_message_id, u_int32_t, + private_message_t *this) { return this->message_id; } -/** - * Implementation of message_t.get_initiator_spi. - */ -static u_int64_t get_initiator_spi(private_message_t *this) +METHOD(message_t, get_initiator_spi, u_int64_t, + private_message_t *this) { return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id)); } -/** - * Implementation of message_t.get_responder_spi. - */ -static u_int64_t get_responder_spi(private_message_t *this) +METHOD(message_t, get_responder_spi, u_int64_t, + private_message_t *this) { return (this->ike_sa_id->get_responder_spi(this->ike_sa_id)); } -/** - * Implementation of message_t.set_major_version. - */ -static void set_major_version(private_message_t *this,u_int8_t major_version) +METHOD(message_t, set_major_version, void, + private_message_t *this, u_int8_t major_version) { this->major_version = major_version; } -/** - * Implementation of message_t.set_major_version. - */ -static u_int8_t get_major_version(private_message_t *this) +METHOD(message_t, get_major_version, u_int8_t, + private_message_t *this) { return this->major_version; } -/** - * Implementation of message_t.set_minor_version. - */ -static void set_minor_version(private_message_t *this,u_int8_t minor_version) +METHOD(message_t, set_minor_version, void, + private_message_t *this,u_int8_t minor_version) { this->minor_version = minor_version; } -/** - * Implementation of message_t.get_minor_version. - */ -static u_int8_t get_minor_version(private_message_t *this) +METHOD(message_t, get_minor_version, u_int8_t, + private_message_t *this) { return this->minor_version; } -/** - * Implementation of message_t.set_exchange_type. - */ -static void set_exchange_type(private_message_t *this, - exchange_type_t exchange_type) +METHOD(message_t, set_exchange_type, void, + private_message_t *this, exchange_type_t exchange_type) { this->exchange_type = exchange_type; } -/** - * Implementation of message_t.get_exchange_type. - */ -static exchange_type_t get_exchange_type(private_message_t *this) +METHOD(message_t, get_exchange_type, exchange_type_t, + private_message_t *this) { return this->exchange_type; } -/** - * Implementation of message_t.get_first_payload_type. - */ -static payload_type_t get_first_payload_type(private_message_t *this) +METHOD(message_t, get_first_payload_type, payload_type_t, + private_message_t *this) { return this->first_payload; } -/** - * Implementation of message_t.set_request. - */ -static void set_request(private_message_t *this, bool request) +METHOD(message_t, set_request, void, + private_message_t *this, bool request) { this->is_request = request; } -/** - * Implementation of message_t.get_request. - */ -static exchange_type_t get_request(private_message_t *this) +METHOD(message_t, get_request, bool, + private_message_t *this) { return this->is_request; } @@ -767,10 +661,8 @@ static bool is_encoded(private_message_t *this) return TRUE; } -/** - * Implementation of message_t.add_payload. - */ -static void add_payload(private_message_t *this, payload_t *payload) +METHOD(message_t, add_payload, void, + private_message_t *this, payload_t *payload) { payload_t *last_payload; @@ -790,11 +682,8 @@ static void add_payload(private_message_t *this, payload_t *payload) payload_type_names, payload->get_type(payload)); } -/** - * Implementation of message_t.add_notify. - */ -static void add_notify(private_message_t *this, bool flush, notify_type_t type, - chunk_t data) +METHOD(message_t, add_notify, void, + private_message_t *this, bool flush, notify_type_t type, chunk_t data) { notify_payload_t *notify; payload_t *payload; @@ -813,50 +702,38 @@ static void add_notify(private_message_t *this, bool flush, notify_type_t type, add_payload(this, (payload_t*)notify); } -/** - * Implementation of message_t.set_source. - */ -static void set_source(private_message_t *this, host_t *host) +METHOD(message_t, set_source, void, + private_message_t *this, host_t *host) { this->packet->set_source(this->packet, host); } -/** - * Implementation of message_t.set_destination. - */ -static void set_destination(private_message_t *this, host_t *host) +METHOD(message_t, set_destination, void, + private_message_t *this, host_t *host) { this->packet->set_destination(this->packet, host); } -/** - * Implementation of message_t.get_source. - */ -static host_t* get_source(private_message_t *this) +METHOD(message_t, get_source, host_t*, + private_message_t *this) { return this->packet->get_source(this->packet); } -/** - * Implementation of message_t.get_destination. - */ -static host_t * get_destination(private_message_t *this) +METHOD(message_t, get_destination, host_t*, + private_message_t *this) { return this->packet->get_destination(this->packet); } -/** - * Implementation of message_t.create_payload_enumerator. - */ -static enumerator_t *create_payload_enumerator(private_message_t *this) +METHOD(message_t, create_payload_enumerator, enumerator_t*, + private_message_t *this) { return this->payloads->create_enumerator(this->payloads); } -/** - * Implementation of message_t.get_payload. - */ -static payload_t *get_payload(private_message_t *this, payload_type_t type) +METHOD(message_t, get_payload, payload_t*, + private_message_t *this, payload_type_t type) { payload_t *current, *found = NULL; enumerator_t *enumerator; @@ -874,10 +751,8 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type) return found; } -/** - * Implementation of message_t.get_notify - */ -static notify_payload_t* get_notify(private_message_t *this, notify_type_t type) +METHOD(message_t, get_notify, notify_payload_t*, + private_message_t *this, notify_type_t type) { enumerator_t *enumerator; notify_payload_t *notify = NULL; @@ -1034,11 +909,13 @@ static void order_payloads(private_message_t *this) list->insert_first(list, payload); } /* for each rule, ... */ - for (i = 0; i < this->message_rule->payload_order_count; i++) + for (i = 0; i < this->rule->order_count; i++) { enumerator_t *enumerator; notify_payload_t *notify; - payload_order_t order = this->message_rule->payload_order[i]; + payload_order_t order; + + order = this->rule->order[i]; /* ... find all payload ... */ enumerator = list->create_enumerator(list); @@ -1068,8 +945,8 @@ static void order_payloads(private_message_t *this) { DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s", payload_type_names, payload->get_type(payload), - exchange_type_names, this->message_rule->exchange_type, - this->message_rule->is_request ? "request" : "response"); + exchange_type_names, this->rule->exchange_type, + this->rule->is_request ? "request" : "response"); } add_payload(this, payload); } @@ -1077,98 +954,67 @@ static void order_payloads(private_message_t *this) } /** - * Implementation of private_message_t.encrypt_payloads. + * Wrap payloads in a encryption payload */ -static status_t encrypt_payloads(private_message_t *this, - crypter_t *crypter, signer_t* signer) +static encryption_payload_t* wrap_payloads(private_message_t *this) { encryption_payload_t *encryption; linked_list_t *payloads; payload_t *current; - status_t status; - if (!this->message_rule->encrypted_content) - { - DBG2(DBG_ENC, "message doesn't have to be encrypted"); - /* message contains no content to encrypt */ - return SUCCESS; - } - - if (!crypter || !signer) - { - DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message"); - /* message contains no content to encrypt */ - return SUCCESS; - } - - DBG2(DBG_ENC, "copy all payloads to a temporary list"); + /* copy all payloads in a temporary list */ payloads = linked_list_create(); - - /* first copy all payloads in a temporary list */ - while (this->payloads->get_count(this->payloads) > 0) + while (this->payloads->remove_first(this->payloads, + (void**)¤t) == SUCCESS) { - this->payloads->remove_first(this->payloads, (void**)¤t); payloads->insert_last(payloads, current); } encryption = encryption_payload_create(); - - DBG2(DBG_ENC, "check each payloads if they have to get encrypted"); - while (payloads->get_count(payloads) > 0) + while (payloads->remove_first(payloads, (void**)¤t) == SUCCESS) { payload_rule_t *rule; payload_type_t type; - bool to_encrypt = TRUE; - - payloads->remove_first(payloads, (void**)¤t); + bool encrypt = TRUE; type = current->get_type(current); - if (get_payload_rule(this, type, &rule) == SUCCESS) + rule = get_payload_rule(this, type); + if (rule) { - to_encrypt = rule->encrypted; + encrypt = rule->encrypted; } - if (to_encrypt) + if (encrypt) { DBG2(DBG_ENC, "insert payload %N to encryption payload", - payload_type_names, current->get_type(current)); + payload_type_names, type); encryption->add_payload(encryption, current); } else { DBG2(DBG_ENC, "insert payload %N unencrypted", - payload_type_names, current->get_type(current)); - add_payload(this, (payload_t*)current); + payload_type_names, type); + add_payload(this, current); } } - - DBG2(DBG_ENC, "encrypting encryption payload"); - encryption->set_transforms(encryption, crypter, signer); - status = encryption->encrypt(encryption); - DBG2(DBG_ENC, "add encrypted payload to payload list"); - add_payload(this, (payload_t*)encryption); - payloads->destroy(payloads); - return status; + return encryption; } -/** - * Implementation of message_t.generate. - */ -static status_t generate(private_message_t *this, crypter_t *crypter, - signer_t* signer, packet_t **packet) +METHOD(message_t, generate, status_t, + private_message_t *this, aead_t *aead, packet_t **packet) { generator_t *generator; ike_header_t *ike_header; - payload_t *payload, *next_payload; + payload_t *payload, *next; + encryption_payload_t *encryption = NULL; enumerator_t *enumerator; - status_t status; - chunk_t packet_data; + chunk_t chunk; char str[256]; + u_int32_t *lenpos; if (is_encoded(this)) - { - /* already generated, return a new packet clone */ + { /* already generated, return a new packet clone */ *packet = this->packet->clone(this->packet); return SUCCESS; } @@ -1182,14 +1028,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter, if (this->packet->get_source(this->packet) == NULL || this->packet->get_destination(this->packet) == NULL) { - DBG1(DBG_ENC, "%s not defined", - !this->packet->get_source(this->packet) ? "source" : "destination"); + DBG1(DBG_ENC, "source/destination not defined"); return INVALID_STATE; } - /* set the rules for this messge */ - status = set_message_rule(this); - if (status != SUCCESS) + this->rule = get_message_rule(this); + if (!this->rule) { DBG1(DBG_ENC, "no message rules specified for this message type"); return NOT_SUPPORTED; @@ -1199,17 +1043,16 @@ static status_t generate(private_message_t *this, crypter_t *crypter, DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); - /* going to encrypt all content which have to be encrypted */ - status = encrypt_payloads(this, crypter, signer); - if (status != SUCCESS) + if (aead && this->rule->encrypted) { - DBG1(DBG_ENC, "payload encryption failed"); - return status; + encryption = wrap_payloads(this); + } + else + { + DBG2(DBG_ENC, "not encrypting payloads"); } - /* build ike header */ ike_header = ike_header_create(); - ike_header->set_exchange_type(ike_header, this->exchange_type); ike_header->set_message_id(ike_header, this->message_id); ike_header->set_response_flag(ike_header, !this->is_request); @@ -1222,54 +1065,49 @@ static status_t generate(private_message_t *this, crypter_t *crypter, generator = generator_create(); + /* generate all payloads with proper next type */ payload = (payload_t*)ike_header; - - /* generate every payload expect last one, this is done later*/ enumerator = create_payload_enumerator(this); - while (enumerator->enumerate(enumerator, &next_payload)) + while (enumerator->enumerate(enumerator, &next)) { - payload->set_next_type(payload, next_payload->get_type(next_payload)); + payload->set_next_type(payload, next->get_type(next)); generator->generate_payload(generator, payload); - payload = next_payload; + payload = next; } enumerator->destroy(enumerator); - - /* last payload has no next payload*/ - payload->set_next_type(payload, NO_PAYLOAD); - + payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD); generator->generate_payload(generator, payload); - ike_header->destroy(ike_header); - /* build packet */ - generator->write_to_chunk(generator, &packet_data); - generator->destroy(generator); - - /* if last payload is of type encrypted, integrity checksum if necessary */ - if (payload->get_type(payload) == ENCRYPTED) + if (encryption) { - DBG2(DBG_ENC, "build signature on whole message"); - encryption_payload_t *encryption_payload = (encryption_payload_t*)payload; - status = encryption_payload->build_signature(encryption_payload, packet_data); - if (status != SUCCESS) + u_int32_t *lenpos; + + /* build associated data (without header of encryption payload) */ + chunk = generator->get_chunk(generator, &lenpos); + encryption->set_transform(encryption, aead); + /* fill in length, including encryption payload */ + htoun32(lenpos, chunk.len + encryption->get_length(encryption)); + + this->payloads->insert_last(this->payloads, encryption); + if (!encryption->encrypt(encryption, chunk)) { - return status; + generator->destroy(generator); + return INVALID_STATE; } + generator->generate_payload(generator, &encryption->payload_interface); } + chunk = generator->get_chunk(generator, &lenpos); + htoun32(lenpos, chunk.len); + this->packet->set_data(this->packet, chunk_clone(chunk)); + generator->destroy(generator); - this->packet->set_data(this->packet, packet_data); - - /* clone packet for caller */ *packet = this->packet->clone(this->packet); - - DBG2(DBG_ENC, "message generated successfully"); return SUCCESS; } -/** - * Implementation of message_t.get_packet. - */ -static packet_t *get_packet(private_message_t *this) +METHOD(message_t, get_packet, packet_t*, + private_message_t *this) { if (this->packet == NULL) { @@ -1278,10 +1116,8 @@ static packet_t *get_packet(private_message_t *this) return this->packet->clone(this->packet); } -/** - * Implementation of message_t.get_packet_data. - */ -static chunk_t get_packet_data(private_message_t *this) +METHOD(message_t, get_packet_data, chunk_t, + private_message_t *this) { if (this->packet == NULL) { @@ -1290,10 +1126,8 @@ static chunk_t get_packet_data(private_message_t *this) return chunk_clone(this->packet->get_data(this->packet)); } -/** - * Implementation of message_t.parse_header. - */ -static status_t parse_header(private_message_t *this) +METHOD(message_t, parse_header, status_t, + private_message_t *this) { ike_header_t *ike_header; status_t status; @@ -1310,7 +1144,6 @@ static status_t parse_header(private_message_t *this) } - /* verify payload */ status = ike_header->payload_interface.verify( &ike_header->payload_interface); if (status != SUCCESS) @@ -1320,18 +1153,14 @@ static status_t parse_header(private_message_t *this) return status; } - if (this->ike_sa_id != NULL) - { - this->ike_sa_id->destroy(this->ike_sa_id); - } - + DESTROY_IF(this->ike_sa_id); this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header), ike_header->get_responder_spi(ike_header), ike_header->get_initiator_flag(ike_header)); this->exchange_type = ike_header->get_exchange_type(ike_header); this->message_id = ike_header->get_message_id(ike_header); - this->is_request = (!(ike_header->get_response_flag(ike_header))); + this->is_request = !ike_header->get_response_flag(ike_header); this->major_version = ike_header->get_maj_version(ike_header); this->minor_version = ike_header->get_min_version(ike_header); this->first_payload = ike_header->payload_interface.get_next_type( @@ -1342,232 +1171,151 @@ static status_t parse_header(private_message_t *this) ike_header->destroy(ike_header); - /* get the rules for this messge */ - status = set_message_rule(this); - if (status != SUCCESS) + this->rule = get_message_rule(this); + if (!this->rule) { DBG1(DBG_ENC, "no message rules specified for a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); } - return status; } /** - * Implementation of private_message_t.decrypt_and_verify_payloads. + * Decrypt payload from the encryption payload */ -static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter, - signer_t* signer) +static status_t decrypt_payloads(private_message_t *this, aead_t *aead) { - bool current_payload_was_encrypted = FALSE; - payload_t *previous_payload = NULL; - int payload_number = 1; - iterator_t *iterator; - payload_t *current_payload; - status_t status; - - iterator = this->payloads->create_iterator(this->payloads,TRUE); + bool was_encrypted = FALSE; + payload_t *payload, *previous = NULL; + enumerator_t *enumerator; + payload_rule_t *rule; + payload_type_t type; + status_t status = SUCCESS; - /* process each payload and decrypt a encryption payload */ - while(iterator->iterate(iterator, (void**)¤t_payload)) + enumerator = this->payloads->create_enumerator(this->payloads); + while (enumerator->enumerate(enumerator, &payload)) { - payload_rule_t *payload_rule; - payload_type_t current_payload_type; + type = payload->get_type(payload); - /* needed to check */ - current_payload_type = current_payload->get_type(current_payload); + DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type); - DBG2(DBG_ENC, "process payload of type %N", - payload_type_names, current_payload_type); - - if (current_payload_type == ENCRYPTED) + if (type == ENCRYPTED) { - encryption_payload_t *encryption_payload; - payload_t *current_encrypted_payload; + encryption_payload_t *encryption; + payload_t *encrypted; + chunk_t chunk; - encryption_payload = (encryption_payload_t*)current_payload; + encryption = (encryption_payload_t*)payload; DBG2(DBG_ENC, "found an encryption payload"); - if (payload_number != this->payloads->get_count(this->payloads)) + if (enumerator->enumerate(enumerator, &payload)) { - /* encrypted payload is not last one */ DBG1(DBG_ENC, "encrypted payload is not last payload"); - iterator->destroy(iterator); - return VERIFY_ERROR; + status = VERIFY_ERROR; + break; } - /* decrypt */ - encryption_payload->set_transforms(encryption_payload, - crypter, signer); - DBG2(DBG_ENC, "verify signature of encryption payload"); - status = encryption_payload->verify_signature(encryption_payload, - this->packet->get_data(this->packet)); - if (status != SUCCESS) + encryption->set_transform(encryption, aead); + chunk = this->packet->get_data(this->packet); + if (chunk.len < encryption->get_length(encryption)) { - DBG1(DBG_ENC, "encryption payload signature invalid"); - iterator->destroy(iterator); - return FAILED; + DBG1(DBG_ENC, "invalid payload length"); + status = VERIFY_ERROR; + break; } - DBG2(DBG_ENC, "decrypting content of encryption payload"); - status = encryption_payload->decrypt(encryption_payload); + chunk.len -= encryption->get_length(encryption); + status = encryption->decrypt(encryption, chunk); if (status != SUCCESS) { - DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed"); - iterator->destroy(iterator); - return PARSE_ERROR; - } - - /* needed later to find out if a payload was encrypted */ - current_payload_was_encrypted = TRUE; - - /* check if there are payloads contained in the encryption payload */ - if (encryption_payload->get_payload_count(encryption_payload) == 0) - { - DBG2(DBG_ENC, "encrypted payload is empty"); - /* remove the encryption payload, is not needed anymore */ - iterator->remove(iterator); - /* encrypted payload contains no other payload */ - current_payload_type = NO_PAYLOAD; - } - else - { - /* encryption_payload is replaced with first payload contained - * in encryption_payload */ - encryption_payload->remove_first_payload(encryption_payload, - ¤t_encrypted_payload); - iterator->replace(iterator, NULL, - (void *)current_encrypted_payload); - current_payload_type = current_encrypted_payload->get_type( - current_encrypted_payload); + break; } - /* is the current paylad the first in the message? */ - if (previous_payload == NULL) - { - /* yes, set the first payload type of the message to the - * current type */ - this->first_payload = current_payload_type; - } - else - { - /* no, set the next_type of the previous payload to the - * current type */ - previous_payload->set_next_type(previous_payload, - current_payload_type); - } + was_encrypted = TRUE; + this->payloads->remove_at(this->payloads, enumerator); - /* all encrypted payloads are added to the payload list */ - while (encryption_payload->get_payload_count(encryption_payload) > 0) + while ((encrypted = encryption->remove_payload(encryption))) { - encryption_payload->remove_first_payload(encryption_payload, - ¤t_encrypted_payload); - DBG2(DBG_ENC, "insert unencrypted payload of type " - "%N at end of list", payload_type_names, - current_encrypted_payload->get_type( - current_encrypted_payload)); - this->payloads->insert_last(this->payloads, - current_encrypted_payload); + type = encrypted->get_type(encrypted); + if (previous) + { + previous->set_next_type(previous, type); + } + else + { + this->first_payload = type; + } + DBG2(DBG_ENC, "insert decrypted payload of type " + "%N at end of list", payload_type_names, type); + this->payloads->insert_last(this->payloads, encrypted); + previous = encrypted; } - - /* encryption payload is processed, payloads are moved. Destroy it. */ - encryption_payload->destroy(encryption_payload); + encryption->destroy(encryption); } - - /* we allow unknown payloads of any type and don't bother if it was - * encrypted. Not our problem. */ - if (current_payload_type != UNKNOWN_PAYLOAD && - current_payload_type != NO_PAYLOAD) + if (type != UNKNOWN_PAYLOAD && !was_encrypted) { - /* get the ruleset for found payload */ - status = get_payload_rule(this, current_payload_type, &payload_rule); - if (status != SUCCESS) - { - /* payload is not allowed */ - DBG1(DBG_ENC, "payload type %N not allowed", - payload_type_names, current_payload_type); - iterator->destroy(iterator); - return VERIFY_ERROR; - } - - /* check if the payload was encrypted, and if it should been have - * encrypted */ - if (payload_rule->encrypted != current_payload_was_encrypted) + rule = get_payload_rule(this, type); + if (!rule || rule->encrypted) { - /* payload was not encrypted, but should have been. - * or vice-versa */ - DBG1(DBG_ENC, "payload type %N should be %s!", - payload_type_names, current_payload_type, - (payload_rule->encrypted) ? "encrypted" : "not encrypted"); - iterator->destroy(iterator); - return VERIFY_ERROR; + DBG1(DBG_ENC, "payload type %N was not encrypted", + payload_type_names, type); + status = VERIFY_ERROR; + break; } } - /* advance to the next payload */ - payload_number++; - /* is stored to set next payload in case of found encryption payload */ - previous_payload = current_payload; + previous = payload; } - iterator->destroy(iterator); - return SUCCESS; + enumerator->destroy(enumerator); + return status; } /** - * Implementation of private_message_t.verify. + * Verify a message and all payload according to message/payload rules */ static status_t verify(private_message_t *this) { int i; - enumerator_t *enumerator; - payload_t *current_payload; - size_t total_found_payloads = 0; DBG2(DBG_ENC, "verifying message structure"); /* check for payloads with wrong count*/ - for (i = 0; i < this->message_rule->payload_rule_count; i++) + for (i = 0; i < this->rule->rule_count; i++) { - size_t found_payloads = 0; + enumerator_t *enumerator; + payload_t *payload; payload_rule_t *rule; + int found = 0; - rule = &this->message_rule->payload_rules[i]; + rule = &this->rule->rules[i]; enumerator = create_payload_enumerator(this); - - /* check all payloads for specific rule */ - while (enumerator->enumerate(enumerator, ¤t_payload)) + while (enumerator->enumerate(enumerator, &payload)) { - payload_type_t current_payload_type; - unknown_payload_t *unknown_payload; + payload_type_t type; + unknown_payload_t *unknown; - current_payload_type = current_payload->get_type(current_payload); - if (current_payload_type == UNKNOWN_PAYLOAD) + type = payload->get_type(payload); + if (type == UNKNOWN_PAYLOAD) { - /* unknown payloads are ignored, IF they are not critical */ - unknown_payload = (unknown_payload_t*)current_payload; - if (unknown_payload->is_critical(unknown_payload)) + /* unknown payloads are ignored if they are not critical */ + unknown = (unknown_payload_t*)payload; + if (unknown->is_critical(unknown)) { DBG1(DBG_ENC, "%N is not supported, but its critical!", - payload_type_names, current_payload_type); + payload_type_names, type); enumerator->destroy(enumerator); return NOT_SUPPORTED; } } - else if (current_payload_type == rule->payload_type) + else if (type == rule->type) { - found_payloads++; - total_found_payloads++; - DBG2(DBG_ENC, "found payload of type %N", payload_type_names, - rule->payload_type); - - /* as soon as ohe payload occures more then specified, - * the verification fails */ - if (found_payloads > - rule->max_occurence) + found++; + DBG2(DBG_ENC, "found payload of type %N", + payload_type_names, type); + if (found > rule->max_occurence) { DBG1(DBG_ENC, "payload of type %N more than %d times (%d) " "occured in current message", payload_type_names, - current_payload_type, rule->max_occurence, - found_payloads); + type, rule->max_occurence, found); enumerator->destroy(enumerator); return VERIFY_ERROR; } @@ -1575,11 +1323,10 @@ static status_t verify(private_message_t *this) } enumerator->destroy(enumerator); - if (found_payloads < rule->min_occurence) + if (found < rule->min_occurence) { DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)", - payload_type_names, rule->payload_type, rule->min_occurence, - found_payloads); + payload_type_names, rule->type, rule->min_occurence, found); return VERIFY_ERROR; } if (rule->sufficient) @@ -1590,72 +1337,60 @@ static status_t verify(private_message_t *this) return SUCCESS; } -/** - * Implementation of message_t.parse_body. - */ -static status_t parse_body(private_message_t *this, crypter_t *crypter, - signer_t *signer) +METHOD(message_t, parse_body, status_t, + private_message_t *this, aead_t *aead) { status_t status = SUCCESS; - payload_type_t current_payload_type; + payload_t *payload; + payload_type_t type; char str[256]; - current_payload_type = this->first_payload; + type = this->first_payload; DBG2(DBG_ENC, "parsing body of message, first payload is %N", - payload_type_names, current_payload_type); + payload_type_names, type); - /* parse payload for payload, while there are more available */ - while ((current_payload_type != NO_PAYLOAD)) + while (type != NO_PAYLOAD) { - payload_t *current_payload; - DBG2(DBG_ENC, "starting parsing a %N payload", - payload_type_names, current_payload_type); + payload_type_names, type); - /* parse current payload */ - status = this->parser->parse_payload(this->parser, current_payload_type, - (payload_t**)¤t_payload); + status = this->parser->parse_payload(this->parser, type, &payload); if (status != SUCCESS) { DBG1(DBG_ENC, "payload type %N could not be parsed", - payload_type_names, current_payload_type); + payload_type_names, type); return PARSE_ERROR; } - DBG2(DBG_ENC, "verifying payload of type %N", - payload_type_names, current_payload_type); - - /* verify it, stop parsig if its invalid */ - status = current_payload->verify(current_payload); + DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type); + status = payload->verify(payload); if (status != SUCCESS) { DBG1(DBG_ENC, "%N payload verification failed", - payload_type_names, current_payload_type); - current_payload->destroy(current_payload); + payload_type_names, type); + payload->destroy(payload); return VERIFY_ERROR; } DBG2(DBG_ENC, "%N payload verified. Adding to payload list", - payload_type_names, current_payload_type); - this->payloads->insert_last(this->payloads,current_payload); + payload_type_names, type); + this->payloads->insert_last(this->payloads, payload); /* an encryption payload is the last one, so STOP here. decryption is * done later */ - if (current_payload_type == ENCRYPTED) + if (type == ENCRYPTED) { DBG2(DBG_ENC, "%N payload found. Stop parsing", - payload_type_names, current_payload_type); + payload_type_names, type); break; } - - /* get next payload type */ - current_payload_type = current_payload->get_next_type(current_payload); + type = payload->get_next_type(payload); } - if (current_payload_type == ENCRYPTED) + if (type == ENCRYPTED) { - status = decrypt_payloads(this,crypter,signer); + status = decrypt_payloads(this, aead); if (status != SUCCESS) { DBG1(DBG_ENC, "could not decrypt payloads"); @@ -1674,10 +1409,8 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, return SUCCESS; } -/** - * Implementation of message_t.destroy. - */ -static void destroy (private_message_t *this) +METHOD(message_t, destroy, void, + private_message_t *this) { DESTROY_IF(this->ike_sa_id); this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy)); @@ -1691,58 +1424,48 @@ static void destroy (private_message_t *this) */ message_t *message_create_from_packet(packet_t *packet) { - private_message_t *this = malloc_thing(private_message_t); - - /* public functions */ - this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version; - this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version; - this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version; - this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version; - this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id; - this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id; - this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi; - this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi; - this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id; - this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id; - this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type; - this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type; - this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type; - this->public.set_request = (void(*)(message_t*, bool))set_request; - this->public.get_request = (bool(*)(message_t*))get_request; - this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload; - this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify; - this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate; - this->public.set_source = (void (*) (message_t*,host_t*)) set_source; - this->public.get_source = (host_t * (*) (message_t*)) get_source; - this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination; - this->public.get_destination = (host_t * (*) (message_t*)) get_destination; - this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator; - this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload; - this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify; - this->public.parse_header = (status_t (*) (message_t *)) parse_header; - this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body; - this->public.get_packet = (packet_t * (*) (message_t*)) get_packet; - this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data; - this->public.destroy = (void(*)(message_t*))destroy; - - /* private values */ - this->exchange_type = EXCHANGE_TYPE_UNDEFINED; - this->is_request = TRUE; - this->ike_sa_id = NULL; - this->first_payload = NO_PAYLOAD; - this->message_id = 0; - - /* private values */ - if (packet == NULL) - { - packet = packet_create(); - } - this->message_rule = NULL; - this->packet = packet; - this->payloads = linked_list_create(); - - /* parser is created from data of packet */ - this->parser = parser_create(this->packet->get_data(this->packet)); + private_message_t *this; + + INIT(this, + .public = { + .set_major_version = _set_major_version, + .get_major_version = _get_major_version, + .set_minor_version = _set_minor_version, + .get_minor_version = _get_minor_version, + .set_message_id = _set_message_id, + .get_message_id = _get_message_id, + .get_initiator_spi = _get_initiator_spi, + .get_responder_spi = _get_responder_spi, + .set_ike_sa_id = _set_ike_sa_id, + .get_ike_sa_id = _get_ike_sa_id, + .set_exchange_type = _set_exchange_type, + .get_exchange_type = _get_exchange_type, + .get_first_payload_type = _get_first_payload_type, + .set_request = _set_request, + .get_request = _get_request, + .add_payload = _add_payload, + .add_notify = _add_notify, + .generate = _generate, + .set_source = _set_source, + .get_source = _get_source, + .set_destination = _set_destination, + .get_destination = _get_destination, + .create_payload_enumerator = _create_payload_enumerator, + .get_payload = _get_payload, + .get_notify = _get_notify, + .parse_header = _parse_header, + .parse_body = _parse_body, + .get_packet = _get_packet, + .get_packet_data = _get_packet_data, + .destroy = _destroy, + }, + .exchange_type = EXCHANGE_TYPE_UNDEFINED, + .is_request = TRUE, + .first_payload = NO_PAYLOAD, + .packet = packet, + .payloads = linked_list_create(), + .parser = parser_create(packet->get_data(packet)), + ); return (&this->public); } @@ -1752,6 +1475,6 @@ message_t *message_create_from_packet(packet_t *packet) */ message_t *message_create() { - return message_create_from_packet(NULL); + return message_create_from_packet(packet_create()); } diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h index 2c7718f49..8c1cbcd09 100644 --- a/src/libcharon/encoding/message.h +++ b/src/libcharon/encoding/message.h @@ -32,8 +32,7 @@ typedef struct message_t message_t; #include <encoding/payloads/ike_header.h> #include <encoding/payloads/notify_payload.h> #include <utils/linked_list.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> +#include <crypto/aead.h> /** * This class is used to represent an IKEv2-Message. @@ -201,14 +200,10 @@ struct message_t { * The body gets not only parsed, but rather it gets verified. * All payloads are verified if they are allowed to exist in the message * of this type and if their own structure is ok. - * If there are encrypted payloads, they get decrypted via the supplied - * crypter. Also the message integrity gets verified with the supplied - * signer. - * Crypter/signer can be omitted (by passing NULL) when no encryption - * payload is expected. - * - * @param crypter crypter to decrypt encryption payloads - * @param signer signer to verifiy a message with an encryption payload + * If there are encrypted payloads, they get decrypted and verified using + * the given aead transform (if given). + * + * @param aead aead transform to verify/decrypt message * @return * - SUCCESS if parsing successful * - NOT_SUPPORTED if ciritcal unknown payloads found @@ -216,32 +211,28 @@ struct message_t { * - PARSE_ERROR if message parsing failed * - VERIFY_ERROR if message verification failed (bad syntax) * - FAILED if integrity check failed - * - INVALID_STATE if crypter/signer not supplied, but needed + * - INVALID_STATE if aead not supplied, but needed */ - status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer); + status_t (*parse_body) (message_t *this, aead_t *aead); /** * Generates the UDP packet of specific message. * * Payloads which must be encrypted are generated first and added to - * an encryption payload. This encryption payload will get encrypted via - * the supplied crypter. Then all other payloads and the header get generated. - * After that, the checksum is added to the encryption payload over the full - * message. - * Crypter/signer can be omitted (by passing NULL) when no encryption - * payload is expected. - * Generation is only done once, multiple calls will just return a packet copy. - * - * @param crypter crypter to use when a payload must be encrypted - * @param signer signer to build a mac + * an encryption payload. This encryption payload will get encrypted and + * signed via the supplied aead transform (if given). + * Generation is only done once, multiple calls will just return a copy + * of the packet. + * + * @param aead aead transform to encrypt/sign message * @param packet copy of generated packet * @return * - SUCCESS if packet could be generated * - INVALID_STATE if exchange type is currently not set * - NOT_FOUND if no rules found for message generation - * - INVALID_STATE if crypter/signer not supplied but needed. + * - INVALID_STATE if aead not supplied but needed. */ - status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet); + status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet); /** * Gets the source host informations. @@ -331,13 +322,8 @@ struct message_t { /** * Creates an message_t object from a incoming UDP Packet. * - * @warning the given packet_t object is not copied and gets - * destroyed in message_t's destroy call. - * - * - exchange_type is set to NOT_SET - * - original_initiator is set to TRUE - * - is_request is set to TRUE - * Call message_t.parse_header afterwards. + * The given packet gets owned by the message. The message is uninitialized, + * call parse_header() to populate header fields. * * @param packet packet_t object which is assigned to message * @return message_t object diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index 97b4743b2..5fc3b7c88 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -65,11 +66,6 @@ struct private_delete_payload_t { * The contained SPI's. */ chunk_t spis; - - /** - * List containing u_int32_t spis - */ - linked_list_t *spi_list; }; /** @@ -77,7 +73,6 @@ struct private_delete_payload_t { * * The defined offsets are the positions in a object of type * private_delete_payload_t. - * */ encoding_rule_t delete_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -85,20 +80,20 @@ encoding_rule_t delete_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_delete_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length) }, { U_INT_8, offsetof(private_delete_payload_t, protocol_id) }, { U_INT_8, offsetof(private_delete_payload_t, spi_size) }, { U_INT_16, offsetof(private_delete_payload_t, spi_count) }, /* some delete data bytes, length is defined in PAYLOAD_LENGTH */ - { SPIS, offsetof(private_delete_payload_t, spis) } + { SPIS, offsetof(private_delete_payload_t, spis) } }; /* @@ -115,10 +110,8 @@ encoding_rule_t delete_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_delete_payload_t *this) +METHOD(payload_t, verify, status_t, + private_delete_payload_t *this) { switch (this->protocol_id) { @@ -147,112 +140,104 @@ static status_t verify(private_delete_payload_t *this) return SUCCESS; } -/** - * Implementation of delete_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = delete_payload_encodings; - *rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(delete_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_delete_payload_t *this) +METHOD(payload_t, get_payload_type, payload_type_t, + private_delete_payload_t *this) { return DELETE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_delete_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_delete_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_delete_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_delete_payload_t *this,payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_delete_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_delete_payload_t *this) { return this->payload_length; } -/** - * Implementation of delete_payload_t.get_protocol_id. - */ -static protocol_id_t get_protocol_id (private_delete_payload_t *this) +METHOD(delete_payload_t, get_protocol_id, protocol_id_t, + private_delete_payload_t *this) { - return (this->protocol_id); + return this->protocol_id; } -/** - * Implementation of delete_payload_t.add_spi. - */ -static void add_spi(private_delete_payload_t *this, u_int32_t spi) +METHOD(delete_payload_t, add_spi, void, + private_delete_payload_t *this, u_int32_t spi) { - /* only add SPIs if AH|ESP, ignore others */ - if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP) + switch (this->protocol_id) { - this->spi_count += 1; - this->spis.len += this->spi_size; - this->spis.ptr = realloc(this->spis.ptr, this->spis.len); - *(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi; - if (this->spi_list) - { - /* reset SPI iterator list */ - this->spi_list->destroy(this->spi_list); - this->spi_list = NULL; - } + case PROTO_AH: + case PROTO_ESP: + this->spi_count++; + this->payload_length += sizeof(spi); + this->spis = chunk_cat("mc", this->spis, chunk_from_thing(spi)); + break; + default: + break; } } /** - * Implementation of delete_payload_t.create_spi_iterator. + * SPI enumerator implementation */ -static iterator_t* create_spi_iterator(private_delete_payload_t *this) -{ - int i; +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** remaining SPIs */ + chunk_t spis; +} spi_enumerator_t; - if (this->spi_list == NULL) +METHOD(enumerator_t, spis_enumerate, bool, + spi_enumerator_t *this, u_int32_t *spi) +{ + if (this->spis.len >= sizeof(*spi)) { - this->spi_list = linked_list_create(); - /* only parse SPIs if AH|ESP */ - if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP) - { - for (i = 0; i < this->spi_count; i++) - { - this->spi_list->insert_last(this->spi_list, this->spis.ptr + i * - this->spi_size); - } - } + memcpy(spi, this->spis.ptr, sizeof(*spi)); + this->spis = chunk_skip(this->spis, sizeof(*spi)); + return TRUE; } - return this->spi_list->create_iterator(this->spi_list, TRUE); + return FALSE; } -/** - * Implementation of payload_t.destroy and delete_payload_t.destroy. - */ -static void destroy(private_delete_payload_t *this) +METHOD(delete_payload_t, create_spi_enumerator, enumerator_t*, + private_delete_payload_t *this) { - if (this->spis.ptr != NULL) - { - chunk_free(&this->spis); - } - if (this->spi_list) + spi_enumerator_t *e; + + if (this->spi_size != sizeof(u_int32_t)) { - this->spi_list->destroy(this->spi_list); + return enumerator_create_empty(); } + INIT(e, + .public = { + .enumerate = (void*)_spis_enumerate, + .destroy = (void*)free, + }, + .spis = this->spis, + ); + return &e->public; +} + +METHOD2(payload_t, delete_payload_t, destroy, void, + private_delete_payload_t *this) +{ + free(this->spis.ptr); free(this); } @@ -261,32 +246,28 @@ static void destroy(private_delete_payload_t *this) */ delete_payload_t *delete_payload_create(protocol_id_t protocol_id) { - private_delete_payload_t *this = malloc_thing(private_delete_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (delete_payload_t *)) destroy; - this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id; - this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi; - this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH; - this->protocol_id = protocol_id; - this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0; - this->spi_count = 0; - this->spis = chunk_empty; - this->spi_list = NULL; + private_delete_payload_t *this; - return (&this->public); + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_payload_type, + .destroy = _destroy, + }, + .get_protocol_id = _get_protocol_id, + .add_spi = _add_spi, + .create_spi_enumerator = _create_spi_enumerator, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = DELETE_PAYLOAD_HEADER_LENGTH, + .protocol_id = protocol_id, + .spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0, + ); + return &this->public; } diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h index 3b62c1af1..026829f97 100644 --- a/src/libcharon/encoding/payloads/delete_payload.h +++ b/src/libcharon/encoding/payloads/delete_payload.h @@ -39,6 +39,7 @@ typedef struct delete_payload_t delete_payload_t; * The DELETE payload format is described in RFC section 3.11. */ struct delete_payload_t { + /** * The payload_t interface. */ @@ -59,13 +60,11 @@ struct delete_payload_t { void (*add_spi) (delete_payload_t *this, u_int32_t spi); /** - * Get an iterator over the SPIs. - * - * The iterate() function returns a pointer to a u_int32_t SPI. + * Get an enumerator over the SPIs in network order. * - * @return iterator over SPIs + * @return enumerator over SPIs, u_int32_t */ - iterator_t *(*create_spi_iterator) (delete_payload_t *this); + enumerator_t *(*create_spi_enumerator) (delete_payload_t *this); /** * Destroys an delete_payload_t object. diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c index 2adbb88b9..3b23ea9fb 100644 --- a/src/libcharon/encoding/payloads/encryption_payload.c +++ b/src/libcharon/encoding/payloads/encryption_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -24,9 +25,6 @@ #include <utils/linked_list.h> #include <encoding/generator.h> #include <encoding/parser.h> -#include <utils/iterator.h> -#include <crypto/signers/signer.h> - typedef struct private_encryption_payload_t private_encryption_payload_t; @@ -50,9 +48,9 @@ struct private_encryption_payload_t { u_int8_t next_payload; /** - * Critical flag. + * Flags, including reserved bits */ - bool critical; + u_int8_t flags; /** * Length of this payload @@ -60,28 +58,17 @@ struct private_encryption_payload_t { u_int16_t payload_length; /** - * Chunk containing the iv, data, padding, - * and (an eventually not calculated) signature. + * Chunk containing the IV, plain, padding and ICV. */ chunk_t encrypted; /** - * Chunk containing the data in decrypted (unpadded) form. - */ - chunk_t decrypted; - - /** - * Signer set by set_signer. + * AEAD transform to use */ - signer_t *signer; + aead_t *aead; /** - * Crypter, supplied by encrypt/decrypt - */ - crypter_t *crypter; - - /** - * Contained payloads of this encrpytion_payload. + * Contained payloads */ linked_list_t *payloads; }; @@ -91,25 +78,16 @@ struct private_encryption_payload_t { * * The defined offsets are the positions in a object of type * private_encryption_payload_t. - * */ encoding_rule_t encryption_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_encryption_payload_t, next_payload) }, - /* the critical bit */ - { FLAG, offsetof(private_encryption_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + /* Critical and 7 reserved bits, all stored for reconstruction */ + { U_INT_8, offsetof(private_encryption_payload_t, flags) }, /* Length of the whole encryption payload*/ { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) }, /* encrypted data, stored in a chunk. contains iv, data, padding */ - { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) }, + { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) }, }; /* @@ -131,108 +109,90 @@ encoding_rule_t encryption_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_encryption_payload_t *this) +METHOD(payload_t, verify, status_t, + private_encryption_payload_t *this) { return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_encryption_payload_t *this, encoding_rule_t **rules, + size_t *count) { *rules = encryption_payload_encodings; - *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t); + *count = countof(encryption_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_encryption_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_encryption_payload_t *this) { return ENCRYPTED; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_encryption_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_encryption_payload_t *this) { - /* returns first contained payload here */ - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_encryption_payload_t *this, payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_encryption_payload_t *this, payload_type_t type) { - /* set next type is not allowed, since this payload MUST be the last one - * and so nothing is done in here*/ + /* the next payload is set during add */ } /** - * (re-)compute the lenght of the whole payload + * Compute the lenght of the whole payload */ static void compute_length(private_encryption_payload_t *this) { - iterator_t *iterator; - payload_t *current_payload; - size_t block_size, length = 0; - iterator = this->payloads->create_iterator(this->payloads, TRUE); + enumerator_t *enumerator; + payload_t *payload; + size_t bs, length = 0; - /* count payload length */ - while (iterator->iterate(iterator, (void **) ¤t_payload)) + if (this->encrypted.len) { - length += current_payload->get_length(current_payload); + length = this->encrypted.len; } - iterator->destroy(iterator); - - if (this->crypter && this->signer) + else { - /* append one byte for padding length */ - length++; - /* append padding */ - block_size = this->crypter->get_block_size(this->crypter); - length += block_size - length % block_size; - /* add iv */ - length += block_size; - /* add signature */ - length += this->signer->get_block_size(this->signer); + enumerator = this->payloads->create_enumerator(this->payloads); + while (enumerator->enumerate(enumerator, &payload)) + { + length += payload->get_length(payload); + } + enumerator->destroy(enumerator); + + if (this->aead) + { + /* append padding */ + bs = this->aead->get_block_size(this->aead); + length += bs - (length % bs); + /* add iv */ + length += this->aead->get_iv_size(this->aead); + /* add icv */ + length += this->aead->get_icv_size(this->aead); + } } length += ENCRYPTION_PAYLOAD_HEADER_LENGTH; this->payload_length = length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_encryption_payload_t *this) +METHOD2(payload_t, encryption_payload_t, get_length, size_t, + private_encryption_payload_t *this) { compute_length(this); return this->payload_length; } -/** - * Implementation of payload_t.create_payload_iterator. - */ -static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward) -{ - return (this->payloads->create_iterator(this->payloads, forward)); -} - -/** - * Implementation of payload_t.add_payload. - */ -static void add_payload(private_encryption_payload_t *this, payload_t *payload) +METHOD(encryption_payload_t, add_payload, void, + private_encryption_payload_t *this, payload_t *payload) { payload_t *last_payload; + if (this->payloads->get_count(this->payloads) > 0) { - this->payloads->get_last(this->payloads,(void **) &last_payload); + this->payloads->get_last(this->payloads, (void **)&last_payload); last_payload->set_next_type(last_payload, payload->get_type(payload)); } else @@ -240,339 +200,255 @@ static void add_payload(private_encryption_payload_t *this, payload_t *payload) this->next_payload = payload->get_type(payload); } payload->set_next_type(payload, NO_PAYLOAD); - this->payloads->insert_last(this->payloads, (void*)payload); + this->payloads->insert_last(this->payloads, payload); compute_length(this); } -/** - * Implementation of encryption_payload_t.remove_first_payload. - */ -static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload) +METHOD(encryption_payload_t, remove_payload, payload_t *, + private_encryption_payload_t *this) { - return this->payloads->remove_first(this->payloads, (void**)payload); -} + payload_t *payload; -/** - * Implementation of encryption_payload_t.get_payload_count. - */ -static size_t get_payload_count(private_encryption_payload_t *this) -{ - return this->payloads->get_count(this->payloads); + if (this->payloads->remove_first(this->payloads, + (void**)&payload) == SUCCESS) + { + return payload; + } + return NULL; } /** - * Generate payload before encryption. + * Generate payload before encryption */ -static void generate(private_encryption_payload_t *this) +static chunk_t generate(private_encryption_payload_t *this, + generator_t *generator) { - payload_t *current_payload, *next_payload; - generator_t *generator; - iterator_t *iterator; - - /* recalculate length before generating */ - compute_length(this); + payload_t *current, *next; + enumerator_t *enumerator; + u_int32_t *lenpos; + chunk_t chunk = chunk_empty; - /* create iterator */ - iterator = this->payloads->create_iterator(this->payloads, TRUE); - - /* get first payload */ - if (iterator->iterate(iterator, (void**)¤t_payload)) - { - this->next_payload = current_payload->get_type(current_payload); - } - else + enumerator = this->payloads->create_enumerator(this->payloads); + if (enumerator->enumerate(enumerator, ¤t)) { - /* no paylads? */ - DBG2(DBG_ENC, "generating contained payloads, but none available"); - free(this->decrypted.ptr); - this->decrypted = chunk_empty; - iterator->destroy(iterator); - return; - } + this->next_payload = current->get_type(current); - generator = generator_create(); + while (enumerator->enumerate(enumerator, &next)) + { + current->set_next_type(current, next->get_type(next)); + generator->generate_payload(generator, current); + current = next; + } + current->set_next_type(current, NO_PAYLOAD); + generator->generate_payload(generator, current); - /* build all payload, except last */ - while(iterator->iterate(iterator, (void**)&next_payload)) - { - current_payload->set_next_type(current_payload, next_payload->get_type(next_payload)); - generator->generate_payload(generator, current_payload); - current_payload = next_payload; + chunk = generator->get_chunk(generator, &lenpos); + DBG2(DBG_ENC, "generated content in encryption payload"); } - iterator->destroy(iterator); - - /* build last payload */ - current_payload->set_next_type(current_payload, NO_PAYLOAD); - generator->generate_payload(generator, current_payload); - - /* free already generated data */ - free(this->decrypted.ptr); - - generator->write_to_chunk(generator, &(this->decrypted)); - generator->destroy(generator); - DBG2(DBG_ENC, "successfully generated content in encryption payload"); + enumerator->destroy(enumerator); + return chunk; } /** - * Implementation of encryption_payload_t.encrypt. + * Append the encryption payload header to the associated data */ -static status_t encrypt(private_encryption_payload_t *this) +static chunk_t append_header(private_encryption_payload_t *this, chunk_t assoc) { - chunk_t iv, padding, to_crypt, result; + struct { + u_int8_t next_payload; + u_int8_t flags; + u_int16_t length; + } __attribute__((packed)) header = { + .next_payload = this->next_payload, + .flags = this->flags, + .length = htons(get_length(this)), + }; + return chunk_cat("cc", assoc, chunk_from_thing(header)); +} + +METHOD(encryption_payload_t, encrypt, bool, + private_encryption_payload_t *this, chunk_t assoc) +{ + chunk_t iv, plain, padding, icv, crypt; + generator_t *generator; rng_t *rng; - size_t block_size; + size_t bs; - if (this->signer == NULL || this->crypter == NULL) + if (this->aead == NULL) { - DBG1(DBG_ENC, "could not encrypt, signer/crypter not set"); - return INVALID_STATE; + DBG1(DBG_ENC, "encrypting encryption payload failed, transform missing"); + return FALSE; } - /* for random data in iv and padding */ rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); if (!rng) { - DBG1(DBG_ENC, "could not encrypt, no RNG found"); - return FAILED; + DBG1(DBG_ENC, "encrypting encryption payload failed, no RNG found"); + return FALSE; } - /* build payload chunk */ - generate(this); - DBG2(DBG_ENC, "encrypting payloads"); - DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted); + assoc = append_header(this, assoc); - /* build padding */ - block_size = this->crypter->get_block_size(this->crypter); - padding.len = block_size - ((this->decrypted.len + 1) % block_size); - rng->allocate_bytes(rng, padding.len, &padding); - - /* concatenate payload data, padding, padding len */ - to_crypt.len = this->decrypted.len + padding.len + 1; - to_crypt.ptr = malloc(to_crypt.len); - - memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len); - memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len); - *(to_crypt.ptr + to_crypt.len - 1) = padding.len; + generator = generator_create(); + plain = generate(this, generator); + bs = this->aead->get_block_size(this->aead); + /* we need at least one byte padding to store the padding length */ + padding.len = bs - (plain.len % bs); + iv.len = this->aead->get_iv_size(this->aead); + icv.len = this->aead->get_icv_size(this->aead); + + /* prepare data to authenticate-encrypt: + * | IV | plain | padding | ICV | + * \____crypt______/ ^ + * | / + * v / + * assoc -> + ------->/ + */ + free(this->encrypted.ptr); + this->encrypted = chunk_alloc(iv.len + plain.len + padding.len + icv.len); + iv.ptr = this->encrypted.ptr; + memcpy(iv.ptr + iv.len, plain.ptr, plain.len); + plain.ptr = iv.ptr + iv.len; + padding.ptr = plain.ptr + plain.len; + icv.ptr = padding.ptr + padding.len; + crypt = chunk_create(plain.ptr, plain.len + padding.len); + generator->destroy(generator); - /* build iv */ - iv.len = block_size; - rng->allocate_bytes(rng, iv.len, &iv); + rng->get_bytes(rng, iv.len, iv.ptr); + rng->get_bytes(rng, padding.len - 1, padding.ptr); + padding.ptr[padding.len - 1] = padding.len - 1; rng->destroy(rng); - DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt); + DBG3(DBG_ENC, "encryption payload encryption:"); + DBG3(DBG_ENC, "IV %B", &iv); + DBG3(DBG_ENC, "plain %B", &plain); + DBG3(DBG_ENC, "padding %B", &padding); + DBG3(DBG_ENC, "assoc %B", &assoc); - /* encrypt to_crypt chunk */ - free(this->encrypted.ptr); - this->crypter->encrypt(this->crypter, to_crypt, iv, &result); - free(padding.ptr); - free(to_crypt.ptr); - - DBG3(DBG_ENC, "data after encryption %B", &result); - - /* build encrypted result with iv and signature */ - this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer); - free(this->encrypted.ptr); - this->encrypted.ptr = malloc(this->encrypted.len); + this->aead->encrypt(this->aead, crypt, assoc, iv, NULL); - /* fill in result, signature is left out */ - memcpy(this->encrypted.ptr, iv.ptr, iv.len); - memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len); + DBG3(DBG_ENC, "encrypted %B", &crypt); + DBG3(DBG_ENC, "ICV %B", &icv); - free(result.ptr); - free(iv.ptr); - DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B", - &this->encrypted); + free(assoc.ptr); - return SUCCESS; + return TRUE; } /** * Parse the payloads after decryption. */ -static status_t parse(private_encryption_payload_t *this) +static status_t parse(private_encryption_payload_t *this, chunk_t plain) { parser_t *parser; - status_t status; - payload_type_t current_payload_type; - - /* build a parser on the decrypted data */ - parser = parser_create(this->decrypted); + payload_type_t type; - current_payload_type = this->next_payload; - /* parse all payloads */ - while (current_payload_type != NO_PAYLOAD) + parser = parser_create(plain); + type = this->next_payload; + while (type != NO_PAYLOAD) { - payload_t *current_payload; + payload_t *payload; - status = parser->parse_payload(parser, current_payload_type, (payload_t**)¤t_payload); - if (status != SUCCESS) + if (parser->parse_payload(parser, type, &payload) != SUCCESS) { parser->destroy(parser); return PARSE_ERROR; } - - status = current_payload->verify(current_payload); - if (status != SUCCESS) + if (payload->verify(payload) != SUCCESS) { DBG1(DBG_ENC, "%N verification failed", - payload_type_names, current_payload->get_type(current_payload)); - current_payload->destroy(current_payload); + payload_type_names, payload->get_type(payload)); + payload->destroy(payload); parser->destroy(parser); return VERIFY_ERROR; } - - /* get next payload type */ - current_payload_type = current_payload->get_next_type(current_payload); - - this->payloads->insert_last(this->payloads,current_payload); + type = payload->get_next_type(payload); + this->payloads->insert_last(this->payloads, payload); } parser->destroy(parser); - DBG2(DBG_ENC, "succesfully parsed content of encryption payload"); + DBG2(DBG_ENC, "parsed content of encryption payload"); return SUCCESS; } -/** - * Implementation of encryption_payload_t.encrypt. - */ -static status_t decrypt(private_encryption_payload_t *this) +METHOD(encryption_payload_t, decrypt, status_t, + private_encryption_payload_t *this, chunk_t assoc) { - chunk_t iv, concatenated; - u_int8_t padding_length; - - DBG2(DBG_ENC, "decrypting encryption payload"); - DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B", - &this->encrypted); + chunk_t iv, plain, padding, icv, crypt; + size_t bs; - if (this->signer == NULL || this->crypter == NULL) + if (this->aead == NULL) { - DBG1(DBG_ENC, "could not decrypt, no crypter/signer set"); + DBG1(DBG_ENC, "decrypting encryption payload failed, transform missing"); return INVALID_STATE; } - /* get IV */ - iv.len = this->crypter->get_block_size(this->crypter); + /* prepare data to authenticate-decrypt: + * | IV | plain | padding | ICV | + * \____crypt______/ ^ + * | / + * v / + * assoc -> + ------->/ + */ + bs = this->aead->get_block_size(this->aead); + iv.len = this->aead->get_iv_size(this->aead); iv.ptr = this->encrypted.ptr; + icv.len = this->aead->get_icv_size(this->aead); + icv.ptr = this->encrypted.ptr + this->encrypted.len - icv.len; + crypt.ptr = iv.ptr + iv.len; + crypt.len = this->encrypted.len - iv.len; - /* point concatenated to data + padding + padding_length*/ - concatenated.ptr = this->encrypted.ptr + iv.len; - concatenated.len = this->encrypted.len - iv.len - - this->signer->get_block_size(this->signer); - - /* concatenated must be a multiple of block_size of crypter */ - if (concatenated.len < iv.len || concatenated.len % iv.len) + if (iv.len + icv.len > this->encrypted.len || + (crypt.len - icv.len) % bs) { - DBG1(DBG_ENC, "could not decrypt, invalid input"); + DBG1(DBG_ENC, "decrypting encryption payload failed, invalid length"); return FAILED; } - /* free previus data, if any */ - free(this->decrypted.ptr); - - DBG3(DBG_ENC, "data before decryption %B", &concatenated); - - this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted); + assoc = append_header(this, assoc); - DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted); + DBG3(DBG_ENC, "encryption payload decryption:"); + DBG3(DBG_ENC, "IV %B", &iv); + DBG3(DBG_ENC, "encrypted %B", &crypt); + DBG3(DBG_ENC, "ICV %B", &icv); + DBG3(DBG_ENC, "assoc %B", &assoc); - /* get padding length, sits just bevore signature */ - padding_length = *(this->decrypted.ptr + this->decrypted.len - 1); - /* add one byte to the padding length, since the padding_length field is - * not included */ - padding_length++; - - /* check size again */ - if (padding_length > concatenated.len || padding_length > this->decrypted.len) + if (!this->aead->decrypt(this->aead, crypt, assoc, iv, NULL)) { - DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?"); - /* decryption failed :-/ */ + DBG1(DBG_ENC, "verifying encryption payload integrity failed"); + free(assoc.ptr); return FAILED; } - this->decrypted.len -= padding_length; - - /* free padding */ - this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len); - DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted); - DBG2(DBG_ENC, "decryption successful, trying to parse content"); - return parse(this); -} + free(assoc.ptr); -/** - * Implementation of encryption_payload_t.set_transforms. - */ -static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer) -{ - this->signer = signer; - this->crypter = crypter; -} - -/** - * Implementation of encryption_payload_t.build_signature. - */ -static status_t build_signature(private_encryption_payload_t *this, chunk_t data) -{ - chunk_t data_without_sig = data; - chunk_t sig; - - if (this->signer == NULL) + plain = chunk_create(crypt.ptr, crypt.len - icv.len); + padding.len = plain.ptr[plain.len - 1] + 1; + if (padding.len > plain.len) { - DBG1(DBG_ENC, "unable to build signature, no signer set"); - return INVALID_STATE; + DBG1(DBG_ENC, "decrypting encryption payload failed, " + "padding invalid %B", &crypt); + return PARSE_ERROR; } + plain.len -= padding.len; + padding.ptr = plain.ptr + plain.len; - sig.len = this->signer->get_block_size(this->signer); - data_without_sig.len -= sig.len; - sig.ptr = data.ptr + data_without_sig.len; - DBG2(DBG_ENC, "building signature"); - this->signer->get_signature(this->signer, data_without_sig, sig.ptr); - return SUCCESS; + DBG3(DBG_ENC, "plain %B", &plain); + DBG3(DBG_ENC, "padding %B", &padding); + + return parse(this, plain); } -/** - * Implementation of encryption_payload_t.verify_signature. - */ -static status_t verify_signature(private_encryption_payload_t *this, chunk_t data) +METHOD(encryption_payload_t, set_transform, void, + private_encryption_payload_t *this, aead_t* aead) { - chunk_t sig, data_without_sig; - bool valid; - - if (this->signer == NULL) - { - DBG1(DBG_ENC, "unable to verify signature, no signer set"); - return INVALID_STATE; - } - /* find signature in data chunk */ - sig.len = this->signer->get_block_size(this->signer); - if (data.len <= sig.len) - { - DBG1(DBG_ENC, "unable to verify signature, invalid input"); - return FAILED; - } - sig.ptr = data.ptr + data.len - sig.len; - - /* verify it */ - data_without_sig.len = data.len - sig.len; - data_without_sig.ptr = data.ptr; - valid = this->signer->verify_signature(this->signer, data_without_sig, sig); - - if (!valid) - { - DBG1(DBG_ENC, "signature verification failed"); - return FAILED; - } - - DBG2(DBG_ENC, "signature verification successful"); - return SUCCESS; + this->aead = aead; } -/** - * Implementation of payload_t.destroy. - */ -static void destroy(private_encryption_payload_t *this) +METHOD2(payload_t, encryption_payload_t, destroy, void, + private_encryption_payload_t *this) { this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy)); free(this->encrypted.ptr); - free(this->decrypted.ptr); free(this); } @@ -581,39 +457,31 @@ static void destroy(private_encryption_payload_t *this) */ encryption_payload_t *encryption_payload_create() { - private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t); - - /* payload_t interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator; - this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload; - this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload; - this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count; - - this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt; - this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt; - this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms; - this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature; - this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature; - this->public.destroy = (void (*) (encryption_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH; - this->encrypted = chunk_empty; - this->decrypted = chunk_empty; - this->signer = NULL; - this->crypter = NULL; - this->payloads = linked_list_create(); - - return (&(this->public)); + private_encryption_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_length = _get_length, + .add_payload = _add_payload, + .remove_payload = _remove_payload, + .set_transform = _set_transform, + .encrypt = _encrypt, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH, + .payloads = linked_list_create(), + ); + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h index ac5326b87..e99c42fb7 100644 --- a/src/libcharon/encoding/payloads/encryption_payload.h +++ b/src/libcharon/encoding/payloads/encryption_payload.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -25,45 +26,30 @@ typedef struct encryption_payload_t encryption_payload_t; #include <library.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> +#include <crypto/aead.h> #include <encoding/payloads/payload.h> -#include <utils/linked_list.h> /** * Encrpytion payload length in bytes without IV and following data. */ #define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4 - /** * The encryption payload as described in RFC section 3.14. - * - * Before any crypt/decrypt/sign/verify operation can occur, - * the transforms must be set. After that, a parsed encryption payload - * can be decrypted, which also will parse the contained payloads. - * Encryption is done the same way, added payloads will get generated - * and then encrypted. - * For signature building, there is the FULL packet needed. Meaning it - * must be builded after generation of all payloads and the encryption - * of the encryption payload. - * Signature verificatin is done before decryption. */ struct encryption_payload_t { + /** * Implements payload_t interface. */ payload_t payload_interface; /** - * Creates an iterator for all contained payloads. + * Get the payload length. * - * iterator_t object has to get destroyed by the caller. - * - * @param forward iterator direction (TRUE: front to end) - * return created iterator_t object + * @return (expected) payload length */ - iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward); + size_t (*get_length)(encryption_payload_t *this); /** * Adds a payload to this encryption payload. @@ -73,89 +59,39 @@ struct encryption_payload_t { void (*add_payload) (encryption_payload_t *this, payload_t *payload); /** - * Reove the last payload in the contained payload list. + * Remove the first payload in the list * * @param payload removed payload - * @return - * - SUCCESS, or - * - NOT_FOUND if list empty - */ - status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload); - - /** - * Get the number of payloads. - * - * @return number of contained payloads + * @return payload, NULL if none left */ - size_t (*get_payload_count) (encryption_payload_t *this); + payload_t* (*remove_payload)(encryption_payload_t *this); /** - * Set transforms to use. - * - * To decryption, encryption, signature building and verifying, - * the payload needs a crypter and a signer object. + * Set the AEAD transform to use. * - * @warning Do NOT call this function again after encryption, since - * the signer must be the same while encrypting and signature building! - * - * @param crypter crypter_t to use for data de-/encryption - * @param signer signer_t to use for data signing/verifying + * @param aead aead transform to use */ - void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer); + void (*set_transform) (encryption_payload_t *this, aead_t *aead); /** - * Generate and encrypt contained payloads. - * - * This function generates the content for added payloads - * and encrypts them. Signature is not built, since we need - * additional data (the full message). + * Generate, encrypt and sign contained payloads. * - * @return SUCCESS, or INVALID_STATE if transforms not set + * @param assoc associated data + * @return TRUE if encrypted */ - status_t (*encrypt) (encryption_payload_t *this); + bool (*encrypt) (encryption_payload_t *this, chunk_t assoc); /** - * Decrypt and parse contained payloads. - * - * This function decrypts the contained data. After, - * the payloads are parsed internally and are accessible - * via the iterator. - * - * @return - * - SUCCESS, or - * - INVALID_STATE if transforms not set, or - * - FAILED if data is invalid - */ - status_t (*decrypt) (encryption_payload_t *this); - - /** - * Build the signature. - * - * The signature is built over the FULL message, so the header - * and every payload (inclusive this one) must already be generated. - * The generated message is supplied via the data paramater. - * - * @param data chunk contains the already generated message - * @return - * - SUCCESS, or - * - INVALID_STATE if transforms not set - */ - status_t (*build_signature) (encryption_payload_t *this, chunk_t data); - - /** - * Verify the signature. - * - * Since the signature is built over the full message, we need - * this data to do the verification. The message data - * is supplied via the data argument. - * - * @param data chunk contains the message - * @return - * - SUCCESS, or - * - FAILED if signature invalid, or - * - INVALID_STATE if transforms not set + * Decrypt, verify and parse contained payloads. + * + * @param assoc associated data + * - SUCCESS if parsing successful + * - PARSE_ERROR if sub-payload parsing failed + * - VERIFY_ERROR if sub-payload verification failed + * - FAILED if integrity check failed + * - INVALID_STATE if aead not supplied, but needed */ - status_t (*verify_signature) (encryption_payload_t *this, chunk_t data); + status_t (*decrypt) (encryption_payload_t *this, chunk_t assoc); /** * Destroys an encryption_payload_t object. @@ -166,7 +102,7 @@ struct encryption_payload_t { /** * Creates an empty encryption_payload_t object. * - * @return encryption_payload_t object + * @return encryption_payload_t object */ encryption_payload_t *encryption_payload_create(void); diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index 469698ef5..a56fd1869 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -41,7 +41,7 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL "INVALID_KE_PAYLOAD"); ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD, "AUTHENTICATION_FAILED"); -ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED, +ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED, "SINGLE_PAIR_REQUIRED", "NO_ADDITIONAL_SAS", "INTERNAL_ADDRESS_FAILURE", @@ -50,10 +50,12 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICAT "INVALID_SELECTORS", "UNACCEPTABLE_ADDRESSES", "UNEXPECTED_NAT_DETECTED", - "USE_ASSIGNED_HoA"); -ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA, + "USE_ASSIGNED_HoA", + "TEMPORARY_FAILURE", + "CHILD_SA_NOT_FOUND"); +ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND, "ME_CONNECT_FAILED"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED, +ENUM_NEXT(notify_type_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED, "INITIAL_CONTACT", "SET_WINDOW_SIZE", "ADDITIONAL_TS_POSSIBLE", @@ -84,8 +86,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED, "TICKET_ACK", "TICKET_NACK", "TICKET_OPAQUE", - "LINK_ID"); -ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID, + "LINK_ID", + "USE_WESP_MODE", + "ROHC_SUPPORTED", "EAP_ONLY_AUTHENTICATION"); ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION, "USE_BEET_MODE"); @@ -117,7 +120,7 @@ ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PR "INVAL_KE"); ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD, "AUTH_FAILED"); -ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED, +ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED, "SINGLE_PAIR", "NO_ADD_SAS", "INT_ADDR_FAIL", @@ -126,10 +129,12 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHE "INVAL_SEL", "UNACCEPT_ADDR", "UNEXPECT_NAT", - "ASSIGNED_HoA"); -ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA, + "ASSIGNED_HoA", + "TEMP_FAIL", + "NO_CHILD_SA"); +ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND, "ME_CONN_FAIL"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED, +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED, "INIT_CONTACT", "SET_WINSIZE", "ADD_TS_POSS", @@ -160,8 +165,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED, "TKT_ACK", "TKT_NACK", "TKT_OPAK", - "LINK_ID"); -ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID, + "LINK_ID", + "WESP_MODE", + "ROHC_SUP", "EAP_ONLY"); ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION, "BEET_MODE"); @@ -238,29 +244,29 @@ struct private_notify_payload_t { */ encoding_rule_t notify_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_notify_payload_t, next_payload) }, + { U_INT_8, offsetof(private_notify_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_notify_payload_t, critical) }, + { FLAG, offsetof(private_notify_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) }, /* Protocol ID as 8 bit field*/ - { U_INT_8, offsetof(private_notify_payload_t, protocol_id) }, + { U_INT_8, offsetof(private_notify_payload_t, protocol_id) }, /* SPI Size as 8 bit field*/ - { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) }, + { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) }, /* Notify message type as 16 bit field*/ { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, /* SPI as variable length field*/ { SPI, offsetof(private_notify_payload_t, spi) }, /* Key Exchange Data is from variable size */ - { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) } + { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) } }; /* diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h index 0e1bc23b8..8abc236e1 100644 --- a/src/libcharon/encoding/payloads/notify_payload.h +++ b/src/libcharon/encoding/payloads/notify_payload.h @@ -64,6 +64,9 @@ enum notify_type_t { UNEXPECTED_NAT_DETECTED = 41, /* mobile IPv6 bootstrapping, RFC 5026 */ USE_ASSIGNED_HoA = 42, + /* IKEv2 RFC 5996 */ + TEMPORARY_FAILURE = 43, + CHILD_SA_NOT_FOUND = 44, /* IKE-ME, private use */ ME_CONNECT_FAILED = 8192, @@ -98,16 +101,21 @@ enum notify_type_t { REDIRECT_SUPPORTED = 16406, REDIRECT = 16407, REDIRECTED_FROM = 16408, - /* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */ + /* session resumption, RFC 5723 */ TICKET_LT_OPAQUE = 16409, TICKET_REQUEST = 16410, TICKET_ACK = 16411, TICKET_NACK = 16412, TICKET_OPAQUE = 16413, + /* IPv6 configuration, RFC 5739 */ LINK_ID = 16414, + /* wrapped esp, RFC 5840 */ + USE_WESP_MODE = 16415, + /* robust header compression, RFC 5857 */ + ROHC_SUPPORTED = 16416, + /* EAP-only authentication, RFC 5998 */ + EAP_ONLY_AUTHENTICATION = 16417, - /* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */ - EAP_ONLY_AUTHENTICATION = 40960, /* BEET mode, not even a draft yet. private use */ USE_BEET_MODE = 40961, /* IKE-ME, private use */ @@ -144,7 +152,7 @@ struct notify_payload_t { /** * Gets the protocol id of this payload. * - * @return protocol id of this payload + * @return protocol id of this payload */ u_int8_t (*get_protocol_id) (notify_payload_t *this); @@ -158,7 +166,7 @@ struct notify_payload_t { /** * Gets the notify message type of this payload. * - * @return notify message type of this payload + * @return notify message type of this payload */ notify_type_t (*get_notify_type) (notify_payload_t *this); @@ -174,7 +182,7 @@ struct notify_payload_t { * * This is only valid for notifys with protocol AH|ESP * - * @return SPI value + * @return SPI value */ u_int32_t (*get_spi) (notify_payload_t *this); @@ -192,7 +200,7 @@ struct notify_payload_t { * * Returned data are not copied. * - * @return chunk_t pointing to the value + * @return chunk_t pointing to the value */ chunk_t (*get_notification_data) (notify_payload_t *this); @@ -201,7 +209,7 @@ struct notify_payload_t { * * @warning Value is getting copied. * - * @param notification_data chunk_t pointing to the value to set + * @param notification_data chunk_t pointing to the value to set */ void (*set_notification_data) (notify_payload_t *this, chunk_t notification_data); diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index c93f73a68..985b03255 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -24,20 +24,18 @@ #include <utils/linked_list.h> #include <daemon.h> - /** * IKEv1 Value for a proposal payload. */ #define PROPOSAL_TYPE_VALUE 2 - typedef struct private_proposal_substructure_t private_proposal_substructure_t; /** * Private data of an proposal_substructure_t object. - * */ struct private_proposal_substructure_t { + /** * Public proposal_substructure_t interface. */ @@ -92,24 +90,24 @@ struct private_proposal_substructure_t { */ encoding_rule_t proposal_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, + { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, /* Length of the whole proposal substructure payload*/ - { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, + { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, /* proposal number is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) }, + { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) }, /* protocol ID is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) }, + { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) }, /* SPI Size has its own type */ - { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) }, + { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) }, /* Number of transforms is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, + { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, /* SPI is a chunk of variable size*/ - { SPI, offsetof(private_proposal_substructure_t, spi) }, + { SPI, offsetof(private_proposal_substructure_t, spi) }, /* Transforms are stored in a transform substructure, offset points to a linked_list_t pointer */ - { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) } + { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) } }; /* @@ -128,16 +126,14 @@ encoding_rule_t proposal_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_proposal_substructure_t *this) +METHOD(payload_t, verify, status_t, + private_proposal_substructure_t *this) { status_t status = SUCCESS; - iterator_t *iterator; - payload_t *current_transform; + enumerator_t *enumerator; + payload_t *current; - if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2)) + if (this->next_payload != NO_PAYLOAD && this->next_payload != 2) { /* must be 0 or 2 */ DBG1(DBG_ENC, "inconsistent next payload"); @@ -169,61 +165,46 @@ static status_t verify(private_proposal_substructure_t *this) } break; default: - DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id); - return FAILED; - } - if ((this->protocol_id == 0) || (this->protocol_id >= 4)) - { - /* reserved are not supported */ - DBG1(DBG_ENC, "invalid protocol"); - return FAILED; + break; } - - iterator = this->transforms->create_iterator(this->transforms,TRUE); - while(iterator->iterate(iterator, (void**)¤t_transform)) + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, ¤t)) { - status = current_transform->verify(current_transform); + status = current->verify(current); if (status != SUCCESS) { DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed"); break; } } - iterator->destroy(iterator); + enumerator->destroy(enumerator); /* proposal number is checked in SA payload */ return status; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_proposal_substructure_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = proposal_substructure_encodings; - *rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(proposal_substructure_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_proposal_substructure_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_proposal_substructure_t *this) { return PROPOSAL_SUBSTRUCTURE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_proposal_substructure_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_proposal_substructure_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_proposal_substructure_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_proposal_substructure_t *this, payload_type_t type) { } @@ -250,145 +231,88 @@ static void compute_length(private_proposal_substructure_t *this) this->proposal_length = length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_proposal_substructure_t *this) +METHOD(payload_t, get_length, size_t, + private_proposal_substructure_t *this) { compute_length(this); return this->proposal_length; } /** - * Implementation of proposal_substructure_t.create_transform_substructure_iterator. - */ -static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward) -{ - return (this->transforms->create_iterator(this->transforms,forward)); -} - -/** - * Implementation of proposal_substructure_t.add_transform_substructure. + * Add a transform substructure to the proposal */ -static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform) +static void add_transform_substructure(private_proposal_substructure_t *this, + transform_substructure_t *transform) { - status_t status; if (this->transforms->get_count(this->transforms) > 0) { - transform_substructure_t *last_transform; - status = this->transforms->get_last(this->transforms,(void **) &last_transform); - /* last transform is now not anymore last one */ - last_transform->set_is_last_transform(last_transform,FALSE); + transform_substructure_t *last; + this->transforms->get_last(this->transforms, (void **)&last); + last->set_is_last_transform(last, FALSE); } transform->set_is_last_transform(transform,TRUE); - - this->transforms->insert_last(this->transforms,(void *) transform); + this->transforms->insert_last(this->transforms, transform); compute_length(this); } -/** - * Implementation of proposal_substructure_t.proposal_substructure_t. - */ -static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last) +METHOD(proposal_substructure_t, set_is_last_proposal, void, + private_proposal_substructure_t *this, bool is_last) { - this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE; + this->next_payload = is_last ? 0 : PROPOSAL_TYPE_VALUE; } -/** - * Implementation of proposal_substructure_t.set_proposal_number. - */ -static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number) +METHOD(proposal_substructure_t, set_proposal_number, void, + private_proposal_substructure_t *this,u_int8_t proposal_number) { this->proposal_number = proposal_number; } -/** - * Implementation of proposal_substructure_t.get_proposal_number. - */ -static u_int8_t get_proposal_number (private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, get_proposal_number, u_int8_t, + private_proposal_substructure_t *this) { - return (this->proposal_number); + return this->proposal_number; } -/** - * Implementation of proposal_substructure_t.set_protocol_id. - */ -static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id) +METHOD(proposal_substructure_t, set_protocol_id, void, + private_proposal_substructure_t *this,u_int8_t protocol_id) { this->protocol_id = protocol_id; } -/** - * Implementation of proposal_substructure_t.get_protocol_id. - */ -static u_int8_t get_protocol_id(private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, get_protocol_id, u_int8_t, + private_proposal_substructure_t *this) { - return (this->protocol_id); + return this->protocol_id; } -/** - * Implementation of proposal_substructure_t.set_spi. - */ -static void set_spi(private_proposal_substructure_t *this, chunk_t spi) +METHOD(proposal_substructure_t, set_spi, void, + private_proposal_substructure_t *this, chunk_t spi) { - /* first delete already set spi value */ - if (this->spi.ptr != NULL) - { - free(this->spi.ptr); - this->spi.ptr = NULL; - this->spi.len = 0; - compute_length(this); - } - - this->spi.ptr = clalloc(spi.ptr,spi.len); - this->spi.len = spi.len; + free(this->spi.ptr); + this->spi = chunk_clone(spi); this->spi_size = spi.len; compute_length(this); } -/** - * Implementation of proposal_substructure_t.get_spi. - */ -static chunk_t get_spi(private_proposal_substructure_t *this) -{ - chunk_t spi; - spi.ptr = this->spi.ptr; - spi.len = this->spi.len; - - return spi; -} - -/** - * Implementation of proposal_substructure_t.get_transform_count. - */ -static size_t get_transform_count (private_proposal_substructure_t *this) -{ - return this->transforms->get_count(this->transforms); -} - -/** - * Implementation of proposal_substructure_t.get_spi_size. - */ -static size_t get_spi_size (private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, get_spi, chunk_t, + private_proposal_substructure_t *this) { - return this->spi.len; + return this->spi; } -/** - * Implementation of proposal_substructure_t.get_proposal. - */ -proposal_t* get_proposal(private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, get_proposal, proposal_t*, + private_proposal_substructure_t *this) { - iterator_t *iterator; + enumerator_t *enumerator; transform_substructure_t *transform; proposal_t *proposal; u_int64_t spi; - proposal = proposal_create(this->protocol_id); + proposal = proposal_create(this->protocol_id, this->proposal_number); - iterator = this->transforms->create_iterator(this->transforms, TRUE); - while (iterator->iterate(iterator, (void**)&transform)) + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &transform)) { transform_type_t transform_type; u_int16_t transform_id; @@ -400,7 +324,7 @@ proposal_t* get_proposal(private_proposal_substructure_t *this) proposal->add_algorithm(proposal, transform_type, transform_id, key_length); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); switch (this->spi.len) { @@ -418,42 +342,36 @@ proposal_t* get_proposal(private_proposal_substructure_t *this) return proposal; } -/** - * Implementation of proposal_substructure_t.clone. - */ -static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, clone_, proposal_substructure_t*, + private_proposal_substructure_t *this) { private_proposal_substructure_t *clone; - iterator_t *transforms; - transform_substructure_t *current_transform; + enumerator_t *enumerator; + transform_substructure_t *current; - clone = (private_proposal_substructure_t *) proposal_substructure_create(); + clone = (private_proposal_substructure_t*)proposal_substructure_create(); clone->next_payload = this->next_payload; clone->proposal_number = this->proposal_number; clone->protocol_id = this->protocol_id; clone->spi_size = this->spi_size; if (this->spi.ptr != NULL) { - clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len); + clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len); clone->spi.len = this->spi.len; } - - transforms = this->transforms->create_iterator(this->transforms,FALSE); - while (transforms->iterate(transforms, (void**)¤t_transform)) + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, ¤t)) { - current_transform = current_transform->clone(current_transform); - clone->public.add_transform_substructure(&clone->public, current_transform); + current = current->clone(current); + add_transform_substructure(clone, current); } - transforms->destroy(transforms); + enumerator->destroy(enumerator); - return clone; + return &clone->public; } -/** - * Implements payload_t's and proposal_substructure_t's destroy function. - * See #payload_s.destroy or proposal_substructure_s.destroy for description. - */ -static void destroy(private_proposal_substructure_t *this) +METHOD2(payload_t, proposal_substructure_t, destroy, void, + private_proposal_substructure_t *this) { this->transforms->destroy_offset(this->transforms, offsetof(transform_substructure_t, destroy)); @@ -466,53 +384,42 @@ static void destroy(private_proposal_substructure_t *this) */ proposal_substructure_t *proposal_substructure_create() { - private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - - /* public functions */ - this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator; - this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure; - this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number; - this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number; - this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id; - this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id; - this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal; - this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal; - this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi; - this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi; - this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count; - this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size; - this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_; - this->public.destroy = (void (*) (proposal_substructure_t *)) destroy; - - /* set default values of the fields */ - this->next_payload = NO_PAYLOAD; - this->proposal_length = 0; - this->proposal_number = 0; - this->protocol_id = 0; - this->transforms_count = 0; - this->spi_size = 0; - this->spi.ptr = NULL; - this->spi.len = 0; - - this->transforms = linked_list_create(); - - return (&(this->public)); + private_proposal_substructure_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_proposal_number = _set_proposal_number, + .get_proposal_number = _get_proposal_number, + .set_protocol_id = _set_protocol_id, + .get_protocol_id = _get_protocol_id, + .set_is_last_proposal = _set_is_last_proposal, + .get_proposal = _get_proposal, + .set_spi = _set_spi, + .get_spi = _get_spi, + .clone = _clone_, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .transforms = linked_list_create(), + ); + + return &this->public; } /* * Described in header. */ -proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal) +proposal_substructure_t *proposal_substructure_create_from_proposal( + proposal_t *proposal) { transform_substructure_t *transform; private_proposal_substructure_t *this; @@ -591,7 +498,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * default: break; } - this->proposal_number = 0; + this->proposal_number = proposal->get_number(proposal); this->protocol_id = proposal->get_protocol(proposal); return &this->public; diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index 4934802af..56e7184b6 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -42,36 +42,19 @@ typedef struct proposal_substructure_t proposal_substructure_t; * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1. */ struct proposal_substructure_t { + /** * The payload_t interface. */ payload_t payload_interface; /** - * Creates an iterator of stored transform_substructure_t objects. - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object - */ - iterator_t *(*create_transform_substructure_iterator) ( - proposal_substructure_t *this, bool forward); - - /** - * Adds a transform_substructure_t object to this object. - * - * @param transform transform_substructure_t object to add - */ - void (*add_transform_substructure) (proposal_substructure_t *this, - transform_substructure_t *transform); - - /** * Sets the proposal number of current proposal. * * @param id proposal number to set */ void (*set_proposal_number) (proposal_substructure_t *this, u_int8_t proposal_number); - /** * get proposal number of current proposal. * @@ -80,20 +63,6 @@ struct proposal_substructure_t { u_int8_t (*get_proposal_number) (proposal_substructure_t *this); /** - * get the number of transforms in current proposal. - * - * @return transform count in current proposal - */ - size_t (*get_transform_count) (proposal_substructure_t *this); - - /** - * get size of the set spi in bytes. - * - * @return size of the spi in bytes - */ - size_t (*get_spi_size) (proposal_substructure_t *this); - - /** * Sets the protocol id of current proposal. * * @param id protocol id to set diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index 187a8fee0..4fbd4cac0 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -27,9 +27,9 @@ typedef struct private_sa_payload_t private_sa_payload_t; /** * Private data of an sa_payload_t object. - * */ struct private_sa_payload_t { + /** * Public sa_payload_t interface. */ @@ -61,26 +61,25 @@ struct private_sa_payload_t { * * The defined offsets are the positions in a object of type * private_sa_payload_t. - * */ encoding_rule_t sa_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_sa_payload_t, next_payload) }, + { U_INT_8, offsetof(private_sa_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_sa_payload_t, critical) }, + { FLAG, offsetof(private_sa_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, /* Length of the whole SA payload*/ - { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, offset points to a linked_list_t pointer */ - { PROPOSALS, offsetof(private_sa_payload_t, proposals) } + { PROPOSALS, offsetof(private_sa_payload_t, proposals) }, }; /* @@ -95,26 +94,23 @@ encoding_rule_t sa_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_sa_payload_t *this) +METHOD(payload_t, verify, status_t, + private_sa_payload_t *this) { int expected_number = 1, current_number; status_t status = SUCCESS; - iterator_t *iterator; - proposal_substructure_t *current_proposal; + enumerator_t *enumerator; + proposal_substructure_t *substruct; bool first = TRUE; /* check proposal numbering */ - iterator = this->proposals->create_iterator(this->proposals,TRUE); - - while(iterator->iterate(iterator, (void**)¤t_proposal)) + enumerator = this->proposals->create_enumerator(this->proposals); + while (enumerator->enumerate(enumerator, (void**)&substruct)) { - current_number = current_proposal->get_proposal_number(current_proposal); + current_number = substruct->get_proposal_number(substruct); if (current_number < expected_number) { - if (current_number != (expected_number + 1)) + if (current_number != expected_number + 1) { DBG1(DBG_ENC, "proposal number is %d, expected %d or %d", current_number, expected_number, expected_number + 1); @@ -124,13 +120,12 @@ static status_t verify(private_sa_payload_t *this) } else if (current_number < expected_number) { - /* must not be smaller then proceeding one */ - DBG1(DBG_ENC, "proposal number smaller than that of previous proposal"); + DBG1(DBG_ENC, "proposal number smaller than previous"); status = FAILED; break; } - status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface)); + status = substruct->payload_interface.verify(&substruct->payload_interface); if (status != SUCCESS) { DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed"); @@ -139,52 +134,31 @@ static status_t verify(private_sa_payload_t *this) first = FALSE; expected_number = current_number; } - - iterator->destroy(iterator); + enumerator->destroy(enumerator); return status; } - -/** - * Implementation of payload_t.destroy and sa_payload_t.destroy. - */ -static status_t destroy(private_sa_payload_t *this) -{ - this->proposals->destroy_offset(this->proposals, - offsetof(proposal_substructure_t, destroy)); - free(this); - return SUCCESS; -} - -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = sa_payload_encodings; - *rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(sa_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_sa_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_sa_payload_t *this) { return SECURITY_ASSOCIATION; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_sa_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_sa_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_sa_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_sa_payload_t *this,payload_type_t type) { this->next_payload = type; } @@ -192,116 +166,104 @@ static void set_next_type(private_sa_payload_t *this,payload_type_t type) /** * recompute length of the payload. */ -static void compute_length (private_sa_payload_t *this) +static void compute_length(private_sa_payload_t *this) { - iterator_t *iterator; - payload_t *current_proposal; + enumerator_t *enumerator; + payload_t *current; size_t length = SA_PAYLOAD_HEADER_LENGTH; - iterator = this->proposals->create_iterator(this->proposals,TRUE); - while (iterator->iterate(iterator, (void **)¤t_proposal)) + enumerator = this->proposals->create_enumerator(this->proposals); + while (enumerator->enumerate(enumerator, (void **)¤t)) { - length += current_proposal->get_length(current_proposal); + length += current->get_length(current); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); this->payload_length = length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_sa_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_sa_payload_t *this) { compute_length(this); return this->payload_length; } -/** - * Implementation of sa_payload_t.create_proposal_substructure_iterator. - */ -static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward) +METHOD(sa_payload_t, add_proposal, void, + private_sa_payload_t *this, proposal_t *proposal) { - return this->proposals->create_iterator(this->proposals,forward); -} + proposal_substructure_t *substruct, *last; + u_int count; -/** - * Implementation of sa_payload_t.add_proposal_substructure. - */ -static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal) -{ - status_t status; - u_int proposal_count = this->proposals->get_count(this->proposals); - - if (proposal_count > 0) + count = this->proposals->get_count(this->proposals); + substruct = proposal_substructure_create_from_proposal(proposal); + if (count > 0) { - proposal_substructure_t *last_proposal; - status = this->proposals->get_last(this->proposals,(void **) &last_proposal); + this->proposals->get_last(this->proposals, (void**)&last); /* last transform is now not anymore last one */ - last_proposal->set_is_last_proposal(last_proposal, FALSE); + last->set_is_last_proposal(last, FALSE); + } + substruct->set_is_last_proposal(substruct, TRUE); + if (proposal->get_number(proposal)) + { /* use the selected proposals number, if any */ + substruct->set_proposal_number(substruct, proposal->get_number(proposal)); + } + else + { + substruct->set_proposal_number(substruct, count + 1); } - proposal->set_is_last_proposal(proposal, TRUE); - proposal->set_proposal_number(proposal, proposal_count + 1); - this->proposals->insert_last(this->proposals,(void *) proposal); + this->proposals->insert_last(this->proposals, substruct); compute_length(this); } -/** - * Implementation of sa_payload_t.add_proposal. - */ -static void add_proposal(private_sa_payload_t *this, proposal_t *proposal) -{ - proposal_substructure_t *substructure; - - substructure = proposal_substructure_create_from_proposal(proposal); - add_proposal_substructure(this, substructure); -} - -/** - * Implementation of sa_payload_t.get_proposals. - */ -static linked_list_t *get_proposals(private_sa_payload_t *this) +METHOD(sa_payload_t, get_proposals, linked_list_t*, + private_sa_payload_t *this) { int struct_number = 0; int ignore_struct_number = 0; - iterator_t *iterator; - proposal_substructure_t *proposal_struct; - linked_list_t *proposal_list; - - /* this list will hold our proposals */ - proposal_list = linked_list_create(); + enumerator_t *enumerator; + proposal_substructure_t *substruct; + linked_list_t *list; + proposal_t *proposal; + list = linked_list_create(); /* we do not support proposals split up to two proposal substructures, as * AH+ESP bundles are not supported in RFC4301 anymore. * To handle such structures safely, we just skip proposals with multiple * protocols. */ - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void **)&proposal_struct)) + enumerator = this->proposals->create_enumerator(this->proposals); + while (enumerator->enumerate(enumerator, &substruct)) { - proposal_t *proposal; - /* check if a proposal has a single protocol */ - if (proposal_struct->get_proposal_number(proposal_struct) == struct_number) + if (substruct->get_proposal_number(substruct) == struct_number) { if (ignore_struct_number < struct_number) { - /* remova an already added, if first of series */ - proposal_list->remove_last(proposal_list, (void**)&proposal); + /* remove an already added, if first of series */ + list->remove_last(list, (void**)&proposal); proposal->destroy(proposal); ignore_struct_number = struct_number; } continue; } struct_number++; - proposal = proposal_struct->get_proposal(proposal_struct); + proposal = substruct->get_proposal(substruct); if (proposal) { - proposal_list->insert_last(proposal_list, proposal); + list->insert_last(list, proposal); } } - iterator->destroy(iterator); - return proposal_list; + enumerator->destroy(enumerator); + return list; +} + +METHOD2(payload_t, sa_payload_t, destroy, void, + private_sa_payload_t *this) +{ + this->proposals->destroy_offset(this->proposals, + offsetof(proposal_substructure_t, destroy)); + free(this); } /* @@ -309,29 +271,27 @@ static linked_list_t *get_proposals(private_sa_payload_t *this) */ sa_payload_t *sa_payload_create() { - private_sa_payload_t *this = malloc_thing(private_sa_payload_t); - - /* public interface */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator; - this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure; - this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal; - this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals; - this->public.destroy = (void (*) (sa_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = SA_PAYLOAD_HEADER_LENGTH; - this->proposals = linked_list_create(); + private_sa_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .add_proposal = _add_proposal, + .get_proposals = _get_proposals, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = SA_PAYLOAD_HEADER_LENGTH, + .proposals = linked_list_create(), + ); return &this->public; } @@ -340,19 +300,19 @@ sa_payload_t *sa_payload_create() */ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals) { - iterator_t *iterator; + private_sa_payload_t *this; + enumerator_t *enumerator; proposal_t *proposal; - sa_payload_t *sa_payload = sa_payload_create(); - /* add every payload from the list */ - iterator = proposals->create_iterator(proposals, TRUE); - while (iterator->iterate(iterator, (void**)&proposal)) + this = (private_sa_payload_t*)sa_payload_create(); + enumerator = proposals->create_enumerator(proposals); + while (enumerator->enumerate(enumerator, &proposal)) { - add_proposal((private_sa_payload_t*)sa_payload, proposal); + add_proposal(this, proposal); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); - return sa_payload; + return &this->public; } /* @@ -360,9 +320,10 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals) */ sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal) { - sa_payload_t *sa_payload = sa_payload_create(); + private_sa_payload_t *this; - add_proposal((private_sa_payload_t*)sa_payload, proposal); + this = (private_sa_payload_t*)sa_payload_create(); + add_proposal(this, proposal); - return sa_payload; + return &this->public; } diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h index 25f5a2407..801a70738 100644 --- a/src/libcharon/encoding/payloads/sa_payload.h +++ b/src/libcharon/encoding/payloads/sa_payload.h @@ -40,33 +40,13 @@ typedef struct sa_payload_t sa_payload_t; * The SA Payload format is described in RFC section 3.3. */ struct sa_payload_t { + /** * The payload_t interface. */ payload_t payload_interface; /** - * Creates an iterator of stored proposal_substructure_t objects. - * - * When deleting an proposal using this iterator, - * the length of this transform substructure has to be refreshed - * by calling get_length()! - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object - */ - iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this, - bool forward); - - /** - * Adds a proposal_substructure_t object to this object. - * - * @param proposal proposal_substructure_t object to add - */ - void (*add_proposal_substructure) (sa_payload_t *this, - proposal_substructure_t *proposal); - - /** * Gets the proposals in this payload as a list. * * @return a list containing proposal_t s diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c new file mode 100644 index 000000000..d9e39fe43 --- /dev/null +++ b/src/libcharon/kernel/kernel_handler.c @@ -0,0 +1,163 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "kernel_handler.h" + +#include <hydra.h> +#include <daemon.h> +#include <processing/jobs/acquire_job.h> +#include <processing/jobs/delete_child_sa_job.h> +#include <processing/jobs/migrate_job.h> +#include <processing/jobs/rekey_child_sa_job.h> +#include <processing/jobs/roam_job.h> +#include <processing/jobs/update_sa_job.h> + +typedef struct private_kernel_handler_t private_kernel_handler_t; + +/** + * Private data of a kernel_handler_t object. + */ +struct private_kernel_handler_t { + + /** + * Public part of kernel_handler_t object. + */ + kernel_handler_t public; + +}; + +/** + * convert an IP protocol identifier to the IKEv2 specific protocol identifier. + */ +static inline protocol_id_t proto_ip2ike(u_int8_t protocol) +{ + switch (protocol) + { + case IPPROTO_ESP: + return PROTO_ESP; + case IPPROTO_AH: + return PROTO_AH; + default: + return protocol; + } +} + +METHOD(kernel_listener_t, acquire, bool, + private_kernel_handler_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) +{ + job_t *job; + if (src_ts && dst_ts) + { + DBG1(DBG_KNL, "creating acquire job for policy %R === %R " + "with reqid {%u}", src_ts, dst_ts, reqid); + } + else + { + DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}", reqid); + } + job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts); + lib->processor->queue_job(lib->processor, job); + return TRUE; +} + +METHOD(kernel_listener_t, expire, bool, + private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol, + u_int32_t spi, bool hard) +{ + job_t *job; + protocol_id_t proto = proto_ip2ike(protocol); + DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x " + "and reqid {%u}", hard ? "delete" : "rekey", + protocol_id_names, proto, ntohl(spi), reqid); + if (hard) + { + job = (job_t*)delete_child_sa_job_create(reqid, proto, spi); + } + else + { + job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi); + } + lib->processor->queue_job(lib->processor, job); + return TRUE; +} + +METHOD(kernel_listener_t, mapping, bool, + private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi, + host_t *remote) +{ + job_t *job; + DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and " + "reqid {%u} changed, queuing update job", ntohl(spi), reqid); + job = (job_t*)update_sa_job_create(reqid, remote); + lib->processor->queue_job(lib->processor, job); + return TRUE; +} + +METHOD(kernel_listener_t, migrate, bool, + private_kernel_handler_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote) +{ + job_t *job; + DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with " + "reqid {%u}", src_ts, dst_ts, policy_dir_names, direction, + reqid, local); + job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, direction, local, + remote); + lib->processor->queue_job(lib->processor, job); + return TRUE; +} + +METHOD(kernel_listener_t, roam, bool, + private_kernel_handler_t *this, bool address) +{ + job_t *job; + job = (job_t*)roam_job_create(address); + lib->processor->queue_job(lib->processor, job); + return TRUE; +} + +METHOD(kernel_handler_t, destroy, void, + private_kernel_handler_t *this) +{ + hydra->kernel_interface->remove_listener(hydra->kernel_interface, + &this->public.listener); + free(this); +} + +kernel_handler_t *kernel_handler_create() +{ + private_kernel_handler_t *this; + + INIT(this, + .public = { + .listener = { + .acquire = _acquire, + .expire = _expire, + .mapping = _mapping, + .migrate = _migrate, + .roam = _roam, + }, + .destroy = _destroy, + }, + ); + + hydra->kernel_interface->add_listener(hydra->kernel_interface, + &this->public.listener); + + return &this->public; +} + diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h new file mode 100644 index 000000000..48ad6889c --- /dev/null +++ b/src/libcharon/kernel/kernel_handler.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup kernel_handler kernel_handler + * @{ @ingroup ckernel + */ + +#ifndef KERNEL_HANDLER_H_ +#define KERNEL_HANDLER_H_ + +typedef struct kernel_handler_t kernel_handler_t; + +#include <kernel/kernel_listener.h> + +/** + * Listens to and handles kernel events. + */ +struct kernel_handler_t { + + /** + * Implements the kernel listener interface. + */ + kernel_listener_t listener; + + /** + * Destroy this instance. + */ + void (*destroy)(kernel_handler_t *this); + +}; + +/** + * Create an object of type kernel_handler_t. + */ +kernel_handler_t *kernel_handler_create(); + +#endif /** KERNEL_HANDLER_H_ @}*/ diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index 63a8cab58..d8cebe192 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -146,7 +146,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data) ike_sa_id->switch_initiator(ike_sa_id); response->set_ike_sa_id(response, ike_sa_id); response->add_notify(response, FALSE, type, data); - if (response->generate(response, NULL, NULL, &packet) == SUCCESS) + if (response->generate(response, NULL, &packet) == SUCCESS) { charon->sender->send(charon->sender, packet); response->destroy(response); @@ -274,9 +274,17 @@ static job_requeue_t receive_packets(private_receiver_t *this) { packet_t *packet; message_t *message; + status_t status; /* read in a packet */ - if (charon->socket->receive(charon->socket, &packet) != SUCCESS) + status = charon->socket->receive(charon->socket, &packet); + if (status == NOT_SUPPORTED) + { + /* the processor destroys this job */ + this->job = NULL; + return JOB_REQUEUE_NONE; + } + else if (status != SUCCESS) { DBG2(DBG_NET, "receiving from socket failed!"); return JOB_REQUEUE_FAIR; @@ -353,22 +361,25 @@ static job_requeue_t receive_packets(private_receiver_t *this) { DBG1(DBG_NET, "using receive delay: %dms", this->receive_delay); - charon->scheduler->schedule_job_ms(charon->scheduler, + lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)process_message_job_create(message), this->receive_delay); return JOB_REQUEUE_DIRECT; } } } - charon->processor->queue_job(charon->processor, - (job_t*)process_message_job_create(message)); + lib->processor->queue_job(lib->processor, + (job_t*)process_message_job_create(message)); return JOB_REQUEUE_DIRECT; } METHOD(receiver_t, destroy, void, private_receiver_t *this) { - this->job->cancel(this->job); + if (this->job) + { + this->job->cancel(this->job); + } this->rng->destroy(this->rng); this->hasher->destroy(this->hasher); free(this); @@ -383,7 +394,9 @@ receiver_t *receiver_create() u_int32_t now = time_monotonic(NULL); INIT(this, - .public.destroy = _destroy, + .public = { + .destroy = _destroy, + }, .secret_switch = now, .secret_offset = random() % now, ); @@ -424,7 +437,7 @@ receiver_t *receiver_create() this->job = callback_job_create((callback_job_cb_t)receive_packets, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c index bb6d50605..4177fb3e1 100644 --- a/src/libcharon/network/sender.c +++ b/src/libcharon/network/sender.c @@ -195,7 +195,7 @@ sender_t * sender_create() "charon.send_delay_response", TRUE), ); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h index 5c5a4edfb..51b26920f 100644 --- a/src/libcharon/network/socket.h +++ b/src/libcharon/network/socket.h @@ -1,6 +1,7 @@ /* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -30,6 +31,11 @@ typedef struct socket_t socket_t; #include <utils/enumerator.h> /** + * Constructor prototype for sockets. + */ +typedef socket_t *(*socket_constructor_t)(); + +/** * Socket interface definition. */ struct socket_t { @@ -42,8 +48,8 @@ struct socket_t { * * @param packet pinter gets address from allocated packet_t * @return - * - SUCCESS when packet successfully received - * - FAILED when unable to receive + * - SUCCESS when packet successfully received + * - FAILED when unable to receive */ status_t (*receive) (socket_t *this, packet_t **packet); @@ -55,10 +61,15 @@ struct socket_t { * * @param packet packet_t to send * @return - * - SUCCESS when packet successfully sent - * - FAILED when unable to send + * - SUCCESS when packet successfully sent + * - FAILED when unable to send */ status_t (*send) (socket_t *this, packet_t *packet); + + /** + * Destroy a socket implementation. + */ + void (*destroy) (socket_t *this); }; #endif /** SOCKET_H_ @}*/ diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c index 0dbce4b1b..72a454301 100644 --- a/src/libcharon/network/socket_manager.c +++ b/src/libcharon/network/socket_manager.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -33,11 +35,21 @@ struct private_socket_manager_t { socket_manager_t public; /** - * List of registered socket + * List of registered socket constructors */ linked_list_t *sockets; /** + * Instantiated socket implementation + */ + socket_t *socket; + + /** + * The constructor used to create the current socket + */ + socket_constructor_t create; + + /** * Lock for sockets list */ rwlock_t *lock; @@ -46,11 +58,9 @@ struct private_socket_manager_t { METHOD(socket_manager_t, receiver, status_t, private_socket_manager_t *this, packet_t **packet) { - socket_t *socket; status_t status; - this->lock->read_lock(this->lock); - if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS) + if (!this->socket) { DBG1(DBG_NET, "no socket implementation registered, receiving failed"); this->lock->unlock(this->lock); @@ -58,7 +68,7 @@ METHOD(socket_manager_t, receiver, status_t, } /* receive is blocking and the thread can be cancelled */ thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock); - status = socket->receive(socket, packet); + status = this->socket->receive(this->socket, packet); thread_cleanup_pop(TRUE); return status; } @@ -66,40 +76,67 @@ METHOD(socket_manager_t, receiver, status_t, METHOD(socket_manager_t, sender, status_t, private_socket_manager_t *this, packet_t *packet) { - socket_t *socket; status_t status; - this->lock->read_lock(this->lock); - if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS) + if (!this->socket) { DBG1(DBG_NET, "no socket implementation registered, sending failed"); this->lock->unlock(this->lock); return NOT_SUPPORTED; } - status = socket->send(socket, packet); + status = this->socket->send(this->socket, packet); this->lock->unlock(this->lock); return status; } +static void create_socket(private_socket_manager_t *this) +{ + socket_constructor_t create; + /* remove constructors in order to avoid trying to create broken ones + * multiple times */ + while (this->sockets->remove_first(this->sockets, + (void**)&create) == SUCCESS) + { + this->socket = create(); + if (this->socket) + { + this->create = create; + break; + } + } +} + METHOD(socket_manager_t, add_socket, void, - private_socket_manager_t *this, socket_t *socket) + private_socket_manager_t *this, socket_constructor_t create) { this->lock->write_lock(this->lock); - this->sockets->insert_last(this->sockets, socket); + this->sockets->insert_last(this->sockets, create); + if (!this->socket) + { + create_socket(this); + } this->lock->unlock(this->lock); } METHOD(socket_manager_t, remove_socket, void, - private_socket_manager_t *this, socket_t *socket) + private_socket_manager_t *this, socket_constructor_t create) { this->lock->write_lock(this->lock); - this->sockets->remove(this->sockets, socket, NULL); + this->sockets->remove(this->sockets, create, NULL); + if (this->create == create) + { + this->socket->destroy(this->socket); + this->socket = NULL; + this->create = NULL; + create_socket(this); + } this->lock->unlock(this->lock); } METHOD(socket_manager_t, destroy, void, private_socket_manager_t *this) { + DESTROY_IF(this->socket); this->sockets->destroy(this->sockets); this->lock->destroy(this->lock); free(this); diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h index b33d5c71c..94185d21c 100644 --- a/src/libcharon/network/socket_manager.h +++ b/src/libcharon/network/socket_manager.h @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -51,14 +53,18 @@ struct socket_manager_t { status_t (*send) (socket_manager_t *this, packet_t *packet); /** - * Register a socket implementation. + * Register a socket constructor. + * + * @param create constructor for the socket */ - void (*add_socket)(socket_manager_t *this, socket_t *socket); + void (*add_socket)(socket_manager_t *this, socket_constructor_t create); /** - * Unregister a registered socket implementation. + * Unregister a registered socket constructor. + * + * @param create constructor for the socket */ - void (*remove_socket)(socket_manager_t *this, socket_t *socket); + void (*remove_socket)(socket_manager_t *this, socket_constructor_t create); /** * Destroy a socket_manager_t. diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 4cb047929..426d1a689 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c index 1c407035d..5fdb36c5c 100644 --- a/src/libcharon/plugins/addrblock/addrblock_plugin.c +++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c @@ -61,7 +61,11 @@ plugin_t *addrblock_plugin_create() private_addrblock_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .validator = addrblock_validator_create(), .narrower = addrblock_narrow_create(), ); diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index 6e4903ee1..d80868798 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c index e2c8572ef..3d82d8f60 100644 --- a/src/libcharon/plugins/android/android_plugin.c +++ b/src/libcharon/plugins/android/android_plugin.c @@ -79,8 +79,10 @@ plugin_t *android_plugin_create() private_android_plugin_t *this; INIT(this, - .public.plugin = { - .destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, }, .logger = android_logger_create(), .handler = android_handler_create(), diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index 538c4a9a2..f9a8e1ea1 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -141,7 +141,7 @@ METHOD(listener_t, child_updown, bool, * callback, but from a different thread. we also delay it to avoid * a race condition during a regular shutdown */ job = callback_job_create(shutdown_callback, NULL, NULL, NULL); - charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1); + lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1); return FALSE; } } @@ -378,7 +378,7 @@ android_service_t *android_service_create(android_creds_t *creds) charon->bus->add_listener(charon->bus, &this->public.listener); this->job = callback_job_create((callback_job_cb_t)initiate, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index b34654fb7..e843c42e8 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c index 829fd6356..fccc99ba5 100644 --- a/src/libcharon/plugins/dhcp/dhcp_plugin.c +++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c @@ -62,7 +62,11 @@ plugin_t *dhcp_plugin_create() private_dhcp_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .socket = dhcp_socket_create(), ); diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index f61b3a60e..e1e83d648 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -31,6 +31,7 @@ #include <threading/condvar.h> #include <threading/thread.h> +#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> @@ -205,8 +206,8 @@ static int prepare_dhcp(private_dhcp_socket_t *this, else { /* act as relay agent */ - src = charon->kernel_interface->get_source_addr( - charon->kernel_interface, this->dst, NULL); + src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + this->dst, NULL); if (src) { memcpy(&dhcp->gateway_address, src->get_address(src).ptr, @@ -462,8 +463,6 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); - server = host_create_from_chunk(AF_INET, - chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT); this->mutex->lock(this->mutex); enumerator = this->discover->create_enumerator(this->discover); @@ -471,11 +470,8 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) { if (transaction->get_id(transaction) == dhcp->transaction_id) { - DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); this->discover->remove_at(this->discover, enumerator); this->request->insert_last(this->request, transaction); - transaction->set_address(transaction, offer->clone(offer)); - transaction->set_server(transaction, server->clone(server)); break; } } @@ -504,9 +500,22 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) chunk_create((char*)&option->data[pos], 4)); } } + if (option->type == DHCP_SERVER_ID && option->len == 4) + { + server = host_create_from_chunk(AF_INET, + chunk_create(option->data, 4), DHCP_SERVER_PORT); + } optlen -= optsize; optpos += optsize; } + if (!server) + { + server = host_create_from_chunk(AF_INET, + chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT); + } + DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); + transaction->set_address(transaction, offer->clone(offer)); + transaction->set_server(transaction, server->clone(server)); } this->mutex->unlock(this->mutex); this->condvar->broadcast(this->condvar); @@ -751,7 +760,7 @@ dhcp_socket_t *dhcp_socket_create() this->job = callback_job_create((callback_job_cb_t)receive_dhcp, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 14bf3f15d..c0750786d 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index b41b59616..41f69546e 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 57952f621..02d659197 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index d78957438..46011694a 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c index ab082a955..03066b2f8 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity.c +++ b/src/libcharon/plugins/eap_identity/eap_identity.c @@ -59,11 +59,8 @@ struct eap_identity_header_t { u_int8_t data[]; } __attribute__((__packed__)); -/** - * Implementation of eap_method_t.process for the peer - */ -static status_t process_peer(private_eap_identity_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_peer, status_t, + private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t id; eap_identity_header_t *hdr; @@ -74,7 +71,7 @@ static status_t process_peer(private_eap_identity_t *this, hdr = alloca(len); hdr->code = EAP_RESPONSE; - hdr->identifier = in->get_identifier(in); + hdr->identifier = in ? in->get_identifier(in) : 0; hdr->length = htons(len); hdr->type = EAP_IDENTITY; memcpy(hdr->data, id.ptr, id.len); @@ -83,20 +80,15 @@ static status_t process_peer(private_eap_identity_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the peer - */ -static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_peer, status_t, + private_eap_identity_t *this, eap_payload_t **out) { /* peer never initiates */ return FAILED; } -/** - * Implementation of eap_method_t.process for the server - */ -static status_t process_server(private_eap_identity_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_server, status_t, + private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t data; @@ -108,10 +100,8 @@ static status_t process_server(private_eap_identity_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the server - */ -static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_server, status_t, + private_eap_identity_t *this, eap_payload_t **out) { eap_identity_header_t hdr; @@ -125,19 +115,15 @@ static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **ou return NEED_MORE; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_identity_t *this, u_int32_t *vendor) { *vendor = 0; return EAP_IDENTITY; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_identity_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_identity_t *this, chunk_t *msk) { if (this->identity.ptr) { @@ -147,56 +133,42 @@ static status_t get_msk(private_eap_identity_t *this, chunk_t *msk) return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_identity_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_identity_t *this) { return FALSE; } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_identity_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_identity_t *this) { this->peer->destroy(this->peer); free(this->identity.ptr); free(this); } -/** - * Generic constructor - */ -static private_eap_identity_t *eap_identity_create(identification_t *server, - identification_t *peer) -{ - private_eap_identity_t *this = malloc_thing(private_eap_identity_t); - - this->public.eap_method_interface.initiate = NULL; - this->public.eap_method_interface.process = NULL; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - - this->peer = peer->clone(peer); - this->identity = chunk_empty; - - return this; -} - /* * Described in header. */ eap_identity_t *eap_identity_create_peer(identification_t *server, identification_t *peer) { - private_eap_identity_t *this = eap_identity_create(server, peer); - - /* public functions */ - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + private_eap_identity_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_peer, + .process = _process_peer, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .identity = chunk_empty, + ); return &this->public; } @@ -207,11 +179,22 @@ eap_identity_t *eap_identity_create_peer(identification_t *server, eap_identity_t *eap_identity_create_server(identification_t *server, identification_t *peer) { - private_eap_identity_t *this = eap_identity_create(server, peer); - - /* public functions */ - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + private_eap_identity_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_server, + .process = _process_server, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .identity = chunk_empty, + ); return &this->public; } diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h index 7364a8bda..9a7f28574 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity.h +++ b/src/libcharon/plugins/eap_identity/eap_identity.h @@ -33,7 +33,7 @@ struct eap_identity_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c index 082997154..079c27909 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c +++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c @@ -14,15 +14,12 @@ */ #include "eap_identity_plugin.h" - #include "eap_identity.h" #include <daemon.h> -/** - * Implementation of plugin_t.destroy - */ -static void destroy(eap_identity_plugin_t *this) +METHOD(plugin_t, destroy, void, + eap_identity_plugin_t *this) { charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_identity_create_server); @@ -36,9 +33,13 @@ static void destroy(eap_identity_plugin_t *this) */ plugin_t *eap_identity_plugin_create() { - eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t); + eap_identity_plugin_t *this; - this->plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER, (eap_constructor_t)eap_identity_create_server); diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 5bfc59fa4..2e307147f 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index 3554ae12e..f70754abb 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -47,7 +47,7 @@ struct private_eap_md5_t { chunk_t challenge; /** - * EAP message identififier + * EAP message identifier */ u_int8_t identifier; }; @@ -105,19 +105,15 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the peer - */ -static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_peer, status_t, + private_eap_md5_t *this, eap_payload_t **out) { /* peer never initiates */ return FAILED; } -/** - * Implementation of eap_method_t.initiate for the server - */ -static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_server, status_t, + private_eap_md5_t *this, eap_payload_t **out) { rng_t *rng; eap_md5_header_t *req; @@ -142,11 +138,8 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out) return NEED_MORE; } -/** - * Implementation of eap_method_t.process for the peer - */ -static status_t process_peer(private_eap_md5_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_peer, status_t, + private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t response; chunk_t data; @@ -177,11 +170,8 @@ static status_t process_peer(private_eap_md5_t *this, return NEED_MORE; } -/** - * Implementation of eap_method_t.process for the server - */ -static status_t process_server(private_eap_md5_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_server, status_t, + private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t response, expected; chunk_t data; @@ -209,35 +199,27 @@ static status_t process_server(private_eap_md5_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_md5_t *this, u_int32_t *vendor) { *vendor = 0; return EAP_MD5; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_md5_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) { return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_md5_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_md5_t *this) { return FALSE; } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_md5_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_md5_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); @@ -245,39 +227,27 @@ static void destroy(private_eap_md5_t *this) free(this); } -/** - * Generic constructor - */ -static private_eap_md5_t *eap_md5_create_generic(identification_t *server, - identification_t *peer) -{ - private_eap_md5_t *this = malloc_thing(private_eap_md5_t); - - this->public.eap_method_interface.initiate = NULL; - this->public.eap_method_interface.process = NULL; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - - /* private data */ - this->peer = peer->clone(peer); - this->server = server->clone(server); - this->challenge = chunk_empty; - this->identifier = 0; - - return this; -} - /* - * see header + * See header */ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer) { - private_eap_md5_t *this = eap_md5_create_generic(server, peer); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + private_eap_md5_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_server, + .process = _process_server, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .server = server->clone(server), + ); /* generate a non-zero identifier */ do { @@ -288,14 +258,26 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee } /* - * see header + * See header */ eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer) { - private_eap_md5_t *this = eap_md5_create_generic(server, peer); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + private_eap_md5_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_peer, + .process = _process_peer, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .server = server->clone(server), + ); return &this->public; } diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h index 3cff0dd79..c6687149a 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.h +++ b/src/libcharon/plugins/eap_md5/eap_md5.h @@ -33,7 +33,7 @@ struct eap_md5_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c index e716dc6e8..39a6f5731 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c +++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c @@ -14,15 +14,12 @@ */ #include "eap_md5_plugin.h" - #include "eap_md5.h" #include <daemon.h> -/** - * Implementation of plugin_t.destroy - */ -static void destroy(eap_md5_plugin_t *this) +METHOD(plugin_t, destroy, void, + eap_md5_plugin_t *this) { charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_md5_create_server); @@ -36,9 +33,13 @@ static void destroy(eap_md5_plugin_t *this) */ plugin_t *eap_md5_plugin_create() { - eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t); + eap_md5_plugin_t *this; - this->plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER, (eap_constructor_t)eap_md5_create_server); diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index d61cc9e5d..635cfe6ec 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 3cd8d994c..4f39c8608 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -818,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, eap_mschapv2_header_t *eap; chunk_t data; char *message, *token, *msg = NULL; - int message_len, error = 0, retryable; + int message_len, error = 0, retriable; chunk_t challenge = chunk_empty; data = in->get_data(in); @@ -847,7 +847,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, else if (strneq(token, "R=", 2)) { token += 2; - retryable = atoi(token); + retriable = atoi(token); } else if (strneq(token, "C=", 2)) { @@ -880,17 +880,17 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, mschapv2_error_names, error, sanitize(msg)); /** - * at this point, if the error is retryable, we MAY retry the authentication + * at this point, if the error is retriable, we MAY retry the authentication * or MAY send a Change Password packet. * - * if the error is not retryable (or if we do neither of the above), we + * if the error is not retriable (or if we do neither of the above), we * SHOULD send a Failure Response packet. * windows clients don't do that, and since windows server 2008 r2 behaves * pretty odd if we do send a Failure Response, we just don't send one * either. windows 7 actually sends a delete notify (which, according to the * logs, results in an error on windows server 2008 r2). * - * btw, windows server 2008 r2 does not send non-retryable errors for e.g. + * btw, windows server 2008 r2 does not send non-retriable errors for e.g. * a disabled account but returns the windows error code in a notify payload * of type 12345. */ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index bb372d13c..1d771d9a4 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 65b868bc6..157034fe5 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -20,6 +20,8 @@ #include <daemon.h> +#define TUNNEL_TYPE_ESP 9 + typedef struct private_eap_radius_t private_eap_radius_t; /** @@ -71,6 +73,11 @@ struct private_eap_radius_t { * Handle the Class attribute as group membership information? */ bool class_group; + + /** + * Handle the Filter-Id attribute as IPsec CHILD_SA name? + */ + bool filter_id; }; /** @@ -211,6 +218,62 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg) enumerator->destroy(enumerator); } +/** + * Handle the Filter-Id attribute as IPsec CHILD_SA name + */ +static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) +{ + enumerator_t *enumerator; + int type; + u_int8_t tunnel_tag; + u_int32_t tunnel_type; + chunk_t filter_id = chunk_empty, data; + bool is_esp_tunnel = FALSE; + + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case RAT_TUNNEL_TYPE: + if (data.len != 4) + { + continue; + } + tunnel_tag = *data.ptr; + *data.ptr = 0x00; + tunnel_type = untoh32(data.ptr); + DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: " + "tag = %u, value = %u", tunnel_tag, tunnel_type); + is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP); + break; + case RAT_FILTER_ID: + filter_id = data; + DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: " + "'%.*s'", filter_id.len, filter_id.ptr); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (is_esp_tunnel && filter_id.len) + { + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_data(filter_id); + auth->add(auth, AUTH_RULE_GROUP, id); + } + } +} + METHOD(eap_method_t, process, status_t, private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out) { @@ -247,12 +310,17 @@ METHOD(eap_method_t, process, status_t, { process_class(this, response); } + if (this->filter_id) + { + process_filter_id(this, response); + } + DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", + this->peer); status = SUCCESS; break; case RMC_ACCESS_REJECT: default: - DBG1(DBG_CFG, "received %N from RADIUS server", - radius_message_code_names, response->get_code(response)); + DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer); status = FAILED; break; } @@ -313,13 +381,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer private_eap_radius_t *this; INIT(this, - .public.eap_method_interface = { - .initiate = _initiate, - .process = _process, - .get_type = _get_type, - .is_mutual = _is_mutual, - .get_msk = _get_msk, - .destroy = _destroy, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, }, /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ .type = EAP_RADIUS, @@ -329,6 +399,9 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer "charon.plugins.eap-radius.id_prefix", ""), .class_group = lib->settings->get_bool(lib->settings, "charon.plugins.eap-radius.class_group", FALSE), + .filter_id = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.filter_id", FALSE), + ); this->client = radius_client_create(); if (!this->client) diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h index 8eb9e8c2d..e98cb06e3 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.h +++ b/src/libcharon/plugins/eap_radius/eap_radius.h @@ -33,7 +33,7 @@ struct eap_radius_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 91aae2f62..1c24d77d5 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -151,7 +151,11 @@ plugin_t *eap_radius_plugin_create() private_eap_radius_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .servers = linked_list_create(), ); diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h index b820cb583..ba4c94619 100644 --- a/src/libcharon/plugins/eap_radius/radius_server.h +++ b/src/libcharon/plugins/eap_radius/radius_server.h @@ -79,6 +79,7 @@ struct radius_server_t { * @param server server address * @param port server port * @param nas_identifier NAS-Identifier to use with this server + * @param secret secret to use with this server * @param sockets number of sockets to create in pool * @param preference preference boost for this server */ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index d0f44e925..d05930bbd 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 2aa0ac832..46a584265 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 7d80f8019..2d8556a59 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -201,14 +204,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -248,7 +261,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index fc26f4497..e59015f82 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index f2e82df0a..3c66d2f36 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c index 0f5319792..1cc5352d8 100644 --- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c @@ -85,8 +85,10 @@ plugin_t *eap_simaka_sql_plugin_create() "charon.plugins.eap-simaka-sql.remove_used", FALSE); INIT(this, - .public.plugin = { - .destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, }, .db = db, .provider = eap_simaka_sql_provider_create(db, remove_used), diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am new file mode 100644 index 000000000..29ddd822b --- /dev/null +++ b/src/libcharon/plugins/eap_tls/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-tls.la +else +plugin_LTLIBRARIES = libstrongswan-eap-tls.la +libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_tls_la_SOURCES = \ + eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c + +libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in new file mode 100644 index 000000000..e4b78faf8 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -0,0 +1,605 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_tls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo +libstrongswan_eap_tls_la_OBJECTS = \ + $(am_libstrongswan_eap_tls_la_OBJECTS) +libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_tls_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la +@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_tls_la_SOURCES = \ + eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c + +libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) + $(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c new file mode 100644 index 000000000..efe72c437 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls.c @@ -0,0 +1,155 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tls.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_tls_t private_eap_tls_t; + +/** + * Private data of an eap_tls_t object. + */ +struct private_eap_tls_t { + + /** + * Public interface. + */ + eap_tls_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + +/** Maximum number of EAP-TLS messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 32 +/** Default size of a EAP-TLS fragment */ +#define MAX_FRAGMENT_LEN 1024 + +METHOD(eap_method_t, initiate, status_t, + private_eap_tls_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_tls_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TLS; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_tls_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_tls_t *this) +{ + return TRUE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_tls_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_tls_t *eap_tls_create(identification_t *server, + identification_t *peer, bool is_server) +{ + private_eap_tls_t *this; + size_t frag_size; + int max_msg_count; + tls_t *tls; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT); + tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL); + this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count); + if (!this->tls_eap) + { + free(this); + return NULL; + } + return &this->public; +} + +eap_tls_t *eap_tls_create_server(identification_t *server, + identification_t *peer) +{ + return eap_tls_create(server, peer, TRUE); +} + +eap_tls_t *eap_tls_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_tls_create(server, peer, FALSE); +} diff --git a/src/libcharon/plugins/eap_tls/eap_tls.h b/src/libcharon/plugins/eap_tls/eap_tls.h new file mode 100644 index 000000000..7e080230a --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tls_i eap_tls + * @{ @ingroup eap_tls + */ + +#ifndef EAP_TLS_H_ +#define EAP_TLS_H_ + +typedef struct eap_tls_t eap_tls_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of eap_method_t using EAP-TLS. + */ +struct eap_tls_t { + + /** + * Implements eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TLS acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tls_t object + */ +eap_tls_t *eap_tls_create_server(identification_t *server, + identification_t *peer); + +/** + * Creates the EAP method EAP-TLS acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tls_t object + */ +eap_tls_t *eap_tls_create_peer(identification_t *server, + identification_t *peer); + +#endif /** EAP_TLS_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c new file mode 100644 index 000000000..a7c040bf4 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tls_plugin.h" + +#include "eap_tls.h" + +#include <daemon.h> + + +METHOD(plugin_t, destroy, void, + eap_tls_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tls_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tls_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_tls_plugin_create() +{ + eap_tls_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_SERVER, + (eap_constructor_t)eap_tls_create_server); + charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_PEER, + (eap_constructor_t)eap_tls_create_peer); + + return &this->plugin; +} diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h new file mode 100644 index 000000000..5ea719603 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tls eap_tls + * @ingroup cplugins + * + * @defgroup eap_tls_plugin eap_tls_plugin + * @{ @ingroup eap_tls + */ + +#ifndef EAP_TLS_PLUGIN_H_ +#define EAP_TLS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_tls_plugin_t eap_tls_plugin_t; + +/** + * EAP-TLS plugin + */ +struct eap_tls_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a eap_tls_plugin instance. + */ +plugin_t *eap_tls_plugin_create(); + +#endif /** EAP_TLS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am new file mode 100644 index 000000000..9c5a445c5 --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-tnc.la +else +plugin_LTLIBRARIES = libstrongswan-eap-tnc.la +libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_tnc_la_SOURCES = \ + eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c + +libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in new file mode 100644 index 000000000..fb7108a8a --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -0,0 +1,605 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_tnc +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo +libstrongswan_eap_tnc_la_OBJECTS = \ + $(am_libstrongswan_eap_tnc_la_OBJECTS) +libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_tnc_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la +@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_tnc_la_SOURCES = \ + eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c + +libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) + $(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c new file mode 100644 index 000000000..f0bff0e1f --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -0,0 +1,156 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tnc.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_tnc_t private_eap_tnc_t; + +/** + * Private data of an eap_tnc_t object. + */ +struct private_eap_tnc_t { + + /** + * Public authenticator_t interface. + */ + eap_tnc_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + + +/** Maximum number of EAP-TNC messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 10 +/** Default size of a EAP-TNC fragment */ +#define MAX_FRAGMENT_LEN 50000 + +METHOD(eap_method_t, initiate, status_t, + private_eap_tnc_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_tnc_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TNC; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_tnc_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_tnc_t *this) +{ + return FALSE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_tnc_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_tnc_t *eap_tnc_create(identification_t *server, + identification_t *peer, bool is_server) +{ + private_eap_tnc_t *this; + size_t frag_size; + int max_msg_count; + tnccs_t *tnccs; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT); + tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server); + this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count); + if (!this->tls_eap) + { + free(this); + return NULL; + } + return &this->public; +} + +eap_tnc_t *eap_tnc_create_server(identification_t *server, + identification_t *peer) +{ + return eap_tnc_create(server, peer, TRUE); +} + +eap_tnc_t *eap_tnc_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_tnc_create(server, peer, FALSE); +} diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h new file mode 100644 index 000000000..7e166fb60 --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tnc_i eap_tnc + * @{ @ingroup eap_tnc + */ + +#ifndef EAP_TNC_H_ +#define EAP_TNC_H_ + +typedef struct eap_tnc_t eap_tnc_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of the eap_method_t interface using EAP-TNC. + */ +struct eap_tnc_t { + + /** + * Implemented eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TNC acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tnc_t object + */ +eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer); + +/** + * Creates the EAP method EAP-TNC acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tnc_t object + */ +eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer); + +#endif /** EAP_TNC_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c new file mode 100644 index 000000000..7430e4cac --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tnc_plugin.h" +#include "eap_tnc.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + eap_tnc_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tnc_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tnc_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_tnc_plugin_create() +{ + eap_tnc_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_SERVER, + (eap_constructor_t)eap_tnc_create_server); + charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_PEER, + (eap_constructor_t)eap_tnc_create_peer); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h new file mode 100644 index 000000000..97298eb5c --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tnc eap_tnc + * @ingroup cplugins + * + * @defgroup eap_tnc_plugin eap_tnc_plugin + * @{ @ingroup eap_tnc + */ + +#ifndef EAP_TNC_PLUGIN_H_ +#define EAP_TNC_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_tnc_plugin_t eap_tnc_plugin_t; + +/** + * EAP-TNC plugin + */ +struct eap_tnc_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** EAP_TNC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am new file mode 100644 index 000000000..94ce5cc1e --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-ttls.la +else +plugin_LTLIBRARIES = libstrongswan-eap-ttls.la +libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_ttls_la_SOURCES = \ + eap_ttls_plugin.h eap_ttls_plugin.c \ + eap_ttls_avp.h eap_ttls_avp.c \ + eap_ttls.h eap_ttls.c \ + eap_ttls_peer.h eap_ttls_peer.c \ + eap_ttls_server.h eap_ttls_server.c + +libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in new file mode 100644 index 000000000..2cdd7701d --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -0,0 +1,615 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_ttls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \ + eap_ttls_avp.lo eap_ttls.lo eap_ttls_peer.lo \ + eap_ttls_server.lo +libstrongswan_eap_ttls_la_OBJECTS = \ + $(am_libstrongswan_eap_ttls_la_OBJECTS) +libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_ttls_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_ttls_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_ttls_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la +@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_ttls_la_SOURCES = \ + eap_ttls_plugin.h eap_ttls_plugin.c \ + eap_ttls_avp.h eap_ttls_avp.c \ + eap_ttls.h eap_ttls.c \ + eap_ttls_peer.h eap_ttls_peer.c \ + eap_ttls_server.h eap_ttls_server.c + +libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) + $(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_avp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_peer.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c new file mode 100644 index 000000000..a62af6ea4 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c @@ -0,0 +1,165 @@ +/* + * Copyright (C) 2010 Martin Willi, revosec AG + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls.h" +#include "eap_ttls_peer.h" +#include "eap_ttls_server.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_ttls_t private_eap_ttls_t; + +/** + * Private data of an eap_ttls_t object. + */ +struct private_eap_ttls_t { + + /** + * Public interface. + */ + eap_ttls_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + +/** Maximum number of EAP-TTLS messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 32 +/** Default size of a EAP-TTLS fragment */ +#define MAX_FRAGMENT_LEN 1024 + +METHOD(eap_method_t, initiate, status_t, + private_eap_ttls_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_ttls_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_ttls_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TTLS; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_ttls_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_ttls_t *this) +{ + return TRUE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_ttls_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_ttls_t *eap_ttls_create(identification_t *server, + identification_t *peer, bool is_server, + tls_application_t *application) +{ + private_eap_ttls_t *this; + size_t frag_size; + int max_msg_count; + tls_t *tls; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + if (is_server && !lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.request_peer_auth", FALSE)) + { + peer = NULL; + } + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT); + tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application); + this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count); + if (!this->tls_eap) + { + application->destroy(application); + free(this); + return NULL; + } + return &this->public; +} + +eap_ttls_t *eap_ttls_create_server(identification_t *server, + identification_t *peer) +{ + return eap_ttls_create(server, peer, TRUE, + &eap_ttls_server_create(server, peer)->application); +} + +eap_ttls_t *eap_ttls_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_ttls_create(server, peer, FALSE, + &eap_ttls_peer_create(server, peer)->application); +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.h b/src/libcharon/plugins/eap_ttls/eap_ttls.h new file mode 100644 index 000000000..6e3bf2ceb --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_i eap_ttls + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_H_ +#define EAP_TTLS_H_ + +typedef struct eap_ttls_t eap_ttls_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of eap_method_t using EAP-TTLS. + */ +struct eap_ttls_t { + + /** + * Implements eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TTLS acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_ttls_t object + */ +eap_ttls_t *eap_ttls_create_server(identification_t *server, + identification_t *peer); + +/** + * Creates the EAP method EAP-TTLS acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_ttls_t object + */ +eap_ttls_t *eap_ttls_create_peer(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c new file mode 100644 index 000000000..0eb5e94be --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c @@ -0,0 +1,187 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_avp.h" + +#include <debug.h> + +#define AVP_EAP_MESSAGE 79 +#define AVP_HEADER_LEN 8 + +typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t; + +/** + * Private data of an eap_ttls_avp_t object. + */ +struct private_eap_ttls_avp_t { + + /** + * Public eap_ttls_avp_t interface. + */ + eap_ttls_avp_t public; + + /** + * AVP input buffer + */ + chunk_t input; + + /** + * Position in input buffer + */ + size_t inpos; + + /** + * process header (TRUE) or body (FALSE) + */ + bool process_header; + + /** + * Size of AVP data + */ + size_t data_len; +}; + +METHOD(eap_ttls_avp_t, build, void, + private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data) +{ + char zero_padding[] = { 0x00, 0x00, 0x00 }; + chunk_t avp_padding; + u_int8_t avp_flags; + u_int32_t avp_len; + + avp_flags = 0x40; + avp_len = 8 + data.len; + avp_padding = chunk_create(zero_padding, (4 - data.len) % 4); + + writer->write_uint32(writer, AVP_EAP_MESSAGE); + writer->write_uint8(writer, avp_flags); + writer->write_uint24(writer, avp_len); + writer->write_data(writer, data); + writer->write_data(writer, avp_padding); +} + +METHOD(eap_ttls_avp_t, process, status_t, + private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data) +{ + size_t len; + chunk_t buf; + + if (this->process_header) + { + tls_reader_t *header; + u_int32_t avp_code; + u_int8_t avp_flags; + u_int32_t avp_len; + bool success; + + len = min(reader->remaining(reader), AVP_HEADER_LEN - this->inpos); + if (!reader->read_data(reader, len, &buf)) + { + return FAILED; + } + if (this->input.len == 0) + { + /* start of a new AVP header */ + this->input = chunk_alloc(AVP_HEADER_LEN); + memcpy(this->input.ptr, buf.ptr, len); + this->inpos = len; + } + else + { + memcpy(this->input.ptr + this->inpos, buf.ptr, len); + this->inpos += len; + } + + if (this->inpos < AVP_HEADER_LEN) + { + return NEED_MORE; + } + + /* parse AVP header */ + header = tls_reader_create(this->input); + success = header->read_uint32(header, &avp_code) && + header->read_uint8(header, &avp_flags) && + header->read_uint24(header, &avp_len); + header->destroy(header); + chunk_free(&this->input); + this->inpos = 0; + + if (!success) + { + DBG1(DBG_IKE, "received invalid AVP header"); + return FAILED; + } + if (avp_code != AVP_EAP_MESSAGE) + { + DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code); + return FAILED; + } + this->process_header = FALSE; + this->data_len = avp_len - 8; + this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4); + } + + /* process AVP data */ + len = min(reader->remaining(reader), this->input.len - this->inpos); + if (!reader->read_data(reader, len, &buf)) + { + return FAILED; + } + memcpy(this->input.ptr + this->inpos, buf.ptr, len); + this->inpos += len; + if (this->inpos < this->input.len) + { + return NEED_MORE; + } + + *data = this->input; + data->len = this->data_len; + + /* preparing for next AVP */ + this->input = chunk_empty; + this->inpos = 0; + this->process_header = TRUE; + + return SUCCESS; +} + +METHOD(eap_ttls_avp_t, destroy, void, + private_eap_ttls_avp_t *this) +{ + chunk_free(&this->input); + free(this); +} + +/** + * See header + */ +eap_ttls_avp_t *eap_ttls_avp_create(void) +{ + private_eap_ttls_avp_t *this; + + INIT(this, + .public= { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + .input = chunk_empty, + .inpos = 0, + .process_header = TRUE, + .data_len = 0, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h new file mode 100644 index 000000000..cad1d9c56 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h @@ -0,0 +1,68 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_avp eap_ttls_avp + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_AVP_H_ +#define EAP_TTLS_AVP_H_ + +typedef struct eap_ttls_avp_t eap_ttls_avp_t; + +#include <library.h> + +#include <tls_reader.h> +#include <tls_writer.h> + +/** + * EAP-TTLS Attribute-Value Pair (AVP) handler. + */ +struct eap_ttls_avp_t { + + /** + * Process received EAP-TTLS EAP Message AVP. + * + * @param reader TLS data buffer + * @param data received EAP Message + * @return + * - SUCCESS if AVP processing succeeded + * - FAILED if AVP processing failed + * - NEED_MORE if another invocation of process/build needed + */ + status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader, + chunk_t *data); + + /** + * Build EAP-TTLS EAP Message AVP to send out. + * + * @param writer TLS data buffer to write to + * @param data EAP Message to send + */ + void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data); + + /** + * Destroy a eap_ttls_application_t. + */ + void (*destroy)(eap_ttls_avp_t *this); +}; + +/** + * Create an eap_ttls_avp instance. + */ +eap_ttls_avp_t *eap_ttls_avp_create(void); + +#endif /** EAP_TTLS_AVP_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c new file mode 100644 index 000000000..10d08ca2a --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -0,0 +1,316 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_peer.h" +#include "eap_ttls_avp.h" + +#include <debug.h> +#include <daemon.h> + +#include <sa/authenticators/eap/eap_method.h> + +typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t; + +/** + * Private data of an eap_ttls_peer_t object. + */ +struct private_eap_ttls_peer_t { + + /** + * Public eap_ttls_peer_t interface. + */ + eap_ttls_peer_t public; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * Current EAP-TTLS state + */ + bool start_phase2; + + /** + * Current phase 2 EAP method + */ + eap_method_t *method; + + /** + * Pending outbound EAP message + */ + eap_payload_t *out; + + /** + * AVP handler + */ + eap_ttls_avp_t *avp; +}; + +/** + * EAP packet format + */ +typedef struct __attribute__((packed)) { + u_int8_t code; + u_int8_t identifier; + u_int16_t length; + u_int8_t type; + u_int8_t data; +} eap_packet_t; + +#define MAX_RADIUS_ATTRIBUTE_SIZE 253 + +METHOD(tls_application_t, process, status_t, + private_eap_ttls_peer_t *this, tls_reader_t *reader) +{ + chunk_t avp_data = chunk_empty; + chunk_t eap_data = chunk_empty; + status_t status; + payload_t *payload; + eap_payload_t *in; + eap_packet_t *pkt; + eap_code_t code; + eap_type_t type, received_type; + u_int32_t vendor, received_vendor; + u_int16_t eap_len; + size_t eap_pos = 0; + bool concatenated = FALSE; + + do + { + status = this->avp->process(this->avp, reader, &avp_data); + switch (status) + { + case SUCCESS: + break; + case NEED_MORE: + DBG1(DBG_IKE, "need more AVP data"); + return NEED_MORE; + case FAILED: + default: + return FAILED; + } + + if (eap_data.len == 0) + { + if (avp_data.len < 4) + { + DBG1(DBG_IKE, "AVP size to small to contain EAP header"); + chunk_free(&avp_data); + return FAILED; + } + pkt = (eap_packet_t*)avp_data.ptr; + eap_len = untoh16(&pkt->length); + + if (eap_len <= avp_data.len) + { + /* standard: EAP packet contained in a single AVP */ + eap_data = avp_data; + break; + } + else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE) + { + /* non-standard: EAP packet segmented into multiple AVPs */ + eap_data = chunk_alloc(eap_len); + concatenated = TRUE; + } + else + { + DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs"); + chunk_free(&avp_data); + return FAILED; + } + } + + if (avp_data.len > eap_data.len - eap_pos) + { + DBG1(DBG_IKE, "AVP size to large to fit into EAP packet"); + chunk_free(&avp_data); + chunk_free(&eap_data); + return FAILED; + } + memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len); + eap_pos += avp_data.len; + chunk_free(&avp_data); + } + while (eap_pos < eap_data.len); + + in = eap_payload_create_data(eap_data); + chunk_free(&eap_data); + payload = (payload_t*)in; + + if (payload->verify(payload) != SUCCESS) + { + in->destroy(in); + return FAILED; + } + code = in->get_code(in); + received_type = in->get_type(in, &received_vendor); + DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]", + concatenated ? "s" : "", + eap_code_short_names, code, + eap_type_short_names, received_type); + if (code != EAP_REQUEST) + { + DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST); + in->destroy(in); + return FAILED; + } + + if (this->method == NULL) + { + if (received_vendor) + { + DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d", + received_type, received_vendor); + } + else + { + DBG1(DBG_IKE, "server requested %N authentication", + eap_type_names, received_type); + } + this->method = charon->eap->create_instance(charon->eap, + received_type, received_vendor, + EAP_PEER, this->server, this->peer); + if (!this->method) + { + DBG1(DBG_IKE, "EAP method not supported"); + this->out = eap_payload_create_nak(in->get_identifier(in)); + in->destroy(in); + return NEED_MORE; + } + } + + type = this->method->get_type(this->method, &vendor); + + if (type != received_type || vendor != received_vendor) + { + DBG1(DBG_IKE, "received invalid EAP request"); + in->destroy(in); + return FAILED; + } + + status = this->method->process(this->method, in, &this->out); + in->destroy(in); + + switch (status) + { + case SUCCESS: + this->method->destroy(this->method); + this->method = NULL; + return NEED_MORE; + case NEED_MORE: + if (type != EAP_TNC) + { + this->method->destroy(this->method); + this->method = NULL; + } + return NEED_MORE; + case FAILED: + default: + if (vendor) + { + DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", + type, vendor); + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + } + return FAILED; + } +} + +METHOD(tls_application_t, build, status_t, + private_eap_ttls_peer_t *this, tls_writer_t *writer) +{ + chunk_t data; + eap_code_t code; + eap_type_t type; + u_int32_t vendor; + + if (this->method == NULL && this->start_phase2) + { + /* generate an EAP Identity response */ + this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY, + 0, EAP_PEER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "EAP_IDENTITY method not available"); + return FAILED; + } + this->method->process(this->method, NULL, &this->out); + this->method->destroy(this->method); + this->method = NULL; + this->start_phase2 = FALSE; + } + + if (this->out) + { + code = this->out->get_code(this->out); + type = this->out->get_type(this->out, &vendor); + DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, eap_type_short_names, type); + + /* get the raw EAP message data */ + data = this->out->get_data(this->out); + this->avp->build(this->avp, writer, data); + + this->out->destroy(this->out); + this->out = NULL; + } + return INVALID_STATE; +} + +METHOD(tls_application_t, destroy, void, + private_eap_ttls_peer_t *this) +{ + this->server->destroy(this->server); + this->peer->destroy(this->peer); + DESTROY_IF(this->method); + DESTROY_IF(this->out); + this->avp->destroy(this->avp); + free(this); +} + +/** + * See header + */ +eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server, + identification_t *peer) +{ + private_eap_ttls_peer_t *this; + + INIT(this, + .public = { + .application = { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + }, + .server = server->clone(server), + .peer = peer->clone(peer), + .start_phase2 = TRUE, + .avp = eap_ttls_avp_create(), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h new file mode 100644 index 000000000..31fc0d9db --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_peer eap_ttls_peer + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_PEER_H_ +#define EAP_TTLS_PEER_H_ + +typedef struct eap_ttls_peer_t eap_ttls_peer_t; + +#include "tls_application.h" + +#include <library.h> + +/** + * TLS application data handler as peer. + */ +struct eap_ttls_peer_t { + + /** + * Implements the TLS application data handler. + */ + tls_application_t application; +}; + +/** + * Create an eap_ttls_peer instance. + */ +eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_PEER_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c new file mode 100644 index 000000000..48e759dcc --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_plugin.h" + +#include "eap_ttls.h" + +#include <daemon.h> + + +METHOD(plugin_t, destroy, void, + eap_ttls_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_ttls_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_ttls_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_ttls_plugin_create() +{ + eap_ttls_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_SERVER, + (eap_constructor_t)eap_ttls_create_server); + charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_PEER, + (eap_constructor_t)eap_ttls_create_peer); + + return &this->plugin; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h new file mode 100644 index 000000000..2abc82931 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls eap_ttls + * @ingroup cplugins + * + * @defgroup eap_ttls_plugin eap_ttls_plugin + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_PLUGIN_H_ +#define EAP_TTLS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_ttls_plugin_t eap_ttls_plugin_t; + +/** + * EAP-TTLS plugin + */ +struct eap_ttls_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a eap_ttls_plugin instance. + */ +plugin_t *eap_ttls_plugin_create(); + +#endif /** EAP_TTLS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c new file mode 100644 index 000000000..835cd7306 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c @@ -0,0 +1,365 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_server.h" +#include "eap_ttls_avp.h" + +#include <debug.h> +#include <daemon.h> + +#include <sa/authenticators/eap/eap_method.h> + +typedef struct private_eap_ttls_server_t private_eap_ttls_server_t; + +/** + * Private data of an eap_ttls_server_t object. + */ +struct private_eap_ttls_server_t { + + /** + * Public eap_ttls_server_t interface. + */ + eap_ttls_server_t public; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * Current EAP-TTLS phase2 state + */ + bool start_phase2; + + /** + * Current EAP-TTLS phase2 TNC state + */ + bool start_phase2_tnc; + + /** + * Current phase 2 EAP method + */ + eap_method_t *method; + + /** + * Pending outbound EAP message + */ + eap_payload_t *out; + + /** + * AVP handler + */ + eap_ttls_avp_t *avp; +}; + +/** + * Start EAP client authentication protocol + */ +static status_t start_phase2_auth(private_eap_ttls_server_t *this) +{ + char *eap_type_str; + eap_type_t type; + + eap_type_str = lib->settings->get_str(lib->settings, + "charon.plugins.eap-ttls.phase2_method", "md5"); + type = eap_type_from_string(eap_type_str); + if (type == 0) + { + DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str); + return FAILED; + } + DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type); + this->method = charon->eap->create_instance(charon->eap, type, 0, + EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", eap_type_names, type); + return FAILED; + } + if (this->method->initiate(this->method, &this->out) == NEED_MORE) + { + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + return FAILED; + } +} + +/** + * If configured, start EAP-TNC protocol + */ +static status_t start_phase2_tnc(private_eap_ttls_server_t *this) +{ + if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.phase2_tnc", FALSE)) + { + DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC); + this->method = charon->eap->create_instance(charon->eap, EAP_TNC, + 0, EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC); + return FAILED; + } + this->start_phase2_tnc = FALSE; + if (this->method->initiate(this->method, &this->out) == NEED_MORE) + { + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC); + return FAILED; + } + } + return SUCCESS; +} + +METHOD(tls_application_t, process, status_t, + private_eap_ttls_server_t *this, tls_reader_t *reader) +{ + chunk_t data = chunk_empty; + status_t status; + payload_t *payload; + eap_payload_t *in; + eap_code_t code; + eap_type_t type = EAP_NAK, received_type; + u_int32_t vendor, received_vendor; + + status = this->avp->process(this->avp, reader, &data); + switch (status) + { + case SUCCESS: + break; + case NEED_MORE: + return NEED_MORE; + case FAILED: + default: + return FAILED; + } + in = eap_payload_create_data(data); + chunk_free(&data); + payload = (payload_t*)in; + + if (payload->verify(payload) != SUCCESS) + { + in->destroy(in); + return FAILED; + } + code = in->get_code(in); + received_type = in->get_type(in, &received_vendor); + DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, + eap_type_short_names, received_type); + if (code != EAP_RESPONSE) + { + DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE); + in->destroy(in); + return FAILED; + } + + if (this->method) + { + type = this->method->get_type(this->method, &vendor); + + if (type != received_type || vendor != received_vendor) + { + if (received_vendor == 0 && received_type == EAP_NAK) + { + DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type); + } + else + { + DBG1(DBG_IKE, "received invalid EAP response"); + } + in->destroy(in); + return FAILED; + } + } + + if (!received_vendor && received_type == EAP_IDENTITY) + { + chunk_t eap_id; + + if (this->method == NULL) + { + /* Received an EAP Identity response without a matching request */ + this->method = charon->eap->create_instance(charon->eap, + EAP_IDENTITY, 0, EAP_SERVER, + this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", + eap_type_names, EAP_IDENTITY); + return FAILED; + } + } + + if (this->method->process(this->method, in, &this->out) != SUCCESS) + { + + DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY); + return FAILED; + } + + if (this->method->get_msk(this->method, &eap_id) == SUCCESS) + { + this->peer->destroy(this->peer); + this->peer = identification_create_from_data(eap_id); + DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer); + } + + in->destroy(in); + this->method->destroy(this->method); + this->method = NULL; + + /* Start Phase 2 of EAP-TTLS authentication */ + if (lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.request_peer_auth", FALSE)) + { + return start_phase2_tnc(this); + } + else + { + return start_phase2_auth(this); + } + } + + if (this->method == 0) + { + DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS); + in->destroy(in); + return FAILED; + } + + status = this->method->process(this->method, in, &this->out); + in->destroy(in); + + switch (status) + { + case SUCCESS: + DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful", + eap_type_names, EAP_TTLS, this->peer, + eap_type_names, type); + this->method->destroy(this->method); + this->method = NULL; + + /* continue phase2 with EAP-TNC? */ + return start_phase2_tnc(this); + case NEED_MORE: + break; + case FAILED: + default: + if (vendor) + { + DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", + type, vendor); + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + } + return FAILED; + } + return status; +} + +METHOD(tls_application_t, build, status_t, + private_eap_ttls_server_t *this, tls_writer_t *writer) +{ + chunk_t data; + eap_code_t code; + eap_type_t type; + u_int32_t vendor; + + if (this->method == NULL && this->start_phase2 && + lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.phase2_piggyback", FALSE)) + { + /* generate an EAP Identity request which will be piggybacked right + * onto the TLS Finished message thus initiating EAP-TTLS phase2 + */ + this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY, + 0, EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", + eap_type_names, EAP_IDENTITY); + return FAILED; + } + this->method->initiate(this->method, &this->out); + this->start_phase2 = FALSE; + } + + if (this->out) + { + code = this->out->get_code(this->out); + type = this->out->get_type(this->out, &vendor); + DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, eap_type_short_names, type); + + /* get the raw EAP message data */ + data = this->out->get_data(this->out); + this->avp->build(this->avp, writer, data); + + this->out->destroy(this->out); + this->out = NULL; + } + return INVALID_STATE; +} + +METHOD(tls_application_t, destroy, void, + private_eap_ttls_server_t *this) +{ + this->server->destroy(this->server); + this->peer->destroy(this->peer); + DESTROY_IF(this->method); + DESTROY_IF(this->out); + this->avp->destroy(this->avp); + free(this); +} + +/** + * See header + */ +eap_ttls_server_t *eap_ttls_server_create(identification_t *server, + identification_t *peer) +{ + private_eap_ttls_server_t *this; + + INIT(this, + .public = { + .application = { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + }, + .server = server->clone(server), + .peer = peer->clone(peer), + .start_phase2 = TRUE, + .start_phase2_tnc = TRUE, + .avp = eap_ttls_avp_create(), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.h b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h new file mode 100644 index 000000000..a66a813ec --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_server eap_ttls_server + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_SERVER_H_ +#define EAP_TTLS_SERVER_H_ + +typedef struct eap_ttls_server_t eap_ttls_server_t; + +#include "tls_application.h" + +#include <library.h> + +/** + * TLS application data handler as server. + */ +struct eap_ttls_server_t { + + /** + * Implements the TLS application data handler. + */ + tls_application_t application; +}; + +/** + * Create an eap_ttls_server instance. + */ +eap_ttls_server_t *eap_ttls_server_create(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_SERVER_H_ @}*/ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 47952b99e..bfd50d6da 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c index 01c2a39c8..d83bc1fd2 100644 --- a/src/libcharon/plugins/farp/farp_plugin.c +++ b/src/libcharon/plugins/farp/farp_plugin.c @@ -60,7 +60,11 @@ plugin_t *farp_plugin_create() private_farp_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .listener = farp_listener_create(), ); diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 20bb44fd3..a904a6538 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c @@ -191,7 +191,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener) this->job = callback_job_create((callback_job_cb_t)receive_arp, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 5ca9b464b..3600eb7c6 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c index 1ebc33ca4..9ff3fd5ff 100644 --- a/src/libcharon/plugins/ha/ha_cache.c +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -354,7 +354,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, if (sync) { /* request a resync as soon as we are up */ - charon->scheduler->schedule_job(charon->scheduler, (job_t*) + lib->scheduler->schedule_job(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t)request_resync, this, NULL, NULL), 1); } diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index e188a8484..980c0551a 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -114,6 +114,7 @@ METHOD(ha_ctl_t, destroy, void, ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) { private_ha_ctl_t *this; + mode_t old; INIT(this, .public = { @@ -125,16 +126,23 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) if (access(HA_FIFO, R_OK|W_OK) != 0) { - if (mkfifo(HA_FIFO, 600) != 0) + old = umask(~(S_IRWXU | S_IRWXG)); + if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0) { DBG1(DBG_CFG, "creating HA FIFO %s failed: %s", HA_FIFO, strerror(errno)); } + umask(old); + } + if (chown(HA_FIFO, charon->uid, charon->gid) != 0) + { + DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s", + strerror(errno)); } this->job = callback_job_create((callback_job_cb_t)dispatch_fifo, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 3bc426ea0..b46a221bd 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -136,7 +136,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message diffie_hellman_t dh = { .get_shared_secret = get_shared_secret, .destroy = (void*)&secret }; - proposal = proposal_create(PROTO_IKE); + proposal = proposal_create(PROTO_IKE, 0); keymat = ike_sa->get_keymat(ike_sa); if (integ) { @@ -549,7 +549,7 @@ static void process_child_add(private_ha_dispatcher_t *this, child_sa->set_protocol(child_sa, PROTO_ESP); child_sa->set_ipcomp(child_sa, ipcomp); - proposal = proposal_create(PROTO_ESP); + proposal = proposal_create(PROTO_ESP, 0); if (integ) { proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0); @@ -869,7 +869,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, ); this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index 10a63453a..56bdbf454 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -216,6 +216,11 @@ static void disable_all(private_ha_kernel_t *this) enumerator = enumerator_create_directory(CLUSTERIP_DIR); while (enumerator->enumerate(enumerator, NULL, &file, NULL)) { + if (chown(file, charon->uid, charon->gid) != 0) + { + DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s", + strerror(errno)); + } active = get_active(this, file); for (i = 1; i <= this->count; i++) { diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index e722b4f3a..581294e60 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -142,7 +142,11 @@ plugin_t *ha_plugin_create() } INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); if (secret) diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index be2d7e428..19e0f692e 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -283,7 +283,7 @@ static void start_watchdog(private_ha_segments_t *this) { this->job = callback_job_create((callback_job_cb_t)watchdog, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); } METHOD(ha_segments_t, handle_status, void, @@ -345,7 +345,7 @@ static job_requeue_t send_status(private_ha_segments_t *this) message->destroy(message); /* schedule next invocation */ - charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*) + lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t) send_status, this, NULL, NULL), this->heartbeat_delay); @@ -382,7 +382,9 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, INIT(this, .public = { - .listener.alert = _alert_hook, + .listener = { + .alert = _alert_hook, + }, .activate = _activate, .deactivate = _deactivate, .handle_status = _handle_status, diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index 21e6eb6d5..614c70ed3 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -107,7 +107,7 @@ METHOD(ha_socket_t, push, void, job = callback_job_create((callback_job_cb_t)send_message, data, (void*)job_data_destroy, NULL); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return; } DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am new file mode 100644 index 000000000..6428361fc --- /dev/null +++ b/src/libcharon/plugins/led/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-led.la +else +plugin_LTLIBRARIES = libstrongswan-led.la +endif + +libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \ + led_listener.h led_listener.c + +libstrongswan_led_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in new file mode 100644 index 000000000..a4e529d89 --- /dev/null +++ b/src/libcharon/plugins/led/Makefile.in @@ -0,0 +1,601 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/led +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_led_la_LIBADD = +am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo +libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS) +libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_led_la_SOURCES) +DIST_SOURCES = $(libstrongswan_led_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la +libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \ + led_listener.h led_listener.c + +libstrongswan_led_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) + $(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c new file mode 100644 index 000000000..18def8005 --- /dev/null +++ b/src/libcharon/plugins/led/led_listener.c @@ -0,0 +1,241 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "led_listener.h" + +#include <errno.h> + +#include <daemon.h> +#include <threading/mutex.h> +#include <processing/jobs/callback_job.h> + +typedef struct private_led_listener_t private_led_listener_t; + +/** + * Private data of an led_listener_t object. + */ +struct private_led_listener_t { + + /** + * Public led_listener_t interface. + */ + led_listener_t public; + + /** + * Mutex + */ + mutex_t *mutex; + + /** + * Number of established IKE_SAs + */ + int count; + + /** + * LED blink on/off time, in ms + */ + int blink_time; + + /** + * Activity LED fd, if any + */ + FILE *activity; + + /** + * Activity LED maximum brightness + */ + int activity_max; +}; + +/** + * Open a LED brightness control file, get max brightness + */ +static FILE *open_led(char *name, int *max_brightness) +{ + char path[PATH_MAX]; + FILE *f; + + if (!name) + { + return NULL; + } + + *max_brightness = 1; + snprintf(path, sizeof(path), "/sys/class/leds/%s/max_brightness", name); + f = fopen(path, "r"); + if (f) + { + if (fscanf(f, "%d\n", max_brightness) != 1) + { + DBG1(DBG_CFG, "reading max brightness for '%s' failed: %s, using 1", + name, strerror(errno)); + } + fclose(f); + } + else + { + DBG1(DBG_CFG, "reading max_brightness for '%s' failed: %s, using 1", + name, strerror(errno)); + } + + snprintf(path, sizeof(path), "/sys/class/leds/%s/brightness", name); + f = fopen(path, "w"); + if (!f) + { + DBG1(DBG_CFG, "opening LED file '%s' failed: %s", path, strerror(errno)); + } + return f; +} + +/** + * Set a LED to a given brightness + */ +static void set_led(FILE *led, int brightness) +{ + if (led) + { + if (fprintf(led, "%d\n", brightness) <= 0 || + fflush(led) != 0) + { + DBG1(DBG_CFG, "setting LED brightness failed: %s", strerror(errno)); + } + } +} + +/** + * Plugin unloaded? + */ +static bool plugin_gone = FALSE; + +/** + * Reset activity LED after timeout + */ +static job_requeue_t reset_activity_led(private_led_listener_t *this) +{ + if (!plugin_gone) + { /* TODO: fix race */ + this->mutex->lock(this->mutex); + if (this->count) + { + set_led(this->activity, this->activity_max); + } + else + { + set_led(this->activity, 0); + } + this->mutex->unlock(this->mutex); + } + return JOB_REQUEUE_NONE; +} + +/** + * Blink the activity LED + */ +static void blink_activity(private_led_listener_t *this) +{ + if (this->activity) + { + this->mutex->lock(this->mutex); + if (this->count) + { + set_led(this->activity, 0); + } + else + { + set_led(this->activity, this->activity_max); + } + lib->scheduler->schedule_job_ms(lib->scheduler, + (job_t*)callback_job_create((callback_job_cb_t)reset_activity_led, + this, NULL, NULL), this->blink_time); + this->mutex->unlock(this->mutex); + } +} + +METHOD(listener_t, ike_state_change, bool, + private_led_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) +{ + this->mutex->lock(this->mutex); + if (state == IKE_ESTABLISHED && ike_sa->get_state(ike_sa) != IKE_ESTABLISHED) + { + this->count++; + if (this->count == 1) + { + set_led(this->activity, this->activity_max); + } + } + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && state != IKE_ESTABLISHED) + { + this->count--; + if (this->count == 0) + { + set_led(this->activity, 0); + } + } + this->mutex->unlock(this->mutex); + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_led_listener_t *this, ike_sa_t *ike_sa, + message_t *message, bool incoming) +{ + if (incoming || message->get_request(message)) + { + blink_activity(this); + } + return TRUE; +} + +METHOD(led_listener_t, destroy, void, + private_led_listener_t *this) +{ + this->mutex->lock(this->mutex); + set_led(this->activity, 0); + plugin_gone = TRUE; + this->mutex->unlock(this->mutex); + if (this->activity) + { + fclose(this->activity); + } + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +led_listener_t *led_listener_create() +{ + private_led_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_state_change = _ike_state_change, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .blink_time = lib->settings->get_int(lib->settings, + "charon.plugins.led.blink_time", 50), + ); + + this->activity = open_led(lib->settings->get_str(lib->settings, + "charon.plugins.led.activity_led", NULL), &this->activity_max); + set_led(this->activity, 0); + + return &this->public; +} diff --git a/src/libcharon/plugins/led/led_listener.h b/src/libcharon/plugins/led/led_listener.h new file mode 100644 index 000000000..05ae28275 --- /dev/null +++ b/src/libcharon/plugins/led/led_listener.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup led_listener led_listener + * @{ @ingroup led + */ + +#ifndef LED_LISTENER_H_ +#define LED_LISTENER_H_ + +#include <bus/listeners/listener.h> + +typedef struct led_listener_t led_listener_t; + +/** + * Listener that controls LEDs based on IKEv2 activity/state. + */ +struct led_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy a led_listener_t. + */ + void (*destroy)(led_listener_t *this); +}; + +/** + * Create a led_listener instance. + */ +led_listener_t *led_listener_create(); + +#endif /** LED_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c new file mode 100644 index 000000000..322d198ff --- /dev/null +++ b/src/libcharon/plugins/led/led_plugin.c @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "led_plugin.h" + +#include "led_listener.h" + +#include <daemon.h> + +typedef struct private_led_plugin_t private_led_plugin_t; + +/** + * private data of led plugin + */ +struct private_led_plugin_t { + + /** + * implements plugin interface + */ + led_plugin_t public; + + /** + * Listener controlling LEDs + */ + led_listener_t *listener; +}; + +METHOD(plugin_t, destroy, void, + private_led_plugin_t *this) +{ + charon->bus->remove_listener(charon->bus, &this->listener->listener); + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor + */ +plugin_t *led_plugin_create() +{ + private_led_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .listener = led_listener_create(), + ); + + charon->bus->add_listener(charon->bus, &this->listener->listener); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/led/led_plugin.h b/src/libcharon/plugins/led/led_plugin.h new file mode 100644 index 000000000..a7449addd --- /dev/null +++ b/src/libcharon/plugins/led/led_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup led led + * @ingroup cplugins + * + * @defgroup led_plugin led_plugin + * @{ @ingroup led + */ + +#ifndef LED_PLUGIN_H_ +#define LED_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct led_plugin_t led_plugin_t; + +/** + * Linux LED control based on IKE activity/state. + */ +struct led_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** LED_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index d049bb41b..85db9a10b 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -201,14 +204,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -248,7 +261,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 43c0ef009..aece95e12 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t { METHOD(kernel_ipsec_t, get_spi, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { *spi = ++this->spi; return SUCCESS; @@ -51,7 +51,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, @@ -61,7 +61,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -70,14 +70,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, del_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { return SUCCESS; } @@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { return SUCCESS; } diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c index 96b0cf1ec..cf6dd0562 100644 --- a/src/libcharon/plugins/load_tester/load_tester_listener.c +++ b/src/libcharon/plugins/load_tester/load_tester_listener.c @@ -59,7 +59,7 @@ static bool ike_state_change(private_load_tester_listener_t *this, if (this->delete_after_established) { - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)delete_ike_sa_job_create(id, TRUE)); } diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index 15dbccb00..cb9b80c7f 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -22,6 +22,7 @@ #include <unistd.h> +#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> #include <threading/condvar.h> @@ -155,7 +156,7 @@ static void destroy(private_load_tester_plugin_t *this) this->condvar->wait(this->condvar, this->mutex); } this->mutex->unlock(this->mutex); - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, + hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create); charon->backends->remove_backend(charon->backends, &this->config->backend); lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set); @@ -215,13 +216,13 @@ plugin_t *load_tester_plugin_create() if (lib->settings->get_bool(lib->settings, "charon.plugins.load-tester.fake_kernel", FALSE)) { - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, + hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create); } this->running = 0; for (i = 0; i < this->initiators; i++) { - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create((callback_job_cb_t)do_load_test, this, NULL, NULL)); } diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am new file mode 100644 index 000000000..ed6c76c0f --- /dev/null +++ b/src/libcharon/plugins/maemo/Makefile.am @@ -0,0 +1,23 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon ${maemo_CFLAGS} + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-maemo.la +else +plugin_LTLIBRARIES = libstrongswan-maemo.la +endif + +libstrongswan_maemo_la_SOURCES = \ + maemo_plugin.h maemo_plugin.c \ + maemo_service.h maemo_service.c + +libstrongswan_maemo_la_LDFLAGS = -module -avoid-version +libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} + +dbusservice_DATA = org.strongswan.charon.service + +EXTRA_DIST = $(dbusservice_DATA) + diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in new file mode 100644 index 000000000..978950d22 --- /dev/null +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -0,0 +1,631 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/maemo +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" \ + "$(DESTDIR)$(dbusservicedir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo +libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS) +libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_maemo_la_SOURCES) +DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES) +DATA = $(dbusservice_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon ${maemo_CFLAGS} + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la +libstrongswan_maemo_la_SOURCES = \ + maemo_plugin.h maemo_plugin.c \ + maemo_service.h maemo_service.c + +libstrongswan_maemo_la_LDFLAGS = -module -avoid-version +libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} +dbusservice_DATA = org.strongswan.charon.service +EXTRA_DIST = $(dbusservice_DATA) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) + $(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dbusserviceDATA: $(dbusservice_DATA) + @$(NORMAL_INSTALL) + test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" + @list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \ + done + +uninstall-dbusserviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(dbusservicedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dbusserviceDATA install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dbusserviceDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pluginLTLIBRARIES \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-dbusserviceDATA \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c new file mode 100644 index 000000000..d4549f43a --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_plugin.c @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "maemo_plugin.h" +#include "maemo_service.h" + +#include <daemon.h> + +typedef struct private_maemo_plugin_t private_maemo_plugin_t; + +/** + * private data of maemo plugin + */ +struct private_maemo_plugin_t { + + /** + * implements plugin interface + */ + maemo_plugin_t public; + + /** + * service + */ + maemo_service_t *service; + +}; + +METHOD(plugin_t, destroy, void, + private_maemo_plugin_t *this) +{ + this->service->destroy(this->service); + free(this); +} + +/* + * See header + */ +plugin_t *maemo_plugin_create() +{ + private_maemo_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); + + this->service = maemo_service_create(); + if (!this->service) + { + return NULL; + } + + return &this->public.plugin; +} + diff --git a/src/libcharon/plugins/maemo/maemo_plugin.h b/src/libcharon/plugins/maemo/maemo_plugin.h new file mode 100644 index 000000000..23d139b49 --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup maemo maemo + * @ingroup cplugins + * + * @defgroup maemo_plugin maemo_plugin + * @{ @ingroup maemo + */ + +#ifndef MAEMO_PLUGIN_H_ +#define MAEMO_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct maemo_plugin_t maemo_plugin_t; + +/** + * Maemo integration plugin. + */ +struct maemo_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** MAEMO_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c new file mode 100644 index 000000000..efd914a00 --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -0,0 +1,510 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <glib.h> +#include <libosso.h> +#include <sys/stat.h> + +#include "maemo_service.h" + +#include <daemon.h> +#include <credentials/sets/mem_cred.h> +#include <processing/jobs/callback_job.h> + +#define OSSO_STATUS_NAME "status" +#define OSSO_STATUS_SERVICE "org.strongswan."OSSO_STATUS_NAME +#define OSSO_STATUS_OBJECT "/org/strongswan/"OSSO_STATUS_NAME +#define OSSO_STATUS_IFACE "org.strongswan."OSSO_STATUS_NAME + +#define OSSO_CHARON_NAME "charon" +#define OSSO_CHARON_SERVICE "org.strongswan."OSSO_CHARON_NAME +#define OSSO_CHARON_OBJECT "/org/strongswan/"OSSO_CHARON_NAME +#define OSSO_CHARON_IFACE "org.strongswan."OSSO_CHARON_NAME + +#define MAEMO_COMMON_CA_DIR "/etc/certs/common-ca" +#define MAEMO_USER_CA_DIR "/home/user/.maemosec-certs/wifi-ca" +/* there is also an smime-ca and an ssl-ca sub-directory and the same for + * ...-user, which store end user/server certificates */ + +typedef enum { + VPN_STATUS_DISCONNECTED, + VPN_STATUS_CONNECTING, + VPN_STATUS_CONNECTED, + VPN_STATUS_AUTH_FAILED, + VPN_STATUS_CONNECTION_FAILED, +} vpn_status_t; + +typedef struct private_maemo_service_t private_maemo_service_t; + +/** + * private data of maemo service + */ +struct private_maemo_service_t { + + /** + * public interface + */ + maemo_service_t public; + + /** + * credentials + */ + mem_cred_t *creds; + + /** + * Glib main loop for a thread, handles DBUS calls + */ + GMainLoop *loop; + + /** + * Context for OSSO + */ + osso_context_t *context; + + /** + * Current IKE_SA + */ + ike_sa_t *ike_sa; + + /** + * Status of the current connection + */ + vpn_status_t status; + + /** + * Name of the current connection + */ + gchar *current; + +}; + +static gint change_status(private_maemo_service_t *this, int status) +{ + osso_rpc_t retval; + gint res; + this->status = status; + res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT, + OSSO_STATUS_IFACE, "StatusChanged", &retval, + DBUS_TYPE_INT32, status, + DBUS_TYPE_INVALID); + return res; +} + +METHOD(listener_t, ike_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, bool up) +{ + /* this callback is only registered during initiation, so if the IKE_SA + * goes down we assume an authentication error */ + if (this->ike_sa == ike_sa && !up) + { + change_status(this, VPN_STATUS_AUTH_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_state_change, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + /* this call back is only registered during initiation */ + if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (this->ike_sa == ike_sa) + { + if (up) + { + /* disable hooks registered to catch initiation failures */ + this->public.listener.ike_updown = NULL; + this->public.listener.child_state_change = NULL; + change_status(this, VPN_STATUS_CONNECTED); + } + else + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new) +{ + if (this->ike_sa == old) + { + this->ike_sa = new; + } + return TRUE; +} + +/** + * load all CA certificates in the given directory + */ +static void load_ca_dir(private_maemo_service_t *this, char *dir) +{ + enumerator_t *enumerator; + char *rel, *abs; + struct stat st; + + enumerator = enumerator_create_directory(dir); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &rel, &abs, &st)) + { + if (rel[0] != '.') + { + if (S_ISREG(st.st_mode)) + { + certificate_t *cert; + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, abs, + BUILD_END); + if (!cert) + { + DBG1(DBG_CFG, "loading CA certificate '%s' failed", + abs); + continue; + } + DBG2(DBG_CFG, "loaded CA certificate '%Y'", + cert->get_subject(cert)); + this->creds->add_cert(this->creds, TRUE, cert); + } + } + } + enumerator->destroy(enumerator); + } +} + +static void disconnect(private_maemo_service_t *this) +{ + ike_sa_t *ike_sa; + u_int id; + + if (!this->current) + { + return; + } + + /* avoid status updates, as this is called from the Glib main loop */ + charon->bus->remove_listener(charon->bus, &this->public.listener); + + ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, + this->current, FALSE); + if (ike_sa) + { + id = ike_sa->get_unique_id(ike_sa); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + charon->controller->terminate_ike(charon->controller, id, + NULL, NULL); + } + this->current = (g_free(this->current), NULL); + this->status = VPN_STATUS_DISCONNECTED; +} + +static gboolean initiate_connection(private_maemo_service_t *this, + GArray *arguments) +{ + gint i; + gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; + identification_t *gateway = NULL, *user = NULL; + ike_sa_t *ike_sa; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + traffic_selector_t *ts; + auth_cfg_t *auth; + certificate_t *cert; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + } + }; + + if (this->status == VPN_STATUS_CONNECTED || + this->status == VPN_STATUS_CONNECTING) + { + DBG1(DBG_CFG, "currently connected to '%s', disconnecting first", + this->current); + disconnect (this); + } + + if (arguments->len != 5) + { + DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len); + return FALSE; + } + + for (i = 0; i < arguments->len; i++) + { + osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i); + if (arg->type != DBUS_TYPE_STRING) + { + DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type); + return FALSE; + } + switch (i) + { + case 0: /* name */ + this->current = (g_free(this->current), NULL); + this->current = g_strdup(arg->value.s); + break; + case 1: /* hostname */ + hostname = arg->value.s; + break; + case 2: /* CA certificate path */ + cacert = arg->value.s; + break; + case 3: /* username */ + username = arg->value.s; + break; + case 4: /* password */ + password = arg->value.s; + break; + } + } + + DBG1(DBG_CFG, "received initiate for connection '%s'", this->current); + + this->creds->clear(this->creds); + + if (cacert && !streq(cacert, "")) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (cert) + { + this->creds->add_cert(this->creds, TRUE, cert); + } + else + { + DBG1(DBG_CFG, "failed to load CA certificate"); + } + /* if this is a server cert we could use the cert subject as id */ + } + else + { + load_ca_dir(this, MAEMO_COMMON_CA_DIR); + load_ca_dir(this, MAEMO_USER_CA_DIR); + } + + gateway = identification_create_from_string(hostname); + DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); + + { + shared_key_t *shared_key; + chunk_t secret = chunk_create(password, strlen(password)); + user = identification_create_from_string(username); + shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret)); + this->creds->add_shared(this->creds, shared_key, user->clone(user), + NULL); + } + + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, + hostname, IKEV2_UDP_PORT); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + + peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED, + UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, 0, /* mobike, DPD */ + host_create_from_string("0.0.0.0", 0) /* virt */, + NULL, FALSE, NULL, NULL); /* pool, mediation */ + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + auth->add(auth, AUTH_RULE_IDENTITY, user); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + auth->add(auth, AUTH_RULE_IDENTITY, gateway); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, + TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL); + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", + 0, "255.255.255.255", 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + /* get an additional reference because initiate consumes one */ + child_cfg->get_ref(child_cfg); + + /* get us an IKE_SA */ + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); + if (!ike_sa->get_peer_cfg(ike_sa)) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + /* store the IKE_SA, so we can track its progress */ + this->ike_sa = ike_sa; + this->status = VPN_STATUS_CONNECTING; + this->public.listener.ike_updown = _ike_updown; + this->public.listener.child_state_change = _child_state_change; + charon->bus->add_listener(charon->bus, &this->public.listener); + + if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) + { + DBG1(DBG_CFG, "failed to initiate tunnel"); + charon->bus->remove_listener(charon->bus, &this->public.listener); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + this->status = VPN_STATUS_CONNECTION_FAILED; + return FALSE; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return TRUE; +} + +/** + * Callback for libosso dbus wrapper + */ +static gint dbus_req_handler(const gchar *interface, const gchar *method, + GArray *arguments, private_maemo_service_t *this, + osso_rpc_t *retval) +{ + if (streq(method, "Start")) + { /* void start (void), dummy function to start charon as root */ + return OSSO_OK; + } + else if (streq(method, "Connect")) + { /* bool connect (name, host, cert, user, pass) */ + retval->value.b = initiate_connection(this, arguments); + retval->type = DBUS_TYPE_BOOLEAN; + } + else if (streq(method, "Disconnect")) + { /* void disconnect (void) */ + disconnect(this); + } + else + { + return OSSO_ERROR; + } + return OSSO_OK; +} + +/** + * Main loop to handle D-BUS messages. + */ +static job_requeue_t run(private_maemo_service_t *this) +{ + this->loop = g_main_loop_new(NULL, FALSE); + g_main_loop_run(this->loop); + return JOB_REQUEUE_NONE; +} + +METHOD(maemo_service_t, destroy, void, + private_maemo_service_t *this) +{ + if (this->loop) + { + if (g_main_loop_is_running(this->loop)) + { + g_main_loop_quit(this->loop); + } + g_main_loop_unref(this->loop); + } + if (this->context) + { + osso_rpc_unset_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + osso_deinitialize(this->context); + } + charon->bus->remove_listener(charon->bus, &this->public.listener); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); + this->current = (g_free(this->current), NULL); + free(this); +} + +/* + * See header + */ +maemo_service_t *maemo_service_create() +{ + osso_return_t result; + private_maemo_service_t *this; + + INIT(this, + .public = { + .listener = { + .ike_updown = _ike_updown, + .child_state_change = _child_state_change, + .child_updown = _child_updown, + .ike_rekey = _ike_rekey, + }, + .destroy = _destroy, + }, + .creds = mem_cred_create(), + ); + + lib->credmgr->add_set(lib->credmgr, &this->creds->set); + + this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL); + if (!this->context) + { + DBG1(DBG_CFG, "failed to initialize OSSO context"); + destroy(this); + return NULL; + } + + result = osso_rpc_set_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + if (result != OSSO_OK) + { + DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result); + destroy(this); + return NULL; + } + + this->loop = NULL; + if (!g_thread_supported()) + { + g_thread_init(NULL); + } + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL)); + + return &this->public; +} + diff --git a/src/libcharon/plugins/maemo/maemo_service.h b/src/libcharon/plugins/maemo/maemo_service.h new file mode 100644 index 000000000..b0240cbaa --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_service.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup maemo_service maemo_service + * @{ @ingroup maemo + */ + +#ifndef MAEMO_SERVICE_H_ +#define MAEMO_SERVICE_H_ + +#include <bus/listeners/listener.h> + +typedef struct maemo_service_t maemo_service_t; + +/** + * Maemo connection management. + */ +struct maemo_service_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a maemo_service_t. + */ + void (*destroy)(maemo_service_t *this); +}; + +/** + * Create an instance of maemo_service_t. + */ +maemo_service_t *maemo_service_create(); + +#endif /** MAEMO_SERVICE_H_ @}*/ diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service new file mode 100644 index 000000000..7dd31ed60 --- /dev/null +++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service @@ -0,0 +1,4 @@ +[D-BUS Service] +Name=org.strongswan.charon +Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon +User=root diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index c26d325a9..6dcbc99dd 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 6cbaf36f2..870d87c7e 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -126,11 +126,11 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam med_cfg = peer_cfg_create( "mediation", 2, ike_cfg, CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ + TRUE, NULL, NULL); /* mediation, med by, peer id */ e->destroy(e); auth = auth_cfg_create(); @@ -163,10 +163,10 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam peer_cfg = peer_cfg_create( name, 2, this->ike->get_ref(this->ike), CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ FALSE, med_cfg, /* mediation, med by */ identification_create_from_encoding(ID_KEY_ID, other)); @@ -243,11 +243,11 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->current = peer_cfg_create( name, 2, this->ike->get_ref(this->ike), CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ + FALSE, NULL, NULL); /* mediation, med by, peer id */ auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); @@ -364,7 +364,7 @@ static void schedule_autoinit(private_medcli_config_t *this) if (peer_cfg) { /* schedule asynchronous initiation job */ - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create( (callback_job_cb_t)initiate_config, peer_cfg, (void*)peer_cfg->destroy, NULL)); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 4dc9c00d0..f6db7d834 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index 1b3e4c5a6..2f5c20971 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c index 193838e6b..638787019 100644 --- a/src/libcharon/plugins/nm/nm_creds.c +++ b/src/libcharon/plugins/nm/nm_creds.c @@ -51,6 +51,16 @@ struct private_nm_creds_t { char *pass; /** + * Private key decryption password / smartcard pin + */ + char *keypass; + + /** + * private key ID of smartcard key + */ + chunk_t keyid; + + /** * users certificate */ certificate_t *usercert; @@ -239,8 +249,14 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key, return FALSE; } *key = this->key; - *me = ID_MATCH_PERFECT; - *other = ID_MATCH_ANY; + if (me) + { + *me = ID_MATCH_PERFECT; + } + if (other) + { + *other = ID_MATCH_ANY; + } this->done = TRUE; return TRUE; } @@ -262,18 +278,39 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, identification_t *other) { shared_enumerator_t *enumerator; + chunk_t key; - if (!this->pass || !this->user) + switch (type) { - return NULL; - } - if (type != SHARED_EAP && type != SHARED_IKE) - { - return NULL; - } - if (me && !me->equals(me, this->user)) - { - return NULL; + case SHARED_EAP: + case SHARED_IKE: + if (!this->pass || !this->user) + { + return NULL; + } + if (me && !me->equals(me, this->user)) + { + return NULL; + } + key = chunk_create(this->pass, strlen(this->pass)); + break; + case SHARED_PRIVATE_KEY_PASS: + if (!this->keypass) + { + return NULL; + } + key = chunk_create(this->keypass, strlen(this->keypass)); + break; + case SHARED_PIN: + if (!this->keypass || !me || + !chunk_equals(me->get_encoding(me), this->keyid)) + { + return NULL; + } + key = chunk_create(this->keypass, strlen(this->keypass)); + break; + default: + return NULL; } enumerator = malloc_thing(shared_enumerator_t); @@ -282,9 +319,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, enumerator->this = this; enumerator->done = FALSE; this->lock->read_lock(this->lock); - enumerator->key = shared_key_create(type, - chunk_clone(chunk_create(this->pass, - strlen(this->pass)))); + enumerator->key = shared_key_create(type, chunk_clone(key)); return &enumerator->public; } @@ -370,6 +405,30 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id } /** + * Implementation of nm_creds_t.set_key_password + */ +static void set_key_password(private_nm_creds_t *this, char *password) +{ + this->lock->write_lock(this->lock); + free(this->keypass); + this->keypass = password ? strdup(password) : NULL; + this->lock->unlock(this->lock); +} + +/** + * Implementation of nm_creds_t.set_pin + */ +static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin) +{ + this->lock->write_lock(this->lock); + free(this->keypass); + free(this->keyid.ptr); + this->keypass = pin ? strdup(pin) : NULL; + this->keyid = chunk_clone(keyid); + this->lock->unlock(this->lock); +} + +/** * Implementation of nm_creds_t.set_cert_and_key */ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert, @@ -396,12 +455,16 @@ static void clear(private_nm_creds_t *this) } DESTROY_IF(this->user); free(this->pass); + free(this->keypass); + free(this->keyid.ptr); DESTROY_IF(this->usercert); DESTROY_IF(this->key); this->key = NULL; this->usercert = NULL; this->pass = NULL; this->user = NULL; + this->keypass = NULL; + this->keyid = chunk_empty; } /** @@ -430,6 +493,8 @@ nm_creds_t *nm_creds_create() this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate; this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir; this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password; + this->public.set_key_password = (void(*)(nm_creds_t*, char *password))set_key_password; + this->public.set_pin = (void(*)(nm_creds_t*, chunk_t keyid, char *pin))set_pin; this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key; this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; @@ -441,6 +506,8 @@ nm_creds_t *nm_creds_create() this->pass = NULL; this->usercert = NULL; this->key = NULL; + this->keypass = NULL; + this->keyid = chunk_empty; return &this->public; } diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/libcharon/plugins/nm/nm_creds.h index b55cff31e..91f645c7e 100644 --- a/src/libcharon/plugins/nm/nm_creds.h +++ b/src/libcharon/plugins/nm/nm_creds.h @@ -58,6 +58,22 @@ struct nm_creds_t { */ void (*set_username_password)(nm_creds_t *this, identification_t *id, char *password); + + /** + * Set the passphrase to use for private key decryption. + * + * @param password password to use + */ + void (*set_key_password)(nm_creds_t *this, char *password); + + /** + * Set the PIN to unlock a smartcard. + * + * @param keyid keyid of the smartcard key + * @param pin PIN + */ + void (*set_pin)(nm_creds_t *this, chunk_t keyid, char *pin); + /** * Set the certificate and private key to use for client authentication. * @@ -66,6 +82,7 @@ struct nm_creds_t { */ void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert, private_key_t *key); + /** * Clear the stored credentials. */ diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c index 250e6f7f9..fd0580bd6 100644 --- a/src/libcharon/plugins/nm/nm_plugin.c +++ b/src/libcharon/plugins/nm/nm_plugin.c @@ -122,7 +122,7 @@ plugin_t *nm_plugin_create() /* bypass file permissions to read from users ssh-agent */ charon->keep_cap(charon, CAP_DAC_OVERRIDE); - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL)); return &this->public.plugin; diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index 07318bbbf..72c5bbbb5 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -204,6 +204,59 @@ static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new) } /** + * Find a certificate for which we have a private key on a smartcard + */ +static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv, + char *pin) +{ + enumerator_t *enumerator, *sans; + identification_t *id = NULL; + certificate_t *cert; + x509_t *x509; + private_key_t *key; + chunk_t keyid; + + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_ANY, NULL, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + x509 = (x509_t*)cert; + + /* there might be a lot of certificates, filter them by usage */ + if ((x509->get_flags(x509) & X509_CLIENT_AUTH) && + !(x509->get_flags(x509) & X509_CA)) + { + keyid = x509->get_subjectKeyIdentifier(x509); + if (keyid.ptr) + { + /* try to find a private key by the certificate keyid */ + priv->creds->set_pin(priv->creds, keyid, pin); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END); + if (key) + { + /* prefer a more convenient subjectAltName */ + sans = x509->create_subjectAltName_enumerator(x509); + if (!sans->enumerate(sans, &id)) + { + id = cert->get_subject(cert); + } + id = id->clone(id); + sans->destroy(sans); + + DBG1(DBG_CFG, "using smartcard certificate '%Y'", id); + priv->creds->set_cert_and_key(priv->creds, + cert->get_ref(cert), key); + break; + } + } + } + } + enumerator->destroy(enumerator); + return id; +} + +/** * Connect function called from NM via DBUS */ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, @@ -224,7 +277,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, auth_class_t auth_class = AUTH_CLASS_EAP; certificate_t *cert = NULL; x509_t *x509; - bool agent = FALSE; + bool agent = FALSE, smartcard = FALSE; lifetime_cfg_t lifetime = { .time = { .life = 10800 /* 3h */, @@ -279,6 +332,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { auth_class = AUTH_CLASS_PUBKEY; } + else if (streq(str, "smartcard")) + { + auth_class = AUTH_CLASS_PUBKEY; + smartcard = TRUE; + } } /** @@ -338,9 +396,26 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, if (auth_class == AUTH_CLASS_PUBKEY) { + if (smartcard) + { + char *pin; + + pin = (char*)nm_setting_vpn_get_secret(vpn, "password"); + if (pin) + { + user = find_smartcard_key(priv, pin); + } + if (!user) + { + g_set_error(err, NM_VPN_PLUGIN_ERROR, + NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, + "no usable smartcard certificate found."); + gateway->destroy(gateway); + return FALSE; + } + } /* ... or certificate/private key authenitcation */ - str = nm_setting_vpn_get_data_item(vpn, "usercert"); - if (str) + else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert"))) { public_key_t *public; private_key_t *private = NULL; @@ -380,16 +455,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, str = nm_setting_vpn_get_data_item(vpn, "userkey"); if (!agent && str) { - chunk_t secret; + char *secret; - secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password"); - if (secret.ptr) + secret = (char*)nm_setting_vpn_get_secret(vpn, "password"); + if (secret) { - secret.len = strlen(secret.ptr); + priv->creds->set_key_password(priv->creds, secret); } private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - KEY_RSA, BUILD_FROM_FILE, str, - BUILD_PASSPHRASE, secret, BUILD_END); + KEY_RSA, BUILD_FROM_FILE, str, BUILD_END); if (!private) { g_set_error(err, NM_VPN_PLUGIN_ERROR, @@ -524,17 +598,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, if (path) { private_key_t *key; - chunk_t secret; - secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password"); - if (secret.ptr) - { - secret.len = strlen(secret.ptr); - } /* try to load/decrypt the private key */ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - KEY_RSA, BUILD_FROM_FILE, path, - BUILD_PASSPHRASE, secret, BUILD_END); + KEY_RSA, BUILD_FROM_FILE, path, BUILD_END); if (key) { key->destroy(key); @@ -542,6 +609,13 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, } } } + else if streq(method, "smartcard") + { + if (nm_setting_vpn_get_secret(settings, "password")) + { + return FALSE; + } + } } *setting_name = NM_SETTING_VPN_SETTING_NAME; return TRUE; diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 35fb8367f..f24e2d1e7 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index 64820eb45..60937f23d 100644 --- a/src/libcharon/plugins/smp/smp.c +++ b/src/libcharon/plugins/smp/smp.c @@ -702,7 +702,7 @@ static job_requeue_t dispatch(private_smp_t *this) fdp = malloc_thing(int); *fdp = fd; job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return JOB_REQUEUE_DIRECT; } @@ -761,7 +761,7 @@ plugin_t *smp_plugin_create() } this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index df63d862e..bd85386b2 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c index 45390ddae..b5dea68b6 100644 --- a/src/libcharon/plugins/socket_default/socket_default_plugin.c +++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_default_plugin_t { */ socket_default_plugin_t public; - /** - * Socket instance. - */ - socket_default_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_default_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_default_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_default_plugin_create() private_socket_default_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_default_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_default_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index bc998182e..e95646643 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -42,11 +42,12 @@ #include <sys/sysctl.h> #endif +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* length of non-esp marker */ #define MARKER_LEN sizeof(u_int32_t) @@ -116,12 +117,17 @@ struct private_socket_default_socket_t { * IPv6 socket for NATT (4500) */ int ipv6_natt; + + /** + * Maximum packet size to receive + */ + int max_packet; }; METHOD(socket_t, receiver, status_t, private_socket_default_socket_t *this, packet_t **packet) { - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *pkt; host_t *source = NULL, *dest = NULL; @@ -195,7 +201,7 @@ METHOD(socket_t, receiver, status_t, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -207,6 +213,11 @@ METHOD(socket_t, receiver, status_t, DBG1(DBG_NET, "error reading socket: %s", strerror(errno)); return FAILED; } + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return FAILED; + } DBG3(DBG_NET, "received packet %b", buffer, bytes_read); if (bytes_read < MARKER_LEN) @@ -351,12 +362,6 @@ METHOD(socket_t, sender, status_t, if (data.len != 1 || data.ptr[0] != 0xFF) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -521,8 +526,8 @@ static int open_socket(private_socket_default_socket_t *this, } } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } @@ -541,7 +546,7 @@ static int open_socket(private_socket_default_socket_t *this, return skt; } -METHOD(socket_default_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_default_socket_t *this) { if (this->ipv4) @@ -575,9 +580,11 @@ socket_default_socket_t *socket_default_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); #ifdef __APPLE__ diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.h b/src/libcharon/plugins/socket_default/socket_default_socket.h index 755016662..89aa6f435 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.h +++ b/src/libcharon/plugins/socket_default/socket_default_socket.h @@ -35,10 +35,6 @@ struct socket_default_socket_t { */ socket_t socket; - /** - * Destroy a socket_default_socket_t. - */ - void (*destroy)(socket_default_socket_t *this); }; /** diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 8a3a15188..8e0790671 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c index 3410fc7a4..a6ff14efd 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_dynamic_plugin_t { */ socket_dynamic_plugin_t public; - /** - * Socket instance. - */ - socket_dynamic_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_dynamic_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_dynamic_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_dynamic_plugin_create() private_socket_dynamic_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_dynamic_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_dynamic_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index a7db59ce5..74dba82cc 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -36,13 +36,14 @@ #include <netinet/udp.h> #include <net/if.h> +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> #include <threading/rwlock.h> #include <utils/hashtable.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* length of non-esp marker */ #define MARKER_LEN sizeof(u_int32_t) @@ -100,6 +101,11 @@ struct private_socket_dynamic_socket_t { * Notification pipe to signal receiver */ int notify[2]; + + /** + * Maximum packet size to receive + */ + int max_packet; }; /** @@ -197,7 +203,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, { host_t *source = NULL, *dest = NULL; ssize_t len; - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *packet; struct msghdr msg; @@ -212,7 +218,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -224,6 +230,11 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, DBG1(DBG_NET, "error reading socket: %s", strerror(errno)); return NULL; } + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return NULL; + } DBG3(DBG_NET, "received packet %b", buffer, len); if (len < MARKER_LEN) @@ -412,8 +423,8 @@ static int open_socket(private_socket_dynamic_socket_t *this, return 0; } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - fd, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + fd, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } @@ -495,12 +506,6 @@ METHOD(socket_t, sender, status_t, !(data.len == 1 && data.ptr[0] == 0xFF)) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -567,7 +572,7 @@ METHOD(socket_t, sender, status_t, return SUCCESS; } -METHOD(socket_dynamic_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_dynamic_socket_t *this) { enumerator_t *enumerator; @@ -600,10 +605,12 @@ socket_dynamic_socket_t *socket_dynamic_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); if (pipe(this->notify) != 0) diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h index 72551e545..8c93f53d6 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h @@ -35,10 +35,6 @@ struct socket_dynamic_socket_t { */ socket_t socket; - /** - * Destroy a socket_dynamic_socket_t. - */ - void (*destroy)(socket_dynamic_socket_t *this); }; /** diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 32bd9e0a1..5f4cba131 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c index 5b011abcf..17a3a8db7 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_raw_plugin_t { */ socket_raw_plugin_t public; - /** - * Raw socket instance. - */ - socket_raw_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_raw_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_raw_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_raw_plugin_create() private_socket_raw_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_raw_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_raw_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c index 166870421..f6e87a86f 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c @@ -1,6 +1,7 @@ /* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -36,11 +37,12 @@ #include <linux/filter.h> #include <net/if.h> +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* constants for packet handling */ #define IP_LEN sizeof(struct iphdr) @@ -119,12 +121,17 @@ struct private_socket_raw_socket_t { * send socket on nat-t port for IPv6 */ int send6_natt; + + /** + * Maximum packet size to receive + */ + int max_packet; }; METHOD(socket_t, receiver, status_t, private_socket_raw_socket_t *this, packet_t **packet) { - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *pkt; struct udphdr *udp; @@ -161,12 +168,17 @@ METHOD(socket_t, receiver, status_t, struct iphdr *ip; struct sockaddr_in src, dst; - bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0); + bytes_read = recv(this->recv4, buffer, this->max_packet, 0); if (bytes_read < 0) { DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno)); return FAILED; } + if (bytes_read == this->max_packet) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return FAILED; + } DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read); /* read source/dest from raw IP/UDP header */ @@ -216,7 +228,7 @@ METHOD(socket_t, receiver, status_t, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -343,12 +355,6 @@ METHOD(socket_t, sender, status_t, if (data.len != 1 || data.ptr[0] != 0xFF) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -492,8 +498,8 @@ static int open_send_socket(private_socket_raw_socket_t *this, } } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing bypass policy on send socket failed"); } @@ -598,8 +604,8 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) return 0; } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing bypass policy on receive socket failed"); } @@ -607,7 +613,7 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) return skt; } -METHOD(socket_raw_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_raw_socket_t *this) { if (this->recv4) @@ -649,9 +655,11 @@ socket_raw_socket_t *socket_raw_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); this->recv4 = open_recv_socket(this, AF_INET); diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h index 94cf666e8..23ff304a8 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.h +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.h @@ -41,10 +41,6 @@ struct socket_raw_socket_t { */ socket_t socket; - /** - * Destroy a socket_raw_socket_t. - */ - void (*destroy)(socket_raw_socket_t *this); }; /** diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am index 68b7e8cb2..37b87117c 100644 --- a/src/libcharon/plugins/sql/Makefile.am +++ b/src/libcharon/plugins/sql/Makefile.am @@ -2,9 +2,6 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-sql.la else diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index e32dc7b57..7c4521785 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -258,9 +274,6 @@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" - @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la libstrongswan_sql_la_SOURCES = \ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index e094200ca..e6e98838b 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 617069432..165212a5e 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -15,6 +15,7 @@ #include "stroke_config.h" +#include <hydra.h> #include <daemon.h> #include <threading/mutex.h> #include <utils/lexparser.h> @@ -199,8 +200,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg host = host_create_from_dns(msg->add_conn.other.address, 0, 0); if (host) { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); + interface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, host); host->destroy(host); if (interface) { @@ -215,8 +216,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg host = host_create_from_dns(msg->add_conn.me.address, 0, 0); if (host) { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); + interface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, host); host->destroy(host); if (!interface) { @@ -362,7 +363,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } } else - { /* no second authentication round, fine */ + { /* no second authentication round, fine. But load certificates + * for other purposes (EAP-TLS) */ + if (cert) + { + certificate = this->cred->load_peer(this->cred, cert); + if (certificate) + { + certificate->destroy(certificate); + } + } return NULL; } } @@ -502,6 +512,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity); } + if (msg->add_conn.aaa_identity) + { + cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, + identification_create_from_string(msg->add_conn.aaa_identity)); + } } else { diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index f64421551..e0398ba78 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -354,7 +354,7 @@ static void terminate_srcip(private_stroke_control_t *this, } /* schedule delete asynchronously */ - charon->processor->queue_job(charon->processor, (job_t*) + lib->processor->queue_job(lib->processor, (job_t*) delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)); } enumerator->destroy(enumerator); diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 2816b9bb2..91e71f1f4 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -14,10 +14,15 @@ * for more details. */ +#include <sys/types.h> #include <sys/stat.h> #include <limits.h> #include <glob.h> #include <libgen.h> +#include <sys/mman.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> #include "stroke_cred.h" #include "stroke_shared_key.h" @@ -25,6 +30,8 @@ #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> #include <credentials/certificates/ac.h> +#include <credentials/sets/mem_cred.h> +#include <credentials/sets/callback_cred.h> #include <utils/linked_list.h> #include <utils/lexparser.h> #include <threading/rwlock.h> @@ -88,7 +95,8 @@ struct private_stroke_cred_t { typedef struct { private_stroke_cred_t *this; identification_t *id; - certificate_type_t type; + certificate_type_t cert; + key_type_t key; } id_data_t; /** @@ -109,15 +117,18 @@ static bool private_filter(id_data_t *data, private_key_t *key; key = *in; - if (data->id == NULL) + if (data->key == KEY_ANY || data->key == key->get_type(key)) { - *out = key; - return TRUE; - } - if (key->has_fingerprint(key, data->id->get_encoding(data->id))) - { - *out = key; - return TRUE; + if (data->id == NULL) + { + *out = key; + return TRUE; + } + if (key->has_fingerprint(key, data->id->get_encoding(data->id))) + { + *out = key; + return TRUE; + } } return FALSE; } @@ -133,6 +144,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, data = malloc_thing(id_data_t); data->this = this; data->id = id; + data->key = type; this->lock->read_lock(this->lock); return enumerator_create_filter(this->private->create_enumerator(this->private), @@ -148,7 +160,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou public_key_t *public; certificate_t *cert = *in; - if (data->type != CERT_ANY && data->type != cert->get_type(cert)) + if (data->cert != CERT_ANY && data->cert != cert->get_type(cert)) { return FALSE; } @@ -161,11 +173,14 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou public = cert->get_public_key(cert); if (public) { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + if (data->key == KEY_ANY || data->key != public->get_type(public)) { - public->destroy(public); - *out = *in; - return TRUE; + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = *in; + return TRUE; + } } public->destroy(public); } @@ -188,7 +203,8 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, data = malloc_thing(id_data_t); data->this = this; data->id = id; - data->type = cert; + data->cert = cert; + data->key = key; this->lock->read_lock(this->lock); return enumerator_create_filter(this->certs->create_enumerator(this->certs), @@ -667,47 +683,443 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) } /** - * Data to pass to passphrase_cb + * Data for passphrase callback */ typedef struct { /** socket we use for prompting */ FILE *prompt; /** private key file */ - char *file; - /** buffer for passphrase */ - char buf[256]; + char *path; + /** number of tries */ + int try; } passphrase_cb_data_t; /** - * Passphrase callback to read from whack fd + * Callback function to receive Passphrases */ -chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) +static shared_key_t* passphrase_cb(passphrase_cb_data_t *data, + shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) { - chunk_t secret = chunk_empty;; + chunk_t secret; + char buf[256]; - if (try > 5) + if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS) { - fprintf(data->prompt, "invalid passphrase, too many trials\n"); - return chunk_empty; + return NULL; } - if (try == 1) + + if (data->try > 1) { - fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file); + if (data->try > 5) + { + fprintf(data->prompt, "PIN invalid, giving up.\n"); + return NULL; + } + fprintf(data->prompt, "PIN invalid!\n"); } - else + data->try++; + fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path); + fprintf(data->prompt, "Passphrase:\n"); + if (fgets(buf, sizeof(buf), data->prompt)) { - fprintf(data->prompt, "invalid passphrase\n"); + secret = chunk_create(buf, strlen(buf)); + if (secret.len > 1) + { /* trim appended \n */ + secret.len--; + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret)); + } } - fprintf(data->prompt, "Passphrase:\n"); - if (fgets(data->buf, sizeof(data->buf), data->prompt)) + return NULL; +} + +/** + * Data for PIN callback + */ +typedef struct { + /** socket we use for prompting */ + FILE *prompt; + /** card label */ + char *card; + /** card keyid */ + chunk_t keyid; + /** number of tries */ + int try; +} pin_cb_data_t; + +/** + * Callback function to receive PINs + */ +static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) +{ + chunk_t secret; + char buf[256]; + + if (type != SHARED_ANY && type != SHARED_PIN) + { + return NULL; + } + + if (!me || !chunk_equals(me->get_encoding(me), data->keyid)) + { + return NULL; + } + + if (data->try > 1) + { + fprintf(data->prompt, "PIN invalid, aborting.\n"); + return NULL; + } + data->try++; + fprintf(data->prompt, "Login to '%s' required\n", data->card); + fprintf(data->prompt, "PIN:\n"); + if (fgets(buf, sizeof(buf), data->prompt)) { - secret = chunk_create(data->buf, strlen(data->buf)); - if (secret.len) + secret = chunk_create(buf, strlen(buf)); + if (secret.len > 1) { /* trim appended \n */ secret.len--; + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(SHARED_PIN, chunk_clone(secret)); + } + } + return NULL; +} + +/** + * Load a smartcard with a PIN + */ +static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, + FILE *prompt) +{ + chunk_t sc = chunk_empty, secret = chunk_empty; + char smartcard[64], keyid[64], module[64], *pos; + private_key_t *key = NULL; + u_int slot; + chunk_t chunk; + shared_key_t *shared; + identification_t *id; + mem_cred_t *mem = NULL; + callback_cred_t *cb = NULL; + pin_cb_data_t pin_data; + enum { + SC_FORMAT_SLOT_MODULE_KEYID, + SC_FORMAT_SLOT_KEYID, + SC_FORMAT_KEYID, + } format; + + err_t ugh = extract_value(&sc, &line); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (sc.len == 0) + { + DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr); + return FALSE; + } + snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr); + smartcard[sizeof(smartcard) - 1] = '\0'; + + /* parse slot and key id. Three formats are supported: + * - %smartcard<slot>@<module>:<keyid> + * - %smartcard<slot>:<keyid> + * - %smartcard:<keyid> + */ + if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2) + { + pos = strchr(module, ':'); + if (!pos) + { + DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is " + "invalid", line_nr); + return FALSE; + } + *pos = '\0'; + strcpy(keyid, pos + 1); + format = SC_FORMAT_SLOT_MODULE_KEYID; + } + else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2) + { + format = SC_FORMAT_SLOT_KEYID; + } + else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1) + { + format = SC_FORMAT_KEYID; + } + else + { + DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not" + " supported or invalid", line_nr); + return FALSE; + } + + if (!eat_whitespace(&line)) + { + DBG1(DBG_CFG, "line %d: expected PIN", line_nr); + return FALSE; + } + ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh); + return FALSE; + } + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) + { + free(secret.ptr); + if (!prompt) + { /* no IO channel to prompt, skip */ + free(chunk.ptr); + return TRUE; + } + /* use callback credential set to prompt for the pin */ + pin_data.prompt = prompt; + pin_data.card = smartcard; + pin_data.keyid = chunk; + pin_data.try = 1; + cb = callback_cred_create_shared((void*)pin_cb, &pin_data); + lib->credmgr->add_local_set(lib->credmgr, &cb->set); + } + else + { + /* provide our pin in a temporary credential set */ + shared = shared_key_create(SHARED_PIN, secret); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + mem = mem_cred_create(); + mem->add_shared(mem, shared, id, NULL); + lib->credmgr->add_local_set(lib->credmgr, &mem->set); + } + + /* unlock: smartcard needs the pin and potentially calls public set */ + this->lock->unlock(this->lock); + switch (format) + { + case SC_FORMAT_SLOT_MODULE_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_MODULE, module, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_SLOT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + } + this->lock->write_lock(this->lock); + if (mem) + { + lib->credmgr->remove_local_set(lib->credmgr, &mem->set); + mem->destroy(mem); + } + if (cb) + { + lib->credmgr->remove_local_set(lib->credmgr, &cb->set); + cb->destroy(cb); + } + + if (key) + { + DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); + this->private->insert_last(this->private, key); + } + return TRUE; +} + +/** + * Load a private key + */ +static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, + FILE *prompt, key_type_t key_type) +{ + char path[PATH_MAX]; + chunk_t filename; + chunk_t secret = chunk_empty; + private_key_t *key; + + err_t ugh = extract_value(&filename, &line); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (filename.len == 0) + { + DBG1(DBG_CFG, "line %d: empty filename", line_nr); + return FALSE; + } + if (*filename.ptr == '/') + { + /* absolute path name */ + snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr); + } + else + { + /* relative path name */ + snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, + filename.len, filename.ptr); + } + + /* check for optional passphrase */ + if (eat_whitespace(&line)) + { + ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); + return FALSE; + } + } + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) + { + callback_cred_t *cb = NULL; + passphrase_cb_data_t pp_data = { + .prompt = prompt, + .path = path, + .try = 1, + }; + + free(secret.ptr); + if (!prompt) + { + return TRUE; + } + /* use callback credential set to prompt for the passphrase */ + pp_data.prompt = prompt; + pp_data.path = path; + pp_data.try = 1; + cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); + lib->credmgr->add_local_set(lib->credmgr, &cb->set); + + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); + + lib->credmgr->remove_local_set(lib->credmgr, &cb->set); + cb->destroy(cb); + } + else + { + mem_cred_t *mem = NULL; + shared_key_t *shared; + + /* provide our pin in a temporary credential set */ + shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret); + mem = mem_cred_create(); + mem->add_shared(mem, shared, NULL); + lib->credmgr->add_local_set(lib->credmgr, &mem->set); + + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); + + lib->credmgr->remove_local_set(lib->credmgr, &mem->set); + mem->destroy(mem); + } + if (key) + { + DBG1(DBG_CFG, " loaded %N private key from '%s'", + key_type_names, key->get_type(key), path); + this->private->insert_last(this->private, key); + } + else + { + DBG1(DBG_CFG, " loading private key from '%s' failed", path); + } + return TRUE; +} + +/** + * Load a shared key + */ +static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, + shared_key_type_t type, chunk_t ids) +{ + stroke_shared_key_t *shared_key; + chunk_t secret = chunk_empty; + bool any = TRUE; + + err_t ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); + return FALSE; + } + shared_key = stroke_shared_key_create(type, secret); + DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, + ids.len > 0 ? (char*)ids.ptr : "%any"); + DBG4(DBG_CFG, " secret: %#B", &secret); + + this->shared->insert_last(this->shared, shared_key); + while (ids.len > 0) + { + chunk_t id; + identification_t *peer_id; + + ugh = extract_value(&id, &ids); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (id.len == 0) + { + continue; + } + + /* NULL terminate the ID string */ + *(id.ptr + id.len) = '\0'; + peer_id = identification_create_from_string(id.ptr); + if (peer_id->get_type(peer_id) == ID_ANY) + { + peer_id->destroy(peer_id); + continue; } + + shared_key->add_owner(shared_key, peer_id); + any = FALSE; + } + if (any) + { + shared_key->add_owner(shared_key, + identification_create_from_encoding(ID_ANY, chunk_empty)); } - return secret; + return TRUE; } /** @@ -716,30 +1128,36 @@ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) static void load_secrets(private_stroke_cred_t *this, char *file, int level, FILE *prompt) { - size_t bytes; - int line_nr = 0; - chunk_t chunk, src, line; - FILE *fd; + int line_nr = 0, fd; + chunk_t src, line; private_key_t *private; shared_key_t *shared; + struct stat sb; + void *addr; DBG1(DBG_CFG, "loading secrets from '%s'", file); - - fd = fopen(file, "r"); - if (fd == NULL) + fd = open(file, O_RDONLY); + if (fd == -1) { - DBG1(DBG_CFG, "opening secrets file '%s' failed", file); + DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file, + strerror(errno)); return; } - - /* TODO: do error checks */ - fseek(fd, 0, SEEK_END); - chunk.len = ftell(fd); - rewind(fd); - chunk.ptr = malloc(chunk.len); - bytes = fread(chunk.ptr, 1, chunk.len, fd); - fclose(fd); - src = chunk; + if (fstat(fd, &sb) == -1) + { + DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file, + strerror(errno)); + close(fd); + return; + } + addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno)); + close(fd); + return; + } + src = chunk_create(addr, sb.st_size); if (level == 0) { @@ -844,223 +1262,52 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, else { DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr); - goto error; + break; } if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line)) { DBG1(DBG_CFG, "line %d: missing token", line_nr); - goto error; + break; } if (match("RSA", &token) || match("ECDSA", &token)) { - char path[PATH_MAX]; - chunk_t filename; - chunk_t secret = chunk_empty; - private_key_t *key = NULL; - key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA; - - err_t ugh = extract_value(&filename, &line); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (filename.len == 0) - { - DBG1(DBG_CFG, "line %d: empty filename", line_nr); - goto error; - } - if (*filename.ptr == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, - filename.len, filename.ptr); - } - - /* check for optional passphrase */ - if (eat_whitespace(&line)) - { - ugh = extract_secret(&secret, &line); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); - goto error; - } - } - if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) - { - if (prompt) - { - passphrase_cb_data_t data; - - data.prompt = prompt; - data.file = path; - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - key_type, BUILD_FROM_FILE, path, - BUILD_PASSPHRASE_CALLBACK, - passphrase_cb, &data, BUILD_END); - } - } - else - { - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, - BUILD_FROM_FILE, path, - BUILD_PASSPHRASE, secret, BUILD_END); - } - if (key) + if (!load_private(this, line, line_nr, prompt, + match("RSA", &token) ? KEY_RSA : KEY_ECDSA)) { - DBG1(DBG_CFG, " loaded %N private key from '%s'", - key_type_names, key->get_type(key), path); - this->private->insert_last(this->private, key); - } - else - { - DBG1(DBG_CFG, " loading private key from '%s' failed", path); + break; } - chunk_clear(&secret); } else if (match("PIN", &token)) { - chunk_t sc = chunk_empty, secret = chunk_empty; - char smartcard[32], keyid[22], pin[32]; - private_key_t *key; - u_int slot; - - err_t ugh = extract_value(&sc, &line); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (sc.len == 0) - { - DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr); - goto error; - } - snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr); - smartcard[sizeof(smartcard) - 1] = '\0'; - - /* parse slot and key id. only two formats are supported. - * first try %smartcard<slot>:<keyid> */ - if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2) - { - snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid); - } - /* then try %smartcard:<keyid> */ - else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1) - { - snprintf(smartcard, sizeof(smartcard), "%s", keyid); - } - else - { - DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not" - " supported or invalid", line_nr); - goto error; - } - - if (!eat_whitespace(&line)) - { - DBG1(DBG_CFG, "line %d: expected PIN", line_nr); - goto error; - } - ugh = extract_secret(&secret, &line); - if (ugh != NULL) + if (!load_pin(this, line, line_nr, prompt)) { - DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh); - goto error; - } - snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr); - pin[sizeof(pin) - 1] = '\0'; - - /* we assume an RSA key */ - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_SMARTCARD_KEYID, smartcard, - BUILD_SMARTCARD_PIN, pin, BUILD_END); - - if (key) - { - DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); - this->private->insert_last(this->private, key); + break; } - memset(pin, 0, sizeof(pin)); - chunk_clear(&secret); } else if ((match("PSK", &token) && (type = SHARED_IKE)) || (match("EAP", &token) && (type = SHARED_EAP)) || (match("NTLM", &token) && (type = SHARED_NT_HASH)) || (match("XAUTH", &token) && (type = SHARED_EAP))) { - stroke_shared_key_t *shared_key; - chunk_t secret = chunk_empty; - bool any = TRUE; - - err_t ugh = extract_secret(&secret, &line); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); - goto error; - } - shared_key = stroke_shared_key_create(type, secret); - DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, - ids.len > 0 ? (char*)ids.ptr : "%any"); - DBG4(DBG_CFG, " secret: %#B", &secret); - - this->shared->insert_last(this->shared, shared_key); - while (ids.len > 0) + if (!load_shared(this, line, line_nr, type, ids)) { - chunk_t id; - identification_t *peer_id; - - ugh = extract_value(&id, &ids); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (id.len == 0) - { - continue; - } - - /* NULL terminate the ID string */ - *(id.ptr + id.len) = '\0'; - peer_id = identification_create_from_string(id.ptr); - if (peer_id->get_type(peer_id) == ID_ANY) - { - peer_id->destroy(peer_id); - continue; - } - - shared_key->add_owner(shared_key, peer_id); - any = FALSE; - } - if (any) - { - shared_key->add_owner(shared_key, - identification_create_from_encoding(ID_ANY, chunk_empty)); + break; } } else { DBG1(DBG_CFG, "line %d: token must be either " "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr); - goto error; + break; } } -error: if (level == 0) { this->lock->unlock(this->lock); } - chunk_clear(&chunk); + munmap(addr, sb.st_size); + close(fd); } /** diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index a6de35466..86deea490 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -21,6 +21,7 @@ #include <malloc.h> #endif /* HAVE_MALLINFO */ +#include <hydra.h> #include <daemon.h> #include <utils/linked_list.h> #include <credentials/certificates/x509.h> @@ -422,12 +423,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo } #endif /* HAVE_MALLINFO */ fprintf(out, " worker threads: %d idle of %d,", - charon->processor->get_idle_threads(charon->processor), - charon->processor->get_total_threads(charon->processor)); + lib->processor->get_idle_threads(lib->processor), + lib->processor->get_total_threads(lib->processor)); fprintf(out, " job queue load: %d,", - charon->processor->get_job_load(charon->processor)); + lib->processor->get_job_load(lib->processor)); fprintf(out, " scheduled events: %d\n", - charon->scheduler->get_job_load(charon->scheduler)); + lib->scheduler->get_job_load(lib->scheduler)); fprintf(out, " loaded plugins: "); enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); while (enumerator->enumerate(enumerator, &plugin)) @@ -454,8 +455,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo } enumerator->destroy(enumerator); - enumerator = charon->kernel_interface->create_address_enumerator( - charon->kernel_interface, FALSE, FALSE); + enumerator = hydra->kernel_interface->create_address_enumerator( + hydra->kernel_interface, FALSE, FALSE); fprintf(out, "Listening IP addresses:\n"); while (enumerator->enumerate(enumerator, (void**)&host)) { @@ -638,7 +639,7 @@ static void list_public_key(public_key_t *public, FILE *out) fprintf(out, " pubkey: %N %d bits%s\n", key_type_names, public->get_type(public), - public->get_keysize(public) * 8, + public->get_keysize(public), private ? ", has private key" : ""); if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { @@ -1026,9 +1027,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) */ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) { - bool first = TRUE; + bool first = TRUE, ok; enumerator_t *enumerator = list->create_enumerator(list); certificate_t *cert; + time_t produced, usable, now = time(NULL); while (enumerator->enumerate(enumerator, (void**)&cert)) { @@ -1039,8 +1041,20 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) fprintf(out, "\n"); first = FALSE; } - fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); + + /* check validity */ + ok = cert->get_validity(cert, &now, &produced, &usable); + fprintf(out, " validity: produced at %T\n", &produced, utc); + fprintf(out, " usable till %T, ", &usable, utc); + if (ok) + { + fprintf(out, "ok\n"); + } + else + { + fprintf(out, "expired (%V ago)\n", &now, &usable); + } } enumerator->destroy(enumerator); } @@ -1073,6 +1087,13 @@ static void list_algs(FILE *out) fprintf(out, "%N ", integrity_algorithm_names, integrity); } enumerator->destroy(enumerator); + fprintf(out, "\n aead: "); + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption)) + { + fprintf(out, "%N ", encryption_algorithm_names, encryption); + } + enumerator->destroy(enumerator); fprintf(out, "\n hasher: "); enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &hash)) @@ -1184,7 +1205,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, bool on; int found = 0; - fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n", + fprintf(out, "Leases in pool '%s', usage: %u/%u, %u online\n", pool, online + offline, size, online); enumerator = this->attribute->create_lease_enumerator(this->attribute, pool); while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on)) diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 18afa5af4..0a5110fd3 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -24,10 +24,10 @@ #include <unistd.h> #include <errno.h> -#include <processing/jobs/callback_job.h> #include <hydra.h> #include <daemon.h> #include <threading/thread.h> +#include <processing/jobs/callback_job.h> #include "stroke_config.h" #include "stroke_control.h" @@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg) pop_end(msg, "left", &msg->add_conn.me); pop_end(msg, "right", &msg->add_conn.other); pop_string(msg, &msg->add_conn.eap_identity); + pop_string(msg, &msg->add_conn.aaa_identity); pop_string(msg, &msg->add_conn.algorithms.ike); pop_string(msg, &msg->add_conn.algorithms.esp); pop_string(msg, &msg->add_conn.ikeme.mediated_by); pop_string(msg, &msg->add_conn.ikeme.peerid); DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity); + DBG2(DBG_CFG, " aaa_identity=%s", msg->add_conn.aaa_identity); DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no"); @@ -353,6 +355,37 @@ static void stroke_purge(private_stroke_socket_t *this, } /** + * Export in-memory credentials + */ +static void stroke_export(private_stroke_socket_t *this, + stroke_msg_t *msg, FILE *out) +{ + pop_string(msg, &msg->export.selector); + + if (msg->purge.flags & EXPORT_X509) + { + enumerator_t *enumerator; + identification_t *id; + certificate_t *cert; + chunk_t encoded; + + id = identification_create_from_string(msg->export.selector); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_ANY, id, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + if (cert->get_encoding(cert, CERT_PEM, &encoded)) + { + fprintf(out, "%.*s", encoded.len, encoded.ptr); + free(encoded.ptr); + } + } + enumerator->destroy(enumerator); + id->destroy(id); + } +} + +/** * list pool leases */ static void stroke_leases(private_stroke_socket_t *this, @@ -364,21 +397,6 @@ static void stroke_leases(private_stroke_socket_t *this, this->list->leases(this->list, msg, out); } -debug_t get_group_from_name(char *type) -{ - if (strcaseeq(type, "any")) return DBG_ANY; - else if (strcaseeq(type, "mgr")) return DBG_MGR; - else if (strcaseeq(type, "ike")) return DBG_IKE; - else if (strcaseeq(type, "chd")) return DBG_CHD; - else if (strcaseeq(type, "job")) return DBG_JOB; - else if (strcaseeq(type, "cfg")) return DBG_CFG; - else if (strcaseeq(type, "knl")) return DBG_KNL; - else if (strcaseeq(type, "net")) return DBG_NET; - else if (strcaseeq(type, "enc")) return DBG_ENC; - else if (strcaseeq(type, "lib")) return DBG_LIB; - else return -1; -} - /** * set the verbosity debug output */ @@ -394,7 +412,7 @@ static void stroke_loglevel(private_stroke_socket_t *this, DBG1(DBG_CFG, "received stroke: loglevel %d for %s", msg->loglevel.level, msg->loglevel.type); - group = get_group_from_name(msg->loglevel.type); + group = enum_from_name(debug_names, msg->loglevel.type); if (group < 0) { fprintf(out, "invalid type (%s)!\n", msg->loglevel.type); @@ -525,6 +543,9 @@ static job_requeue_t process(stroke_job_context_t *ctx) case STR_PURGE: stroke_purge(this, msg, out); break; + case STR_EXPORT: + stroke_export(this, msg, out); + break; case STR_LEASES: stroke_leases(this, msg, out); break; @@ -565,7 +586,7 @@ static job_requeue_t receive(private_stroke_socket_t *this) ctx->this = this; job = callback_job_create((callback_job_cb_t)process, ctx, (void*)stroke_job_context_destroy, this->job); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return JOB_REQUEUE_FAIR; } @@ -663,7 +684,7 @@ stroke_socket_t *stroke_socket_create() this->job = callback_job_create((callback_job_cb_t)receive, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am new file mode 100644 index 000000000..ca8869460 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/Makefile.am @@ -0,0 +1,19 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imc_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnc-imc.la +else +plugin_LTLIBRARIES = libstrongswan-tnc-imc.la +endif + +libstrongswan_tnc_imc_la_SOURCES = \ + tnc_imc_plugin.h tnc_imc_plugin.c + +libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in new file mode 100644 index 000000000..9a8794e93 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -0,0 +1,603 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/tnc_imc +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_tnc_imc_la_DEPENDENCIES = +am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo +libstrongswan_tnc_imc_la_OBJECTS = \ + $(am_libstrongswan_tnc_imc_la_OBJECTS) +libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnc_imc_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnc_imc_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la +libstrongswan_tnc_imc_la_SOURCES = \ + tnc_imc_plugin.h tnc_imc_plugin.c + +libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) + $(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c new file mode 100644 index 000000000..0ce930ba3 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc_plugin.h" + +#include <libtnctncc.h> + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnc_imc_plugin_t *this) +{ + libtnc_tncc_Terminate(); + free(this); +} + +/* + * see header file + */ +plugin_t *tnc_imc_plugin_create() +{ + char *tnc_config, *pref_lang; + tnc_imc_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + pref_lang = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.preferred_language", "en"); + tnc_config = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config"); + + if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMC initialization failed"); + return NULL; + } + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h new file mode 100644 index 000000000..8c5521cb2 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnc_imc tnc_imc + * @ingroup cplugins + * + * @defgroup tnc_imc_plugin tnc_imc_plugin + * @{ @ingroup tnc_imc + */ + +#ifndef TNC_IMC_PLUGIN_H_ +#define TNC_IMC_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnc_imc_plugin_t tnc_imc_plugin_t; + +/** + * TNC IMC plugin + */ +struct tnc_imc_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNC_IMC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am new file mode 100644 index 000000000..9c3b47364 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/Makefile.am @@ -0,0 +1,19 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imv_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnc-imv.la +else +plugin_LTLIBRARIES = libstrongswan-tnc-imv.la +endif + +libstrongswan_tnc_imv_la_SOURCES = \ + tnc_imv_plugin.h tnc_imv_plugin.c + +libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in new file mode 100644 index 000000000..f89b5e03b --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -0,0 +1,603 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/tnc_imv +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_tnc_imv_la_DEPENDENCIES = +am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo +libstrongswan_tnc_imv_la_OBJECTS = \ + $(am_libstrongswan_tnc_imv_la_OBJECTS) +libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnc_imv_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnc_imv_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la +libstrongswan_tnc_imv_la_SOURCES = \ + tnc_imv_plugin.h tnc_imv_plugin.c + +libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) + $(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c new file mode 100644 index 000000000..5b3d3892d --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv_plugin.h" + +#include <libtnctncs.h> + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnc_imv_plugin_t *this) +{ + libtnc_tncs_Terminate(); + free(this); +} + +/* + * see header file + */ +plugin_t *tnc_imv_plugin_create() +{ + char *tnc_config; + tnc_imv_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + tnc_config = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config"); + if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMV initialization failed"); + return NULL; + } + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h new file mode 100644 index 000000000..afeee2ea2 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnc_imv tnc_imv + * @ingroup cplugins + * + * @defgroup tnc_imv_plugin tnc_imv_plugin + * @{ @ingroup tnc_imv + */ + +#ifndef TNC_IMV_PLUGIN_H_ +#define TNC_IMV_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnc_imv_plugin_t tnc_imv_plugin_t; + +/** + * TNC IMV plugin + */ +struct tnc_imv_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNC_IMV_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am new file mode 100644 index 000000000..7ccd0dfee --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_11_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnccs-11.la +else +plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + +libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in new file mode 100644 index 000000000..200ff7a0a --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +subdir = src/libcharon/plugins/tnccs_11 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo +libstrongswan_tnccs_11_la_OBJECTS = \ + $(am_libstrongswan_tnccs_11_la_OBJECTS) +libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_11_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_11_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnccs_11_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + +libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) + $(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c new file mode 100644 index 000000000..704bf64ed --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_11.h" + +#include <libtnctncc.h> +#include <libtnctncs.h> + +#include <daemon.h> +#include <debug.h> + +#define TNC_SEND_BUFFER_SIZE 32 + +static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE]; + +/** + * Buffers TNCCS batch to be sent (TODO make the buffer scalable) + */ +static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return TNC_RESULT_FATAL; + } + if (tnc_send_buffer[id].ptr) + { + DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already " + "occupied", id); + return TNC_RESULT_FATAL; + } + tnc_send_buffer[id] = chunk_alloc(len); + memcpy(tnc_send_buffer[id].ptr, data, len); + + return TNC_RESULT_SUCCESS; +} + +/** + * Retrieves TNCCS batch to be sent + */ +static bool retrieve_batch(u_int32_t id, chunk_t *batch) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return FALSE; + } + + *batch = tnc_send_buffer[id]; + return TRUE; +} + +/** + * Frees TNCCS batch that was sent + */ +static void free_batch(u_int32_t id) +{ + if (id < TNC_SEND_BUFFER_SIZE) + { + chunk_free(&tnc_send_buffer[id]); + } +} + +/** + * Define callback functions called by the libtnc library + */ +TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} + +TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} + +typedef struct private_tnccs_11_t private_tnccs_11_t; + +/** + * Private data of a tnccs_11_t object. + */ +struct private_tnccs_11_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * TNCC Connection to IMCs + */ + libtnc_tncc_connection* tncc_connection; + + /** + * TNCS Connection to IMVs + */ + libtnc_tncs_connection* tncs_connection; +}; + +METHOD(tls_t, process, status_t, + private_tnccs_11_t *this, void *buf, size_t buflen) +{ + u_int32_t conn_id; + + if (this->is_server && !this->tncs_connection) + { + this->tncs_connection = libtnc_tncs_CreateConnection(NULL); + if (!this->tncs_connection) + { + DBG1(DBG_TNC, "TNCS CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCS Connection ID %u", + this->tncs_connection->connectionID); + if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u", + buflen, conn_id); + DBG3(DBG_TNC, "%.*s", buflen, buf); + + if (this->is_server) + { + if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS ReceiveBatch failed"); + return FAILED; + } + } + else + { + if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC ReceiveBatch failed"); + return FAILED; + } + } + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + chunk_t batch; + u_int32_t conn_id; + size_t len; + + if (!this->is_server && !this->tncc_connection) + { + this->tncc_connection = libtnc_tncc_CreateConnection(NULL); + if (!this->tncc_connection) + { + DBG1(DBG_TNC, "TNCC CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCC Connection ID %u", + this->tncc_connection->connectionID); + if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + if (!retrieve_batch(conn_id, &batch)) + { + return FAILED; + } + len = *buflen; + len = min(len, batch.len); + *buflen = len; + if (msglen) + { + *msglen = batch.len; + } + + if (batch.len) + { + DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u", + batch.len, conn_id); + DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr); + memcpy(buf, batch.ptr, len); + free_batch(conn_id); + return ALREADY_DONE; + } + else + { + return INVALID_STATE; + } +} + +METHOD(tls_t, is_server, bool, + private_tnccs_11_t *this) +{ + return this->is_server; +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tnccs_11_t *this) +{ + return TLS_PURPOSE_EAP_TNC; +} + +METHOD(tls_t, is_complete, bool, + private_tnccs_11_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) == + TNC_RESULT_SUCCESS) + { + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + DBG1(DBG_TNC, "TNC recommendation is allow"); + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + DBG1(DBG_TNC, "TNC recommendation is isolate"); + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + DBG1(DBG_TNC, "TNC recommendation is none"); + return FALSE; + } + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group); + } + return TRUE; + } + else + { + return FALSE; + } +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tnccs_11_t *this) +{ + return chunk_empty; +} + +METHOD(tls_t, destroy, void, + private_tnccs_11_t *this) +{ + if (this->is_server) + { + if (this->tncs_connection) + { + libtnc_tncs_DeleteConnection(this->tncs_connection); + } + } + else + { + if (this->tncc_connection) + { + libtnc_tncc_DeleteConnection(this->tncc_connection); + } + libtnc_tncc_Terminate(); + } + free(this); +} + +/** + * See header + */ +tls_t *tnccs_11_create(bool is_server) +{ + private_tnccs_11_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .is_server = is_server, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h new file mode 100644 index 000000000..7331fc8cd --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_11_h tnccs_11 + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_11_H_ +#define TNCCS_11_H_ + +#include <library.h> + +#include <tls.h> + +/** + * Create an instance of the TNC IF-TNCCS 1.1 protocol handler. + * + * @param is_server TRUE to act as TNC Server, FALSE for TNC Client + * @return TNC_IF_TNCCS 1.1 protocol stack + */ +tls_t *tnccs_11_create(bool is_server); + +#endif /** TNCCS_11_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c new file mode 100644 index 000000000..03905ca37 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_11_plugin.h" +#include "tnccs_11.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnccs_11_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_11_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_11_plugin_create() +{ + tnccs_11_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_1_1, + (tnccs_constructor_t)tnccs_11_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h new file mode 100644 index 000000000..619a073ad --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_11 tnccs_11 + * @ingroup cplugins + * + * @defgroup tnccs_11_plugin tnccs_11_plugin + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_11_PLUGIN_H_ +#define TNCCS_11_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnccs_11_plugin_t tnccs_11_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_11_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_11_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am new file mode 100644 index 000000000..3018121e3 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_20_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnccs-20.la +else +plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + +libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in new file mode 100644 index 000000000..6101f91df --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/Makefile.in @@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +subdir = src/libcharon/plugins/tnccs_20 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo +libstrongswan_tnccs_20_la_OBJECTS = \ + $(am_libstrongswan_tnccs_20_la_OBJECTS) +libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnccs_20_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + +libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) + $(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c new file mode 100644 index 000000000..2bd1bc476 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -0,0 +1,103 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20.h" + +#include <debug.h> + +static chunk_t tncc_output; + +typedef struct private_tnccs_20_t private_tnccs_20_t; + +/** + * Private data of a tnccs_20_t object. + */ +struct private_tnccs_20_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; +}; + +METHOD(tls_t, process, status_t, + private_tnccs_20_t *this, void *buf, size_t buflen) +{ + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + return ALREADY_DONE; +} + +METHOD(tls_t, is_server, bool, + private_tnccs_20_t *this) +{ + return this->is_server; +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tnccs_20_t *this) +{ + return TLS_PURPOSE_EAP_TNC; +} + +METHOD(tls_t, is_complete, bool, + private_tnccs_20_t *this) +{ + return FALSE; +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tnccs_20_t *this) +{ + return chunk_empty; +} + +METHOD(tls_t, destroy, void, + private_tnccs_20_t *this) +{ + free(this); +} + +/** + * See header + */ +tls_t *tnccs_20_create(bool is_server) +{ + private_tnccs_20_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .is_server = is_server, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h new file mode 100644 index 000000000..400d1dc12 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20_h tnccs_20 + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_H_ +#define TNCCS_20_H_ + +#include <library.h> + +#include <tls.h> + +/** + * Create an instance of the TNC IF-TNCCS 2.0 protocol handler. + * + * @param is_server TRUE to act as TNC Server, FALSE for TNC Client + * @return TNC_IF_TNCCS 2.0 protocol stack + */ +tls_t *tnccs_20_create(bool is_server); + +#endif /** TNCCS_20_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c new file mode 100644 index 000000000..82c78f74c --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20_plugin.h" +#include "tnccs_20.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnccs_20_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_20_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_20_plugin_create() +{ + tnccs_20_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_2_0, + (tnccs_constructor_t)tnccs_20_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h new file mode 100644 index 000000000..1c4ecf4c9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20 tnccs_20 + * @ingroup cplugins + * + * @defgroup tnccs_20_plugin tnccs_20_plugin + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_PLUGIN_H_ +#define TNCCS_20_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnccs_20_plugin_t tnccs_20_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_20_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_20_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 934ab6080..9cb5f794a 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c index 3c4928be4..aee2505e3 100644 --- a/src/libcharon/plugins/uci/uci_control.c +++ b/src/libcharon/plugins/uci/uci_control.c @@ -294,7 +294,7 @@ uci_control_t *uci_control_create() { this->job = callback_job_create((callback_job_cb_t)receive, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); } return &this->public; } diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 47850c1c5..47fff7e1d 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +205,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +262,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c index 3b00421f8..342194a4c 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_cert.c +++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c @@ -51,7 +51,7 @@ bool test_cert_x509() return FALSE; } - encoding = ca_cert->get_encoding(ca_cert); + ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding); parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, encoding, BUILD_END); @@ -81,7 +81,7 @@ bool test_cert_x509() return FALSE; } - encoding = peer_cert->get_encoding(peer_cert); + peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding); parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, encoding, BUILD_END); diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c index 59da15644..6ba5769b5 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c +++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c @@ -59,12 +59,12 @@ bool test_rsa_gen() return FALSE; } free(sig.ptr); - if (!public->encrypt(public, data, &crypt)) + if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt)) { DBG1(DBG_CFG, "encrypting data with RSA failed"); return FALSE; } - if (!private->decrypt(private, crypt, &plain)) + if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain)) { DBG1(DBG_CFG, "decrypting data with RSA failed"); return FALSE; @@ -110,7 +110,7 @@ bool test_rsa_load_any() public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, BUILD_BLOB_ASN1_DER, chunk, BUILD_END); - if (!public || public->get_keysize(public) != 256) + if (!public || public->get_keysize(public) != 2048) { return FALSE; } diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index ce233ad04..e93955d71 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index ea4a792c2..8e58b1a9b 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -18,6 +18,7 @@ #include "updown_listener.h" +#include <hydra.h> #include <daemon.h> #include <config/child_cfg.h> @@ -218,8 +219,8 @@ METHOD(listener_t, child_updown, bool, if (up) { - iface = charon->kernel_interface->get_interface( - charon->kernel_interface, me); + iface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, me); if (iface) { cache_iface(this, child_sa->get_reqid(child_sa), iface); diff --git a/src/libcharon/processing/jobs/acquire_job.h b/src/libcharon/processing/jobs/acquire_job.h index eff79a9b0..2b5bf4805 100644 --- a/src/libcharon/processing/jobs/acquire_job.h +++ b/src/libcharon/processing/jobs/acquire_job.h @@ -15,7 +15,7 @@ /** * @defgroup acquire_job acquire_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef ACQUIRE_JOB_H_ diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h index 662a7b7c7..fc0e2b518 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.h +++ b/src/libcharon/processing/jobs/delete_child_sa_job.h @@ -15,7 +15,7 @@ /** * @defgroup delete_child_sa_job delete_child_sa_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef DELETE_CHILD_SA_JOB_H_ diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.h b/src/libcharon/processing/jobs/delete_ike_sa_job.h index f641deea3..ae06b9cfc 100644 --- a/src/libcharon/processing/jobs/delete_ike_sa_job.h +++ b/src/libcharon/processing/jobs/delete_ike_sa_job.h @@ -16,7 +16,7 @@ /** * @defgroup delete_child_sa_job delete_child_sa_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef DELETE_IKE_SA_JOB_H_ diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c index 13fc5e3d0..1371000eb 100644 --- a/src/libcharon/processing/jobs/inactivity_job.c +++ b/src/libcharon/processing/jobs/inactivity_job.c @@ -87,7 +87,7 @@ METHOD(job_t, execute, void, } else { - charon->scheduler->schedule_job(charon->scheduler, + lib->scheduler->schedule_job(lib->scheduler, &this->public.job_interface, this->timeout - diff); rescheduled = TRUE; } @@ -136,9 +136,11 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout, private_inactivity_job_t *this; INIT(this, - .public.job_interface = { - .execute = _execute, - .destroy = _destroy, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, }, .reqid = reqid, .timeout = timeout, diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h index 9c9daced8..890f7704b 100644 --- a/src/libcharon/processing/jobs/inactivity_job.h +++ b/src/libcharon/processing/jobs/inactivity_job.h @@ -15,7 +15,7 @@ /** * @defgroup inactivity_job inactivity_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef INACTIVITY_JOB_H_ diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.h b/src/libcharon/processing/jobs/initiate_mediation_job.h index fddb1dd7b..d105de2b9 100644 --- a/src/libcharon/processing/jobs/initiate_mediation_job.h +++ b/src/libcharon/processing/jobs/initiate_mediation_job.h @@ -15,7 +15,7 @@ /** * @defgroup initiate_mediation_job initiate_mediation_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef INITIATE_MEDIATION_JOB_H_ diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h index 0574c65eb..41485cbc6 100644 --- a/src/libcharon/processing/jobs/mediation_job.h +++ b/src/libcharon/processing/jobs/mediation_job.h @@ -15,7 +15,7 @@ /** * @defgroup mediation_job mediation_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef MEDIATION_JOB_H_ diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h index de313d517..09679c734 100644 --- a/src/libcharon/processing/jobs/migrate_job.h +++ b/src/libcharon/processing/jobs/migrate_job.h @@ -15,7 +15,7 @@ /** * @defgroup migrate_job migrate_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef MIGRATE_JOB_H_ diff --git a/src/libcharon/processing/jobs/process_message_job.h b/src/libcharon/processing/jobs/process_message_job.h index 5e3f44d1f..2c42aa577 100644 --- a/src/libcharon/processing/jobs/process_message_job.h +++ b/src/libcharon/processing/jobs/process_message_job.h @@ -16,7 +16,7 @@ /** * @defgroup process_message_job process_message_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef PROCESS_MESSAGE_JOB_H_ diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h index 62887d6b9..fcbe65a06 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h @@ -15,7 +15,7 @@ /** * @defgroup rekey_child_sa_job rekey_child_sa_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef REKEY_CHILD_SA_JOB_H_ diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.h b/src/libcharon/processing/jobs/rekey_ike_sa_job.h index a5c1028aa..3e3e13d00 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.h @@ -15,7 +15,7 @@ /** * @defgroup rekey_ike_sa_job rekey_ike_sa_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef REKEY_IKE_SA_JOB_H_ diff --git a/src/libcharon/processing/jobs/retransmit_job.h b/src/libcharon/processing/jobs/retransmit_job.h index c8c13479b..c4545534b 100644 --- a/src/libcharon/processing/jobs/retransmit_job.h +++ b/src/libcharon/processing/jobs/retransmit_job.h @@ -16,7 +16,7 @@ /** * @defgroup retransmit_job retransmit_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef RETRANSMIT_JOB_H_ diff --git a/src/libcharon/processing/jobs/roam_job.h b/src/libcharon/processing/jobs/roam_job.h index 55bdf2b28..acfb8bed8 100644 --- a/src/libcharon/processing/jobs/roam_job.h +++ b/src/libcharon/processing/jobs/roam_job.h @@ -15,7 +15,7 @@ /** * @defgroup roam_job roam_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef ROAM_JOB_H_ diff --git a/src/libcharon/processing/jobs/send_dpd_job.h b/src/libcharon/processing/jobs/send_dpd_job.h index 8078a38bc..bd2728b9a 100644 --- a/src/libcharon/processing/jobs/send_dpd_job.h +++ b/src/libcharon/processing/jobs/send_dpd_job.h @@ -15,7 +15,7 @@ /** * @defgroup send_dpd_job send_dpd_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef SEND_DPD_JOB_H_ diff --git a/src/libcharon/processing/jobs/send_keepalive_job.h b/src/libcharon/processing/jobs/send_keepalive_job.h index cda83cd7e..acf6d11aa 100644 --- a/src/libcharon/processing/jobs/send_keepalive_job.h +++ b/src/libcharon/processing/jobs/send_keepalive_job.h @@ -15,7 +15,7 @@ /** * @defgroup send_keepalive_job send_keepalive_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef SEND_KEEPALIVE_JOB_H_ diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h index 11d1ac9b6..e2344fcc4 100644 --- a/src/libcharon/processing/jobs/update_sa_job.h +++ b/src/libcharon/processing/jobs/update_sa_job.h @@ -15,7 +15,7 @@ /** * @defgroup update_sa_job update_sa_job - * @{ @ingroup jobs + * @{ @ingroup cjobs */ #ifndef UPDATE_SA_JOB_H_ diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/authenticators/eap/eap_manager.c index f795183f0..bc2c4a617 100644 --- a/src/libcharon/sa/authenticators/eap/eap_manager.c +++ b/src/libcharon/sa/authenticators/eap/eap_manager.c @@ -68,12 +68,9 @@ struct private_eap_manager_t { rwlock_t *lock; }; -/** - * Implementation of eap_manager_t.add_method. - */ -static void add_method(private_eap_manager_t *this, eap_type_t type, - u_int32_t vendor, eap_role_t role, - eap_constructor_t constructor) +METHOD(eap_manager_t, add_method, void, + private_eap_manager_t *this, eap_type_t type, u_int32_t vendor, + eap_role_t role, eap_constructor_t constructor) { eap_entry_t *entry = malloc_thing(eap_entry_t); @@ -87,10 +84,8 @@ static void add_method(private_eap_manager_t *this, eap_type_t type, this->lock->unlock(this->lock); } -/** - * Implementation of eap_manager_t.remove_method. - */ -static void remove_method(private_eap_manager_t *this, eap_constructor_t constructor) +METHOD(eap_manager_t, remove_method, void, + private_eap_manager_t *this, eap_constructor_t constructor) { enumerator_t *enumerator; eap_entry_t *entry; @@ -109,13 +104,9 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru this->lock->unlock(this->lock); } -/** - * Implementation of eap_manager_t.create_instance. - */ -static eap_method_t* create_instance(private_eap_manager_t *this, - eap_type_t type, u_int32_t vendor, - eap_role_t role, identification_t *server, - identification_t *peer) +METHOD(eap_manager_t, create_instance, eap_method_t*, + private_eap_manager_t *this, eap_type_t type, u_int32_t vendor, + eap_role_t role, identification_t *server, identification_t *peer) { enumerator_t *enumerator; eap_entry_t *entry; @@ -140,10 +131,8 @@ static eap_method_t* create_instance(private_eap_manager_t *this, return method; } -/** - * Implementation of 2008_t.destroy - */ -static void destroy(private_eap_manager_t *this) +METHOD(eap_manager_t, destroy, void, + private_eap_manager_t *this) { this->methods->destroy_function(this->methods, free); this->lock->destroy(this->lock); @@ -151,19 +140,22 @@ static void destroy(private_eap_manager_t *this) } /* - * see header file + * See header */ eap_manager_t *eap_manager_create() { - private_eap_manager_t *this = malloc_thing(private_eap_manager_t); - - this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method; - this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method; - this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance; - this->public.destroy = (void(*)(eap_manager_t*))destroy; - - this->methods = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + private_eap_manager_t *this; + + INIT(this, + .public = { + .add_method = _add_method, + .remove_method = _remove_method, + .create_instance = _create_instance, + .destroy = _destroy, + }, + .methods = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); return &this->public; } diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c index ad7b92cfa..0fa4a00c5 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.c +++ b/src/libcharon/sa/authenticators/eap/eap_method.c @@ -15,55 +15,8 @@ #include "eap_method.h" -/* - * See header - */ -eap_type_t eap_type_from_string(char *name) -{ - int i; - static struct { - char *name; - eap_type_t type; - } types[] = { - {"identity", EAP_IDENTITY}, - {"md5", EAP_MD5}, - {"otp", EAP_OTP}, - {"gtc", EAP_GTC}, - {"sim", EAP_SIM}, - {"aka", EAP_AKA}, - {"mschapv2", EAP_MSCHAPV2}, - {"radius", EAP_RADIUS}, - }; - - for (i = 0; i < countof(types); i++) - { - if (strcaseeq(name, types[i].name)) - { - return types[i].type; - } - } - return 0; -} - -ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE, - "EAP_REQUEST", - "EAP_RESPONSE", - "EAP_SUCCESS", - "EAP_FAILURE", -); - -ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE, - "REQ", - "RES", - "SUCC", - "FAIL", -); - ENUM(eap_role_names, EAP_SERVER, EAP_PEER, "EAP_SERVER", "EAP_PEER", ); - - - diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h index df354edb4..9961039ff 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.h +++ b/src/libcharon/sa/authenticators/eap/eap_method.h @@ -23,10 +23,10 @@ typedef struct eap_method_t eap_method_t; typedef enum eap_role_t eap_role_t; -typedef enum eap_code_t eap_code_t; #include <library.h> #include <utils/identification.h> +#include <eap/eap.h> #include <encoding/payloads/eap_payload.h> /** @@ -42,34 +42,6 @@ enum eap_role_t { extern enum_name_t *eap_role_names; /** - * Lookup the EAP method type from a string. - * - * @param name EAP method name (such as "md5", "aka") - * @return method type, 0 if unkown - */ -eap_type_t eap_type_from_string(char *name); - -/** - * EAP code, type of an EAP message - */ -enum eap_code_t { - EAP_REQUEST = 1, - EAP_RESPONSE = 2, - EAP_SUCCESS = 3, - EAP_FAILURE = 4, -}; - -/** - * enum names for eap_code_t. - */ -extern enum_name_t *eap_code_names; - -/** - * short string enum names for eap_code_t. - */ -extern enum_name_t *eap_code_short_names; - -/** * Interface of an EAP method for server and client side. * * An EAP method initiates an EAP exchange and processes requests and diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index 3c0f3c358..8b22fd1d7 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -99,22 +99,30 @@ struct private_eap_authenticator_t { static eap_method_t *load_method(private_eap_authenticator_t *this, eap_type_t type, u_int32_t vendor, eap_role_t role) { - identification_t *server, *peer; + identification_t *server, *peer, *aaa; + auth_cfg_t *auth; if (role == EAP_SERVER) { server = this->ike_sa->get_my_id(this->ike_sa); peer = this->ike_sa->get_other_id(this->ike_sa); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); } else { server = this->ike_sa->get_other_id(this->ike_sa); peer = this->ike_sa->get_my_id(this->ike_sa); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); } if (this->eap_identity) { peer = this->eap_identity; } + aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY); + if (aaa) + { + server = aaa; + } return charon->eap->create_instance(charon->eap, type, vendor, role, server, peer); } @@ -458,11 +466,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, chunk_free(&auth_data); } -/** - * Implementation of authenticator_t.process for a server - */ -static status_t process_server(private_eap_authenticator_t *this, - message_t *message) +METHOD(authenticator_t, process_server, status_t, + private_eap_authenticator_t *this, message_t *message) { eap_payload_t *eap_payload; @@ -492,11 +497,8 @@ static status_t process_server(private_eap_authenticator_t *this, return NEED_MORE; } -/** - * Implementation of authenticator_t.build for a server - */ -static status_t build_server(private_eap_authenticator_t *this, - message_t *message) +METHOD(authenticator_t, build_server, status_t, + private_eap_authenticator_t *this, message_t *message) { if (this->eap_payload) { @@ -519,11 +521,8 @@ static status_t build_server(private_eap_authenticator_t *this, return FAILED; } -/** - * Implementation of authenticator_t.process for a client - */ -static status_t process_client(private_eap_authenticator_t *this, - message_t *message) +METHOD(authenticator_t, process_client, status_t, + private_eap_authenticator_t *this, message_t *message) { eap_payload_t *eap_payload; @@ -603,11 +602,8 @@ static status_t process_client(private_eap_authenticator_t *this, return FAILED; } -/** - * Implementation of authenticator_t.build for a client - */ -static status_t build_client(private_eap_authenticator_t *this, - message_t *message) +METHOD(authenticator_t, build_client, status_t, + private_eap_authenticator_t *this, message_t *message) { if (this->eap_payload) { @@ -623,20 +619,16 @@ static status_t build_client(private_eap_authenticator_t *this, return NEED_MORE; } -/** - * Implementation of authenticator_t.is_mutual. - */ -static bool is_mutual(private_eap_authenticator_t *this) +METHOD(authenticator_t, is_mutual, bool, + private_eap_authenticator_t *this) { /* we don't know yet, but insist on it after EAP is complete */ this->require_mutual = TRUE; return TRUE; } -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy(private_eap_authenticator_t *this) +METHOD(authenticator_t, destroy, void, + private_eap_authenticator_t *this) { DESTROY_IF(this->method); DESTROY_IF(this->eap_payload); @@ -652,25 +644,23 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, chunk_t received_init, chunk_t sent_init) { - private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->received_init = received_init; - this->received_nonce = received_nonce; - this->sent_init = sent_init; - this->sent_nonce = sent_nonce; - this->msk = chunk_empty; - this->method = NULL; - this->eap_payload = NULL; - this->eap_complete = FALSE; - this->auth_complete = FALSE; - this->eap_identity = NULL; - this->require_mutual = FALSE; + private_eap_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = _build_client, + .process = _process_client, + .is_mutual = _is_mutual, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .received_init = received_init, + .received_nonce = received_nonce, + .sent_init = sent_init, + .sent_nonce = sent_nonce, + ); return &this->public; } @@ -682,25 +672,23 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, chunk_t received_init, chunk_t sent_init) { - private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->received_init = received_init; - this->received_nonce = received_nonce; - this->sent_init = sent_init; - this->sent_nonce = sent_nonce; - this->msk = chunk_empty; - this->method = NULL; - this->eap_payload = NULL; - this->eap_complete = FALSE; - this->auth_complete = FALSE; - this->eap_identity = NULL; - this->require_mutual = FALSE; + private_eap_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = _build_server, + .process = _process_server, + .is_mutual = _is_mutual, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .received_init = received_init, + .received_nonce = received_nonce, + .sent_init = sent_init, + .sent_nonce = sent_nonce, + ); return &this->public; } diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index 3c67f6db6..54b4338bb 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -84,15 +84,15 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) /* we try to deduct the signature scheme from the keysize */ switch (private->get_keysize(private)) { - case 32: + case 256: scheme = SIGN_ECDSA_256; auth_method = AUTH_ECDSA_256; break; - case 48: + case 384: scheme = SIGN_ECDSA_384; auth_method = AUTH_ECDSA_384; break; - case 66: + case 521: scheme = SIGN_ECDSA_521; auth_method = AUTH_ECDSA_521; break; diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index bd41cba56..b6ef31da0 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter @@ -23,6 +23,7 @@ #include <string.h> #include <time.h> +#include <hydra.h> #include <daemon.h> ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING, @@ -179,170 +180,144 @@ struct private_child_sa_t { }; /** - * Implementation of child_sa_t.get_name + * convert an IKEv2 specific protocol identifier to the IP protocol identifier. */ -static char *get_name(private_child_sa_t *this) +static inline u_int8_t proto_ike2ip(protocol_id_t protocol) +{ + switch (protocol) + { + case PROTO_ESP: + return IPPROTO_ESP; + case PROTO_AH: + return IPPROTO_AH; + default: + return protocol; + } +} + +METHOD(child_sa_t, get_name, char*, + private_child_sa_t *this) { return this->config->get_name(this->config); } -/** - * Implements child_sa_t.get_reqid - */ -static u_int32_t get_reqid(private_child_sa_t *this) +METHOD(child_sa_t, get_reqid, u_int32_t, + private_child_sa_t *this) { return this->reqid; } -/** - * Implements child_sa_t.get_config - */ -static child_cfg_t* get_config(private_child_sa_t *this) +METHOD(child_sa_t, get_config, child_cfg_t*, + private_child_sa_t *this) { return this->config; } -/** - * Implements child_sa_t.set_state - */ -static void set_state(private_child_sa_t *this, child_sa_state_t state) +METHOD(child_sa_t, set_state, void, + private_child_sa_t *this, child_sa_state_t state) { charon->bus->child_state_change(charon->bus, &this->public, state); this->state = state; } -/** - * Implements child_sa_t.get_state - */ -static child_sa_state_t get_state(private_child_sa_t *this) +METHOD(child_sa_t, get_state, child_sa_state_t, + private_child_sa_t *this) { return this->state; } -/** - * Implements child_sa_t.get_spi - */ -u_int32_t get_spi(private_child_sa_t *this, bool inbound) +METHOD(child_sa_t, get_spi, u_int32_t, + private_child_sa_t *this, bool inbound) { return inbound ? this->my_spi : this->other_spi; } -/** - * Implements child_sa_t.get_cpi - */ -u_int16_t get_cpi(private_child_sa_t *this, bool inbound) +METHOD(child_sa_t, get_cpi, u_int16_t, + private_child_sa_t *this, bool inbound) { return inbound ? this->my_cpi : this->other_cpi; } -/** - * Implements child_sa_t.get_protocol - */ -protocol_id_t get_protocol(private_child_sa_t *this) +METHOD(child_sa_t, get_protocol, protocol_id_t, + private_child_sa_t *this) { return this->protocol; } -/** - * Implementation of child_sa_t.set_protocol - */ -static void set_protocol(private_child_sa_t *this, protocol_id_t protocol) +METHOD(child_sa_t, set_protocol, void, + private_child_sa_t *this, protocol_id_t protocol) { this->protocol = protocol; } -/** - * Implementation of child_sa_t.get_mode - */ -static ipsec_mode_t get_mode(private_child_sa_t *this) +METHOD(child_sa_t, get_mode, ipsec_mode_t, + private_child_sa_t *this) { return this->mode; } -/** - * Implementation of child_sa_t.set_mode - */ -static void set_mode(private_child_sa_t *this, ipsec_mode_t mode) +METHOD(child_sa_t, set_mode, void, + private_child_sa_t *this, ipsec_mode_t mode) { this->mode = mode; } -/** - * Implementation of child_sa_t.has_encap - */ -static bool has_encap(private_child_sa_t *this) +METHOD(child_sa_t, has_encap, bool, + private_child_sa_t *this) { return this->encap; } -/** - * Implementation of child_sa_t.get_ipcomp - */ -static ipcomp_transform_t get_ipcomp(private_child_sa_t *this) +METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t, + private_child_sa_t *this) { return this->ipcomp; } -/** - * Implementation of child_sa_t.set_ipcomp. - */ -static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp) +METHOD(child_sa_t, set_ipcomp, void, + private_child_sa_t *this, ipcomp_transform_t ipcomp) { this->ipcomp = ipcomp; } -/** - * Implementation of child_sa_t.set_close_action. - */ -static void set_close_action(private_child_sa_t *this, action_t action) +METHOD(child_sa_t, set_close_action, void, + private_child_sa_t *this, action_t action) { this->close_action = action; } -/** - * Implementation of child_sa_t.get_close_action. - */ -static action_t get_close_action(private_child_sa_t *this) +METHOD(child_sa_t, get_close_action, action_t, + private_child_sa_t *this) { return this->close_action; } -/** - * Implementation of child_sa_t.set_dpd_action. - */ -static void set_dpd_action(private_child_sa_t *this, action_t action) +METHOD(child_sa_t, set_dpd_action, void, + private_child_sa_t *this, action_t action) { this->dpd_action = action; } -/** - * Implementation of child_sa_t.get_dpd_action. - */ -static action_t get_dpd_action(private_child_sa_t *this) +METHOD(child_sa_t, get_dpd_action, action_t, + private_child_sa_t *this) { return this->dpd_action; } -/** - * Implementation of child_sa_t.get_proposal - */ -static proposal_t* get_proposal(private_child_sa_t *this) +METHOD(child_sa_t, get_proposal, proposal_t*, + private_child_sa_t *this) { return this->proposal; } -/** - * Implementation of child_sa_t.set_proposal - */ -static void set_proposal(private_child_sa_t *this, proposal_t *proposal) +METHOD(child_sa_t, set_proposal, void, + private_child_sa_t *this, proposal_t *proposal) { this->proposal = proposal->clone(proposal); } -/** - * Implementation of child_sa_t.get_traffic_selectors. - */ -static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local) +METHOD(child_sa_t, get_traffic_selectors, linked_list_t*, + private_child_sa_t *this, bool local) { return local ? this->my_ts : this->other_ts; } @@ -365,11 +340,9 @@ struct policy_enumerator_t { traffic_selector_t *ts; }; -/** - * enumerator function of create_policy_enumerator() - */ -static bool policy_enumerate(policy_enumerator_t *this, - traffic_selector_t **my_out, traffic_selector_t **other_out) +METHOD(enumerator_t, policy_enumerate, bool, + policy_enumerator_t *this, traffic_selector_t **my_out, + traffic_selector_t **other_out) { traffic_selector_t *other_ts; @@ -399,29 +372,29 @@ static bool policy_enumerate(policy_enumerator_t *this, return FALSE; } -/** - * destroy function of create_policy_enumerator() - */ -static void policy_destroy(policy_enumerator_t *this) +METHOD(enumerator_t, policy_destroy, void, + policy_enumerator_t *this) { this->mine->destroy(this->mine); this->other->destroy(this->other); free(this); } -/** - * Implementation of child_sa_t.create_policy_enumerator - */ -static enumerator_t* create_policy_enumerator(private_child_sa_t *this) +METHOD(child_sa_t, create_policy_enumerator, enumerator_t*, + private_child_sa_t *this) { - policy_enumerator_t *e = malloc_thing(policy_enumerator_t); - - e->public.enumerate = (void*)policy_enumerate; - e->public.destroy = (void*)policy_destroy; - e->mine = this->my_ts->create_enumerator(this->my_ts); - e->other = this->other_ts->create_enumerator(this->other_ts); - e->list = this->other_ts; - e->ts = NULL; + policy_enumerator_t *e; + + INIT(e, + .public = { + .enumerate = (void*)_policy_enumerate, + .destroy = _policy_destroy, + }, + .mine = this->my_ts->create_enumerator(this->my_ts), + .other = this->other_ts->create_enumerator(this->other_ts), + .list = this->other_ts, + .ts = NULL, + ); return &e->public; } @@ -441,10 +414,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->my_spi) { - status = charon->kernel_interface->query_sa(charon->kernel_interface, - this->other_addr, this->my_addr, - this->my_spi, this->protocol, - this->mark_in, &bytes); + status = hydra->kernel_interface->query_sa(hydra->kernel_interface, + this->other_addr, this->my_addr, this->my_spi, + proto_ike2ip(this->protocol), this->mark_in, + &bytes); if (status == SUCCESS) { if (bytes > this->my_usebytes) @@ -460,10 +433,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->other_spi) { - status = charon->kernel_interface->query_sa(charon->kernel_interface, - this->my_addr, this->other_addr, - this->other_spi, this->protocol, - this->mark_out, &bytes); + status = hydra->kernel_interface->query_sa(hydra->kernel_interface, + this->my_addr, this->other_addr, this->other_spi, + proto_ike2ip(this->protocol), this->mark_out, + &bytes); if (status == SUCCESS) { if (bytes > this->other_usebytes) @@ -494,14 +467,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound) if (inbound) { - if (charon->kernel_interface->query_policy(charon->kernel_interface, + if (hydra->kernel_interface->query_policy(hydra->kernel_interface, other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) { last_use = max(last_use, in); } if (this->mode != MODE_TRANSPORT) { - if (charon->kernel_interface->query_policy(charon->kernel_interface, + if (hydra->kernel_interface->query_policy(hydra->kernel_interface, other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) { last_use = max(last_use, fwd); @@ -510,7 +483,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound) } else { - if (charon->kernel_interface->query_policy(charon->kernel_interface, + if (hydra->kernel_interface->query_policy(hydra->kernel_interface, my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) { last_use = max(last_use, out); @@ -533,11 +506,8 @@ static void update_usetime(private_child_sa_t *this, bool inbound) } } -/** - * Implementation of child_sa_t.get_usestats - */ -static void get_usestats(private_child_sa_t *this, bool inbound, - time_t *time, u_int64_t *bytes) +METHOD(child_sa_t, get_usestats, void, + private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes) { if (update_usebytes(this, inbound) != FAILED) { @@ -556,48 +526,41 @@ static void get_usestats(private_child_sa_t *this, bool inbound, } } -/** - * Implementation of child_sa_t.get_lifetime - */ -static time_t get_lifetime(private_child_sa_t *this, bool hard) +METHOD(child_sa_t, get_lifetime, time_t, + private_child_sa_t *this, bool hard) { return hard ? this->expire_time : this->rekey_time; } -/** - * Implementation of child_sa_t.alloc_spi - */ -static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol) +METHOD(child_sa_t, alloc_spi, u_int32_t, + private_child_sa_t *this, protocol_id_t protocol) { - if (charon->kernel_interface->get_spi(charon->kernel_interface, - this->other_addr, this->my_addr, protocol, - this->reqid, &this->my_spi) == SUCCESS) + if (hydra->kernel_interface->get_spi(hydra->kernel_interface, + this->other_addr, this->my_addr, + proto_ike2ip(protocol), this->reqid, + &this->my_spi) == SUCCESS) { return this->my_spi; } return 0; } -/** - * Implementation of child_sa_t.alloc_cpi - */ -static u_int16_t alloc_cpi(private_child_sa_t *this) +METHOD(child_sa_t, alloc_cpi, u_int16_t, + private_child_sa_t *this) { - if (charon->kernel_interface->get_cpi(charon->kernel_interface, - this->other_addr, this->my_addr, this->reqid, - &this->my_cpi) == SUCCESS) + if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, + this->other_addr, this->my_addr, + this->reqid, &this->my_cpi) == SUCCESS) { return this->my_cpi; } return 0; } -/** - * Implementation of child_sa_t.install - */ -static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, - u_int32_t spi, u_int16_t cpi, bool inbound, - linked_list_t *my_ts, linked_list_t *other_ts) +METHOD(child_sa_t, install, status_t, + private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi, + u_int16_t cpi, bool inbound, linked_list_t *my_ts, + linked_list_t *other_ts) { u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; traffic_selector_t *src_ts = NULL, *dst_ts = NULL; @@ -674,8 +637,8 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, } } - status = charon->kernel_interface->add_sa(charon->kernel_interface, - src, dst, spi, this->protocol, this->reqid, + status = hydra->kernel_interface->add_sa(hydra->kernel_interface, + src, dst, spi, proto_ike2ip(this->protocol), this->reqid, inbound ? this->mark_in : this->mark_out, lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); @@ -685,11 +648,9 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, return status; } -/** - * Implementation of child_sa_t.add_policies - */ -static status_t add_policies(private_child_sa_t *this, - linked_list_t *my_ts_list, linked_list_t *other_ts_list) +METHOD(child_sa_t, add_policies, status_t, + private_child_sa_t *this, linked_list_t *my_ts_list, + linked_list_t *other_ts_list) { enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; @@ -712,26 +673,55 @@ static status_t add_policies(private_child_sa_t *this, if (this->config->install_policy(this->config)) { + ipsec_sa_cfg_t my_sa = { + .mode = this->mode, + .reqid = this->reqid, + .ipcomp = { + .transform = this->ipcomp, + }, + }, other_sa = my_sa; + + my_sa.ipcomp.cpi = this->my_cpi; + other_sa.ipcomp.cpi = this->other_cpi; + + if (this->protocol == PROTO_ESP) + { + my_sa.esp.use = TRUE; + my_sa.esp.spi = this->my_spi; + other_sa.esp.use = TRUE; + other_sa.esp.spi = this->other_spi; + } + else + { + my_sa.ah.use = TRUE; + my_sa.ah.spi = this->my_spi; + other_sa.ah.use = TRUE; + other_sa.ah.spi = this->other_spi; + } + /* enumerate pairs of traffic selectors */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { /* install 3 policies: out, in and forward */ - status |= charon->kernel_interface->add_policy(charon->kernel_interface, - this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT, - this->other_spi, this->protocol, this->reqid, this->mark_out, - this->mode, this->ipcomp, this->other_cpi, routed); - - status |= charon->kernel_interface->add_policy(charon->kernel_interface, - this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN, - this->my_spi, this->protocol, this->reqid, this->mark_in, - this->mode, this->ipcomp, this->my_cpi, routed); + status |= hydra->kernel_interface->add_policy( + hydra->kernel_interface, + this->my_addr, this->other_addr, my_ts, other_ts, + POLICY_OUT, POLICY_IPSEC, &other_sa, + this->mark_out, routed); + + status |= hydra->kernel_interface->add_policy( + hydra->kernel_interface, + this->other_addr, this->my_addr, other_ts, my_ts, + POLICY_IN, POLICY_IPSEC, &my_sa, + this->mark_in, routed); if (this->mode != MODE_TRANSPORT) { - status |= charon->kernel_interface->add_policy(charon->kernel_interface, - this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD, - this->my_spi, this->protocol, this->reqid, this->mark_in, - this->mode, this->ipcomp, this->my_cpi, routed); + status |= hydra->kernel_interface->add_policy( + hydra->kernel_interface, + this->other_addr, this->my_addr, other_ts, my_ts, + POLICY_FWD, POLICY_IPSEC, &my_sa, + this->mark_in, routed); } if (status != SUCCESS) @@ -749,11 +739,9 @@ static status_t add_policies(private_child_sa_t *this, return status; } -/** - * Implementation of child_sa_t.update. - */ -static status_t update(private_child_sa_t *this, host_t *me, host_t *other, - host_t *vip, bool encap) +METHOD(child_sa_t, update, status_t, + private_child_sa_t *this, host_t *me, host_t *other, host_t *vip, + bool encap) { child_sa_state_t old; bool transport_proxy_mode; @@ -775,8 +763,8 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, /* update our (initator) SA */ if (this->my_spi) { - if (charon->kernel_interface->update_sa(charon->kernel_interface, - this->my_spi, this->protocol, + if (hydra->kernel_interface->update_sa(hydra->kernel_interface, + this->my_spi, proto_ike2ip(this->protocol), this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, this->other_addr, this->my_addr, other, me, this->encap, encap, this->mark_in) == NOT_SUPPORTED) @@ -788,8 +776,8 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, /* update his (responder) SA */ if (this->other_spi) { - if (charon->kernel_interface->update_sa(charon->kernel_interface, - this->other_spi, this->protocol, + if (hydra->kernel_interface->update_sa(hydra->kernel_interface, + this->other_spi, proto_ike2ip(this->protocol), this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, this->my_addr, this->other_addr, me, other, this->encap, encap, this->mark_out) == NOT_SUPPORTED) @@ -801,6 +789,32 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, if (this->config->install_policy(this->config)) { + ipsec_sa_cfg_t my_sa = { + .mode = this->mode, + .reqid = this->reqid, + .ipcomp = { + .transform = this->ipcomp, + }, + }, other_sa = my_sa; + + my_sa.ipcomp.cpi = this->my_cpi; + other_sa.ipcomp.cpi = this->other_cpi; + + if (this->protocol == PROTO_ESP) + { + my_sa.esp.use = TRUE; + my_sa.esp.spi = this->my_spi; + other_sa.esp.use = TRUE; + other_sa.esp.spi = this->other_spi; + } + else + { + my_sa.ah.use = TRUE; + my_sa.ah.spi = this->my_spi; + other_sa.ah.use = TRUE; + other_sa.ah.spi = this->other_spi; + } + /* update policies */ if (!me->ip_equals(me, this->my_addr) || !other->ip_equals(other, this->other_addr)) @@ -813,13 +827,13 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { /* remove old policies first */ - charon->kernel_interface->del_policy(charon->kernel_interface, + hydra->kernel_interface->del_policy(hydra->kernel_interface, my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE); - charon->kernel_interface->del_policy(charon->kernel_interface, + hydra->kernel_interface->del_policy(hydra->kernel_interface, other_ts, my_ts, POLICY_IN, this->mark_in, FALSE); if (this->mode != MODE_TRANSPORT) { - charon->kernel_interface->del_policy(charon->kernel_interface, + hydra->kernel_interface->del_policy(hydra->kernel_interface, other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE); } @@ -839,25 +853,22 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, * correctly */ if (vip) { - charon->kernel_interface->del_ip(charon->kernel_interface, vip); - charon->kernel_interface->add_ip(charon->kernel_interface, vip, me); + hydra->kernel_interface->del_ip(hydra->kernel_interface, vip); + hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me); } /* reinstall updated policies */ - charon->kernel_interface->add_policy(charon->kernel_interface, - me, other, my_ts, other_ts, POLICY_OUT, this->other_spi, - this->protocol, this->reqid, this->mark_out, this->mode, - this->ipcomp, this->other_cpi, FALSE); - charon->kernel_interface->add_policy(charon->kernel_interface, - other, me, other_ts, my_ts, POLICY_IN, this->my_spi, - this->protocol, this->reqid, this->mark_in, this->mode, - this->ipcomp, this->my_cpi, FALSE); + hydra->kernel_interface->add_policy(hydra->kernel_interface, + me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC, + &other_sa, this->mark_out, FALSE); + hydra->kernel_interface->add_policy(hydra->kernel_interface, + other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC, + &my_sa, this->mark_in, FALSE); if (this->mode != MODE_TRANSPORT) { - charon->kernel_interface->add_policy(charon->kernel_interface, - other, me, other_ts, my_ts, POLICY_FWD, this->my_spi, - this->protocol, this->reqid, this->mark_in, this->mode, - this->ipcomp, this->my_cpi, FALSE); + hydra->kernel_interface->add_policy(hydra->kernel_interface, + other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC, + &my_sa, this->mark_in, FALSE); } } enumerator->destroy(enumerator); @@ -885,10 +896,8 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, return SUCCESS; } -/** - * Implementation of child_sa_t.destroy. - */ -static void destroy(private_child_sa_t *this) +METHOD(child_sa_t, destroy, void, + private_child_sa_t *this) { enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; @@ -905,15 +914,17 @@ static void destroy(private_child_sa_t *this) { this->protocol = PROTO_ESP; } - charon->kernel_interface->del_sa(charon->kernel_interface, + hydra->kernel_interface->del_sa(hydra->kernel_interface, this->other_addr, this->my_addr, this->my_spi, - this->protocol, this->my_cpi, this->mark_in); + proto_ike2ip(this->protocol), this->my_cpi, + this->mark_in); } if (this->other_spi) { - charon->kernel_interface->del_sa(charon->kernel_interface, + hydra->kernel_interface->del_sa(hydra->kernel_interface, this->my_addr, this->other_addr, this->other_spi, - this->protocol, this->other_cpi, this->mark_out); + proto_ike2ip(this->protocol), this->other_cpi, + this->mark_out); } if (this->config->install_policy(this->config)) @@ -922,14 +933,14 @@ static void destroy(private_child_sa_t *this) enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - charon->kernel_interface->del_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted); - charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, this->mark_in, unrouted); + hydra->kernel_interface->del_policy(hydra->kernel_interface, + my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted); + hydra->kernel_interface->del_policy(hydra->kernel_interface, + other_ts, my_ts, POLICY_IN, this->mark_in, unrouted); if (this->mode != MODE_TRANSPORT) { - charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted); + hydra->kernel_interface->del_policy(hydra->kernel_interface, + other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted); } } enumerator->destroy(enumerator); @@ -944,75 +955,66 @@ static void destroy(private_child_sa_t *this) free(this); } -/* +/** * Described in header. */ child_sa_t * child_sa_create(host_t *me, host_t* other, child_cfg_t *config, u_int32_t rekey, bool encap) { static u_int32_t reqid = 0; - private_child_sa_t *this = malloc_thing(private_child_sa_t); - - /* public functions */ - this->public.get_name = (char*(*)(child_sa_t*))get_name; - this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid; - this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config; - this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state; - this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state; - this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi; - this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi; - this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol; - this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol; - this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode; - this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode; - this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal; - this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal; - this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime; - this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats; - this->public.has_encap = (bool(*)(child_sa_t*))has_encap; - this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp; - this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp; - this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action; - this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action; - this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action; - this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action; - this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi; - this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi; - this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install; - this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update; - this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies; - this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors; - this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator; - this->public.destroy = (void(*)(child_sa_t*))destroy; - - /* private data */ - this->my_addr = me->clone(me); - this->other_addr = other->clone(other); - this->my_spi = 0; - this->other_spi = 0; - this->my_cpi = 0; - this->other_cpi = 0; - this->encap = encap; - this->ipcomp = IPCOMP_NONE; - this->state = CHILD_CREATED; - this->my_usetime = 0; - this->other_usetime = 0; - this->my_usebytes = 0; - this->other_usebytes = 0; - this->my_ts = linked_list_create(); - this->other_ts = linked_list_create(); - this->protocol = PROTO_NONE; - this->mode = MODE_TUNNEL; - this->close_action = config->get_close_action(config); - this->dpd_action = config->get_dpd_action(config); - this->proposal = NULL; - this->rekey_time = 0; - this->expire_time = 0; + private_child_sa_t *this; + + INIT(this, + .public = { + .get_name = _get_name, + .get_reqid = _get_reqid, + .get_config = _get_config, + .get_state = _get_state, + .set_state = _set_state, + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .get_protocol = _get_protocol, + .set_protocol = _set_protocol, + .get_mode = _get_mode, + .set_mode = _set_mode, + .get_proposal = _get_proposal, + .set_proposal = _set_proposal, + .get_lifetime = _get_lifetime, + .get_usestats = _get_usestats, + .has_encap = _has_encap, + .get_ipcomp = _get_ipcomp, + .set_ipcomp = _set_ipcomp, + .get_close_action = _get_close_action, + .set_close_action = _set_close_action, + .get_dpd_action = _get_dpd_action, + .set_dpd_action = _set_dpd_action, + .alloc_spi = _alloc_spi, + .alloc_cpi = _alloc_cpi, + .install = _install, + .update = _update, + .add_policies = _add_policies, + .get_traffic_selectors = _get_traffic_selectors, + .create_policy_enumerator = _create_policy_enumerator, + .destroy = _destroy, + }, + .my_addr = me->clone(me), + .other_addr = other->clone(other), + .encap = encap, + .ipcomp = IPCOMP_NONE, + .state = CHILD_CREATED, + .my_ts = linked_list_create(), + .other_ts = linked_list_create(), + .protocol = PROTO_NONE, + .mode = MODE_TUNNEL, + .close_action = config->get_close_action(config), + .dpd_action = config->get_dpd_action(config), + .reqid = config->get_reqid(config), + .mark_in = config->get_mark(config, TRUE), + .mark_out = config->get_mark(config, FALSE), + ); + this->config = config; config->get_ref(config); - this->reqid = config->get_reqid(config); - this->mark_in = config->get_mark(config, TRUE); - this->mark_out = config->get_mark(config, FALSE); if (!this->reqid) { diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c index b78ba070d..1fb286863 100644 --- a/src/libcharon/sa/connect_manager.c +++ b/src/libcharon/sa/connect_manager.c @@ -932,7 +932,7 @@ static void update_checklist_state(private_connect_manager_t *this, callback_data_t *data = callback_data_create(this, checklist->connect_id); job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL); - charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH); + lib->scheduler->schedule_job_ms(lib->scheduler, job, ME_WAIT_TO_FINISH); checklist->is_finishing = TRUE; } @@ -1031,7 +1031,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t * DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto); - charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto); + lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)job, rto); } /** @@ -1064,7 +1064,7 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist, DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth); packet_t *packet; - if (message->generate(message, NULL, NULL, &packet) == SUCCESS) + if (message->generate(message, NULL, &packet) == SUCCESS) { charon->sender->send(charon->sender, packet->clone(packet)); @@ -1170,7 +1170,7 @@ static void schedule_checks(private_connect_manager_t *this, check_list_t *check { callback_data_t *data = callback_data_create(this, checklist->connect_id); checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL); - charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time); + lib->scheduler->schedule_job_ms(lib->scheduler, checklist->sender, time); } /** @@ -1222,7 +1222,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli initiate_data_t *data = initiate_data_create(checklist, initiated); job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); return; } else @@ -1357,7 +1357,7 @@ static void process_request(private_connect_manager_t *this, check_t *check, */ static void process_check(private_connect_manager_t *this, message_t *message) { - if (message->parse_body(message, NULL, NULL) != SUCCESS) + if (message->parse_body(message, NULL) != SUCCESS) { DBG1(DBG_IKE, "%N %s with message ID %d processing failed", exchange_type_names, message->get_exchange_type(message), @@ -1477,7 +1477,7 @@ static void check_and_initiate(private_connect_manager_t *this, { job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa, waiting_sa); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); } iterator->destroy(iterator); diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 7536662ca..a4e4028ab 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -24,8 +24,8 @@ #include "ike_sa.h" #include <library.h> -#include <daemon.h> #include <hydra.h> +#include <daemon.h> #include <utils/linked_list.h> #include <utils/lexparser.h> #include <sa/task_manager.h> @@ -470,8 +470,8 @@ METHOD(ike_sa_t, send_keepalive, void, diff = 0; } job = send_keepalive_job_create(this->ike_sa_id); - charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, - this->keepalive_interval - diff); + lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, + this->keepalive_interval - diff); } METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, @@ -605,7 +605,7 @@ METHOD(ike_sa_t, send_dpd, status_t, } /* recheck in "interval" seconds */ job = (job_t*)send_dpd_job_create(this->ike_sa_id); - charon->scheduler->schedule_job(charon->scheduler, job, delay - diff); + lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); return SUCCESS; } @@ -644,7 +644,7 @@ METHOD(ike_sa_t, set_state, void, { this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED]; job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE); - charon->scheduler->schedule_job(charon->scheduler, job, t); + lib->scheduler->schedule_job(lib->scheduler, job, t); DBG1(DBG_IKE, "scheduling rekeying in %ds", t); } t = this->peer_cfg->get_reauth_time(this->peer_cfg); @@ -653,7 +653,7 @@ METHOD(ike_sa_t, set_state, void, { this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED]; job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE); - charon->scheduler->schedule_job(charon->scheduler, job, t); + lib->scheduler->schedule_job(lib->scheduler, job, t); DBG1(DBG_IKE, "scheduling reauthentication in %ds", t); } t = this->peer_cfg->get_over_time(this->peer_cfg); @@ -675,7 +675,7 @@ METHOD(ike_sa_t, set_state, void, this->stats[STAT_DELETE] += t; t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED]; job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); - charon->scheduler->schedule_job(charon->scheduler, job, t); + lib->scheduler->schedule_job(lib->scheduler, job, t); DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t); } @@ -688,8 +688,8 @@ METHOD(ike_sa_t, set_state, void, { /* delete may fail if a packet gets lost, so set a timeout */ job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); - charon->scheduler->schedule_job(charon->scheduler, job, - HALF_OPEN_IKE_SA_TIMEOUT); + lib->scheduler->schedule_job(lib->scheduler, job, + HALF_OPEN_IKE_SA_TIMEOUT); break; } default: @@ -730,14 +730,14 @@ METHOD(ike_sa_t, set_virtual_ip, void, if (local) { DBG1(DBG_IKE, "installing new virtual IP %H", ip); - if (charon->kernel_interface->add_ip(charon->kernel_interface, ip, - this->my_host) == SUCCESS) + if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip, + this->my_host) == SUCCESS) { if (this->my_virtual_ip) { DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip); - charon->kernel_interface->del_ip(charon->kernel_interface, - this->my_virtual_ip); + hydra->kernel_interface->del_ip(hydra->kernel_interface, + this->my_virtual_ip); } DESTROY_IF(this->my_virtual_ip); this->my_virtual_ip = ip->clone(ip); @@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t, return this->pending_updates; } +METHOD(ike_sa_t, float_ports, void, + private_ike_sa_t *this) +{ + /* do not switch if we have a custom port from MOBIKE/NAT */ + if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT) + { + this->my_host->set_port(this->my_host, IKEV2_NATT_PORT); + } + if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT) + { + this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); + } +} + METHOD(ike_sa_t, update_hosts, void, private_ike_sa_t *this, host_t *me, host_t *other) { @@ -843,10 +857,8 @@ METHOD(ike_sa_t, update_hosts, void, if (!other->equals(other, this->other_host)) { - /* update others adress if we are NOT NATed, - * and allow port changes if we are NATed */ - if (!has_condition(this, COND_NAT_HERE) || - other->ip_equals(other, this->other_host)) + /* update others adress if we are NOT NATed */ + if (!has_condition(this, COND_NAT_HERE)) { set_other_host(this, other->clone(other)); update = TRUE; @@ -882,8 +894,7 @@ METHOD(ike_sa_t, generate_message, status_t, this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); return message->generate(message, - this->keymat->get_crypter(this->keymat, FALSE), - this->keymat->get_signer(this->keymat, FALSE), packet); + this->keymat->get_aead(this->keymat, FALSE), packet); } /** @@ -1049,8 +1060,8 @@ static void resolve_hosts(private_ike_sa_t *this) !this->other_host->is_anyaddr(this->other_host)) { host->destroy(host); - host = charon->kernel_interface->get_source_addr( - charon->kernel_interface, this->other_host, NULL); + host = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, this->other_host, NULL); if (host) { host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg)); @@ -1150,7 +1161,7 @@ METHOD(ike_sa_t, initiate, status_t, { /* mediated connection, initiate mediation process */ job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); return SUCCESS; } #endif /* ME */ @@ -1173,8 +1184,7 @@ METHOD(ike_sa_t, process_message, status_t, is_request = message->get_request(message); status = message->parse_body(message, - this->keymat->get_crypter(this->keymat, TRUE), - this->keymat->get_signer(this->keymat, TRUE)); + this->keymat->get_aead(this->keymat, TRUE)); if (status != SUCCESS) { @@ -1229,15 +1239,12 @@ METHOD(ike_sa_t, process_message, status_t, } else { - host_t *me, *other; - - me = message->get_destination(message); - other = message->get_source(message); - /* if this IKE_SA is virgin, we check for a config */ if (this->ike_cfg == NULL) { job_t *job; + host_t *me = message->get_destination(message), + *other = message->get_source(message); this->ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other); if (this->ike_cfg == NULL) @@ -1250,20 +1257,12 @@ METHOD(ike_sa_t, process_message, status_t, } /* add a timeout if peer does not establish it completely */ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE); - charon->scheduler->schedule_job(charon->scheduler, job, - HALF_OPEN_IKE_SA_TIMEOUT); + lib->scheduler->schedule_job(lib->scheduler, job, + HALF_OPEN_IKE_SA_TIMEOUT); } this->stats[STAT_INBOUND] = time_monotonic(NULL); - /* check if message is trustworthy, and update host information */ - if (this->state == IKE_CREATED || this->state == IKE_CONNECTING || - message->get_exchange_type(message) != IKE_SA_INIT) - { - if (!supports_extension(this, EXT_MOBIKE)) - { /* with MOBIKE, we do no implicit updates */ - update_hosts(this, me, other); - } - } - status = this->task_manager->process_message(this->task_manager, message); + status = this->task_manager->process_message(this->task_manager, + message); if (message->get_exchange_type(message) == IKE_AUTH && this->state == IKE_ESTABLISHED && lib->settings->get_bool(lib->settings, @@ -1697,7 +1696,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void, { DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication", lifetime); - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE)); } else if (this->stats[STAT_REAUTH] == 0 || @@ -1706,7 +1705,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void, this->stats[STAT_REAUTH] = reauth_time; DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication" " in %ds", lifetime, lifetime - reduction); - charon->scheduler->schedule_job(charon->scheduler, + lib->scheduler->schedule_job(lib->scheduler, (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), lifetime - reduction); } @@ -1718,10 +1717,65 @@ METHOD(ike_sa_t, set_auth_lifetime, void, } } +/** + * Check if the current combination of source and destination address is still + * valid. + */ +static bool is_current_path_valid(private_ike_sa_t *this) +{ + bool valid = FALSE; + host_t *src; + src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + this->other_host, this->my_host); + if (src) + { + if (src->ip_equals(src, this->my_host)) + { + valid = TRUE; + } + src->destroy(src); + } + return valid; +} + +/** + * Check if we have any path avialable for this IKE SA. + */ +static bool is_any_path_valid(private_ike_sa_t *this) +{ + bool valid = FALSE; + enumerator_t *enumerator; + host_t *src, *addr; + DBG1(DBG_IKE, "old path is not available anymore, try to find another"); + src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + this->other_host, NULL); + if (!src) + { + enumerator = this->additional_addresses->create_enumerator( + this->additional_addresses); + while (enumerator->enumerate(enumerator, &addr)) + { + DBG1(DBG_IKE, "looking for a route to %H ...", addr); + src = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, addr, NULL); + if (src) + { + break; + } + } + enumerator->destroy(enumerator); + } + if (src) + { + valid = TRUE; + src->destroy(src); + } + return valid; +} + METHOD(ike_sa_t, roam, status_t, private_ike_sa_t *this, bool address) { - host_t *src; ike_mobike_t *mobike; switch (this->state) @@ -1734,81 +1788,61 @@ METHOD(ike_sa_t, roam, status_t, default: break; } - /* responder just updates the peer about changed address config */ - if (!this->ike_sa_id->is_initiator(this->ike_sa_id)) + + /* keep existing path if possible */ + if (is_current_path_valid(this)) { + DBG2(DBG_IKE, "keeping connection path %H - %H", + this->my_host, this->other_host); + set_condition(this, COND_STALE, FALSE); + if (supports_extension(this, EXT_MOBIKE) && address) - { + { /* if any addresses changed, send an updated list */ DBG1(DBG_IKE, "sending address list update using MOBIKE"); mobike = ike_mobike_create(&this->public, TRUE); - this->task_manager->queue_task(this->task_manager, (task_t*)mobike); + mobike->addresses(mobike); + this->task_manager->queue_task(this->task_manager, + (task_t*)mobike); return this->task_manager->initiate(this->task_manager); } return SUCCESS; } - /* keep existing path if possible */ - src = charon->kernel_interface->get_source_addr(charon->kernel_interface, - this->other_host, this->my_host); - if (src) + if (!is_any_path_valid(this)) { - if (src->ip_equals(src, this->my_host)) - { - DBG2(DBG_IKE, "keeping connection path %H - %H", - src, this->other_host); - src->destroy(src); - set_condition(this, COND_STALE, FALSE); - return SUCCESS; - } - src->destroy(src); - - } - else - { - /* check if we find a route at all */ - enumerator_t *enumerator; - host_t *addr; - - src = charon->kernel_interface->get_source_addr(charon->kernel_interface, - this->other_host, NULL); - if (!src) - { - enumerator = this->additional_addresses->create_enumerator( - this->additional_addresses); - while (enumerator->enumerate(enumerator, &addr)) - { - DBG1(DBG_IKE, "looking for a route to %H ...", addr); - src = charon->kernel_interface->get_source_addr( - charon->kernel_interface, addr, NULL); - if (src) - { - break; - } - } - enumerator->destroy(enumerator); - } - if (!src) - { - DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", - this->other_host); - set_condition(this, COND_STALE, TRUE); - return SUCCESS; - } - src->destroy(src); + DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", + this->other_host); + set_condition(this, COND_STALE, TRUE); + return SUCCESS; } set_condition(this, COND_STALE, FALSE); /* update addresses with mobike, if supported ... */ if (supports_extension(this, EXT_MOBIKE)) { - DBG1(DBG_IKE, "requesting address change using MOBIKE"); + if (!has_condition(this, COND_ORIGINAL_INITIATOR)) + { /* responder updates the peer about changed address config */ + DBG1(DBG_IKE, "sending address list update using MOBIKE, " + "implicitly requesting an address change"); + address = TRUE; + } + else + { + DBG1(DBG_IKE, "requesting address change using MOBIKE"); + } mobike = ike_mobike_create(&this->public, TRUE); mobike->roam(mobike, address); this->task_manager->queue_task(this->task_manager, (task_t*)mobike); return this->task_manager->initiate(this->task_manager); } - DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change"); + /* ... reauth if not */ + if (!has_condition(this, COND_ORIGINAL_INITIATOR)) + { /* responder does not reauthenticate */ + set_condition(this, COND_STALE, TRUE); + return SUCCESS; + } + DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change"); return reauth(this); } @@ -1907,9 +1941,9 @@ METHOD(ike_sa_t, inherit, status_t, this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete; DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, " "lifetime reduced to %ds", reauth, delete); - charon->scheduler->schedule_job(charon->scheduler, + lib->scheduler->schedule_job(lib->scheduler, (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth); - charon->scheduler->schedule_job(charon->scheduler, + lib->scheduler->schedule_job(lib->scheduler, (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete); } /* we have to initate here, there may be new tasks to handle */ @@ -1946,8 +1980,8 @@ METHOD(ike_sa_t, destroy, void, if (this->my_virtual_ip) { - charon->kernel_interface->del_ip(charon->kernel_interface, - this->my_virtual_ip); + hydra->kernel_interface->del_ip(hydra->kernel_interface, + this->my_virtual_ip); this->my_virtual_ip->destroy(this->my_virtual_ip); } if (this->other_virtual_ip) @@ -2025,6 +2059,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) .get_other_host = _get_other_host, .set_other_host = _set_other_host, .set_message_id = _set_message_id, + .float_ports = _float_ports, .update_hosts = _update_hosts, .get_my_id = _get_my_id, .set_my_id = _set_my_id, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index 34842a573..c0007e27d 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -329,6 +329,14 @@ struct ike_sa_t { void (*set_other_host) (ike_sa_t *this, host_t *other); /** + * Float to port 4500 (e.g. if a NAT is detected). + * + * The port of either endpoint is changed only if it is currently + * set to the default value of 500. + */ + void (*float_ports)(ike_sa_t *this); + + /** * Update the IKE_SAs host. * * Hosts may be NULL to use current host. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index c71c3b297..fa94bb86d 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1613,6 +1613,9 @@ static void flush(private_ike_sa_manager_t *this) enumerator->destroy(enumerator); charon->bus->set_sa(charon->bus, NULL); unlock_all_segments(this); + + this->rng->destroy(this->rng); + this->hasher->destroy(this->hasher); } /** @@ -1652,8 +1655,6 @@ static void destroy(private_ike_sa_manager_t *this) free(this->half_open_segments); free(this->connected_peers_segments); - this->rng->destroy(this->rng); - this->hasher->destroy(this->hasher); free(this); } diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index 38f5454e1..f4eabf808 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -199,6 +199,8 @@ struct ike_sa_manager_t { * Delete all existing IKE_SAs and destroy them immediately. * * Threads will be driven out, so all SAs can be deleted cleanly. + * To a flush(), an immediate call to destroy() is mandatory; no other + * method may be used. */ void (*flush)(ike_sa_manager_t *this); diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index 837cbe428..878ad124f 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -36,24 +36,14 @@ struct private_keymat_t { bool initiator; /** - * inbound signer (verify) + * inbound AEAD */ - signer_t *signer_in; + aead_t *aead_in; /** - * outbound signer (sign) + * outbound AEAD */ - signer_t *signer_out; - - /** - * inbound crypter (decrypt) - */ - crypter_t *crypter_in; - - /** - * outbound crypter (encrypt) - */ - crypter_t *crypter_out; + aead_t *aead_out; /** * General purpose PRF @@ -134,30 +124,135 @@ static int lookup_keylen(keylen_entry_t *list, int algo) return 0; } +METHOD(keymat_t, create_dh, diffie_hellman_t*, + private_keymat_t *this, diffie_hellman_group_t group) +{ + return lib->crypto->create_dh(lib->crypto, group);; +} + /** - * Implementation of keymat_t.create_dh + * Derive IKE keys for a combined AEAD algorithm */ -static diffie_hellman_t* create_dh(private_keymat_t *this, - diffie_hellman_group_t group) +static bool derive_ike_aead(private_keymat_t *this, u_int16_t alg, + u_int16_t key_size, prf_plus_t *prf_plus) { - return lib->crypto->create_dh(lib->crypto, group);; + aead_t *aead_i, *aead_r; + chunk_t key; + + /* SK_ei/SK_er used for encryption */ + aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + if (aead_i == NULL || aead_r == NULL) + { + DBG1(DBG_IKE, "%N %N (key size %d) not supported!", + transform_type_names, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, alg, key_size); + return FALSE; + } + key_size = aead_i->get_key_size(aead_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ei secret %B", &key); + aead_i->set_key(aead_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_er secret %B", &key); + aead_r->set_key(aead_r, key); + chunk_clear(&key); + + if (this->initiator) + { + this->aead_in = aead_r; + this->aead_out = aead_i; + } + else + { + this->aead_in = aead_i; + this->aead_out = aead_r; + } + return TRUE; } /** - * Implementation of keymat_t.derive_keys + * Derive IKE keys for traditional encryption and MAC algorithms */ -static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, - diffie_hellman_t *dh, chunk_t nonce_i, - chunk_t nonce_r, ike_sa_id_t *id, - pseudo_random_function_t rekey_function, - chunk_t rekey_skd) +static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg, + u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus) { - chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; - chunk_t spi_i, spi_r; crypter_t *crypter_i, *crypter_r; signer_t *signer_i, *signer_r; + size_t key_size; + chunk_t key; + + /* SK_ai/SK_ar used for integrity protection */ + signer_i = lib->crypto->create_signer(lib->crypto, int_alg); + signer_r = lib->crypto->create_signer(lib->crypto, int_alg); + if (signer_i == NULL || signer_r == NULL) + { + DBG1(DBG_IKE, "%N %N not supported!", + transform_type_names, INTEGRITY_ALGORITHM, + integrity_algorithm_names, int_alg); + return FALSE; + } + key_size = signer_i->get_key_size(signer_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ai secret %B", &key); + signer_i->set_key(signer_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ar secret %B", &key); + signer_r->set_key(signer_r, key); + chunk_clear(&key); + + /* SK_ei/SK_er used for encryption */ + crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8); + crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8); + if (crypter_i == NULL || crypter_r == NULL) + { + DBG1(DBG_IKE, "%N %N (key size %d) not supported!", + transform_type_names, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, enc_alg, key_size); + signer_i->destroy(signer_i); + signer_r->destroy(signer_r); + return FALSE; + } + key_size = crypter_i->get_key_size(crypter_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ei secret %B", &key); + crypter_i->set_key(crypter_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_er secret %B", &key); + crypter_r->set_key(crypter_r, key); + chunk_clear(&key); + + if (this->initiator) + { + this->aead_in = aead_create(crypter_r, signer_r); + this->aead_out = aead_create(crypter_i, signer_i); + } + else + { + this->aead_in = aead_create(crypter_i, signer_i); + this->aead_out = aead_create(crypter_r, signer_r); + } + return TRUE; +} + +METHOD(keymat_t, derive_ike_keys, bool, + private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, + pseudo_random_function_t rekey_function, chunk_t rekey_skd) +{ + chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; + chunk_t spi_i, spi_r; prf_plus_t *prf_plus; - u_int16_t alg, key_size; + u_int16_t alg, key_size, int_alg; prf_t *rekey_prf = NULL; spi_i = chunk_alloca(sizeof(u_int64_t)); @@ -195,6 +290,9 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does * not and therefore fixed key semantics apply to XCBC for key * derivation. */ + case PRF_CAMELLIA128_XCBC: + /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we + * assume fixed key length. */ key_size = this->prf->get_key_size(this->prf)/2; nonce_i.len = min(nonce_i.len, key_size); nonce_r.len = min(nonce_r.len, key_size); @@ -255,50 +353,6 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, prf_plus->allocate_bytes(prf_plus, key_size, &this->skd); DBG4(DBG_IKE, "Sk_d secret %B", &this->skd); - /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */ - if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) - { - DBG1(DBG_IKE, "no %N selected", - transform_type_names, INTEGRITY_ALGORITHM); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - signer_i = lib->crypto->create_signer(lib->crypto, alg); - signer_r = lib->crypto->create_signer(lib->crypto, alg); - if (signer_i == NULL || signer_r == NULL) - { - DBG1(DBG_IKE, "%N %N not supported!", - transform_type_names, INTEGRITY_ALGORITHM, - integrity_algorithm_names ,alg); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - key_size = signer_i->get_key_size(signer_i); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ai secret %B", &key); - signer_i->set_key(signer_i, key); - chunk_clear(&key); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ar secret %B", &key); - signer_r->set_key(signer_r, key); - chunk_clear(&key); - - if (this->initiator) - { - this->signer_in = signer_r; - this->signer_out = signer_i; - } - else - { - this->signer_in = signer_i; - this->signer_out = signer_r; - } - - /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */ if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size)) { DBG1(DBG_IKE, "no %N selected", @@ -307,38 +361,33 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, DESTROY_IF(rekey_prf); return FALSE; } - crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); - crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); - if (crypter_i == NULL || crypter_r == NULL) - { - DBG1(DBG_IKE, "%N %N (key size %d) not supported!", - transform_type_names, ENCRYPTION_ALGORITHM, - encryption_algorithm_names, alg, key_size); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - key_size = crypter_i->get_key_size(crypter_i); - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ei secret %B", &key); - crypter_i->set_key(crypter_i, key); - chunk_clear(&key); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_er secret %B", &key); - crypter_r->set_key(crypter_r, key); - chunk_clear(&key); - - if (this->initiator) + if (encryption_algorithm_is_aead(alg)) { - this->crypter_in = crypter_r; - this->crypter_out = crypter_i; + if (!derive_ike_aead(this, alg, key_size, prf_plus)) + { + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } } else { - this->crypter_in = crypter_i; - this->crypter_out = crypter_r; + if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, + &int_alg, NULL)) + { + DBG1(DBG_IKE, "no %N selected", + transform_type_names, INTEGRITY_ALGORITHM); + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } + if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus)) + { + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } } /* SK_pi/SK_pr used for authentication => stored for later */ @@ -371,14 +420,10 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, return TRUE; } -/** - * Implementation of keymat_t.derive_child_keys - */ -static bool derive_child_keys(private_keymat_t *this, - proposal_t *proposal, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, - chunk_t *encr_i, chunk_t *integ_i, - chunk_t *encr_r, chunk_t *integ_r) +METHOD(keymat_t, derive_child_keys, bool, + private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, + chunk_t *encr_r, chunk_t *integ_r) { u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0; chunk_t seed, secret = chunk_empty; @@ -480,37 +525,22 @@ static bool derive_child_keys(private_keymat_t *this, return TRUE; } -/** - * Implementation of keymat_t.get_skd - */ -static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd) +METHOD(keymat_t, get_skd, pseudo_random_function_t, + private_keymat_t *this, chunk_t *skd) { *skd = this->skd; return this->prf_alg; } -/** - * Implementation of keymat_t.get_signer - */ -static signer_t* get_signer(private_keymat_t *this, bool in) -{ - return in ? this->signer_in : this->signer_out; -} - -/** - * Implementation of keymat_t.get_crypter - */ -static crypter_t* get_crypter(private_keymat_t *this, bool in) +METHOD(keymat_t, get_aead, aead_t*, + private_keymat_t *this, bool in) { - return in ? this->crypter_in : this->crypter_out; + return in ? this->aead_in : this->aead_out; } -/** - * Implementation of keymat_t.get_auth_octets - */ -static chunk_t get_auth_octets(private_keymat_t *this, bool verify, - chunk_t ike_sa_init, chunk_t nonce, - identification_t *id) +METHOD(keymat_t, get_auth_octets, chunk_t, + private_keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, identification_t *id) { chunk_t chunk, idx, octets; chunk_t skp; @@ -538,12 +568,9 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify, #define IKEV2_KEY_PAD "Key Pad for IKEv2" #define IKEV2_KEY_PAD_LENGTH 17 -/** - * Implementation of keymat_t.get_psk_sig - */ -static chunk_t get_psk_sig(private_keymat_t *this, bool verify, - chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, - identification_t *id) +METHOD(keymat_t, get_psk_sig, chunk_t, + private_keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, chunk_t secret, identification_t *id) { chunk_t key_pad, key, sig, octets; @@ -567,15 +594,11 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify, return sig; } -/** - * Implementation of keymat_t.destroy. - */ -static void destroy(private_keymat_t *this) +METHOD(keymat_t, destroy, void, + private_keymat_t *this) { - DESTROY_IF(this->signer_in); - DESTROY_IF(this->signer_out); - DESTROY_IF(this->crypter_in); - DESTROY_IF(this->crypter_out); + DESTROY_IF(this->aead_in); + DESTROY_IF(this->aead_out); DESTROY_IF(this->prf); chunk_clear(&this->skd); chunk_clear(&this->skp_verify); @@ -588,29 +611,22 @@ static void destroy(private_keymat_t *this) */ keymat_t *keymat_create(bool initiator) { - private_keymat_t *this = malloc_thing(private_keymat_t); - - this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh; - this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys; - this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys; - this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd; - this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer; - this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter; - this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets; - this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig; - this->public.destroy = (void(*)(keymat_t*))destroy; - - this->initiator = initiator; - - this->signer_in = NULL; - this->signer_out = NULL; - this->crypter_in = NULL; - this->crypter_out = NULL; - this->prf = NULL; - this->prf_alg = PRF_UNDEFINED; - this->skd = chunk_empty; - this->skp_verify = chunk_empty; - this->skp_build = chunk_empty; + private_keymat_t *this; + + INIT(this, + .public = { + .create_dh = _create_dh, + .derive_ike_keys = _derive_ike_keys, + .derive_child_keys = _derive_child_keys, + .get_skd = _get_skd, + .get_aead = _get_aead, + .get_auth_octets = _get_auth_octets, + .get_psk_sig = _get_psk_sig, + .destroy = _destroy, + }, + .initiator = initiator, + .prf_alg = PRF_UNDEFINED, + ); return &this->public; } diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index e51709e8d..4f01aa411 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -24,8 +24,7 @@ #include <library.h> #include <utils/identification.h> #include <crypto/prfs/prf.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> +#include <crypto/aead.h> #include <config/proposal.h> #include <sa/ike_sa_id.h> @@ -99,21 +98,13 @@ struct keymat_t { */ pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd); - /** - * Get a signer to sign/verify IKE messages. - * - * @param in TRUE for inbound (verify), FALSE for outbound (sign) - * @return signer - */ - signer_t* (*get_signer)(keymat_t *this, bool in); - /* - * Get a crypter to en-/decrypt IKE messages. + * Get a AEAD transform to en-/decrypt and sign/verify IKE messages. * * @param in TRUE for inbound (decrypt), FALSE for outbound (encrypt) * @return crypter */ - crypter_t* (*get_crypter)(keymat_t *this, bool in); + aead_t* (*get_aead)(keymat_t *this, bool in); /** * Generate octets to use for authentication procedure (RFC4306 2.15). diff --git a/src/libcharon/sa/mediation_manager.c b/src/libcharon/sa/mediation_manager.c index 035f49053..2fbab7c7c 100644 --- a/src/libcharon/sa/mediation_manager.c +++ b/src/libcharon/sa/mediation_manager.c @@ -241,7 +241,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe (void**)&requester) == SUCCESS) { job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); requester->destroy(requester); } diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index a68826440..18703ce36 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -274,7 +274,7 @@ METHOD(task_manager_t, retransmit, status_t, this->initiating.retransmitted++; job = (job_t*)retransmit_job_create(this->initiating.mid, this->ike_sa->get_id(this->ike_sa)); - charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout); + lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout); } return SUCCESS; } @@ -883,11 +883,21 @@ METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { u_int32_t mid = msg->get_message_id(msg); + host_t *me = msg->get_destination(msg), *other = msg->get_source(msg); if (msg->get_request(msg)) { if (mid == this->responding.mid) { + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING || + msg->get_exchange_type(msg) != IKE_SA_INIT) + { /* only do host updates based on verified messages */ + if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) + { /* with MOBIKE, we do no implicit updates */ + this->ike_sa->update_hosts(this->ike_sa, me, other); + } + } charon->bus->message(charon->bus, msg, TRUE); if (process_request(this, msg) != SUCCESS) { @@ -920,6 +930,15 @@ METHOD(task_manager_t, process_message, status_t, { if (mid == this->initiating.mid) { + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING || + msg->get_exchange_type(msg) != IKE_SA_INIT) + { /* only do host updates based on verified messages */ + if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) + { /* with MOBIKE, we do no implicit updates */ + this->ike_sa->update_hosts(this->ike_sa, me, other); + } + } charon->bus->message(charon->bus, msg, TRUE); if (process_response(this, msg) != SUCCESS) { diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 3de27ee3f..57beedba9 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -261,7 +261,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this) { close_ike = lib->settings->get_bool(lib->settings, "charon.inactivity_close_ike", FALSE); - charon->scheduler->schedule_job(charon->scheduler, (job_t*) + lib->scheduler->schedule_job(lib->scheduler, (job_t*) inactivity_job_create(this->child_sa->get_reqid(this->child_sa), timeout, close_ike), timeout); } @@ -871,7 +871,7 @@ static void handle_child_sa_failure(private_child_create_t *this, /* we delay the delete for 100ms, as the IKE_AUTH response must arrive * first */ DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure"); - charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*) + lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*) delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 100); } diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c index b0cd30e1e..45e97e4cd 100644 --- a/src/libcharon/sa/tasks/child_delete.c +++ b/src/libcharon/sa/tasks/child_delete.c @@ -117,11 +117,10 @@ static void build_payloads(private_child_delete_t *this, message_t *message) */ static void process_payloads(private_child_delete_t *this, message_t *message) { - enumerator_t *payloads; - iterator_t *spis; + enumerator_t *payloads, *spis; payload_t *payload; delete_payload_t *delete_payload; - u_int32_t *spi; + u_int32_t spi; protocol_id_t protocol; child_sa_t *child_sa; @@ -136,19 +135,19 @@ static void process_payloads(private_child_delete_t *this, message_t *message) { continue; } - spis = delete_payload->create_spi_iterator(delete_payload); - while (spis->iterate(spis, (void**)&spi)) + spis = delete_payload->create_spi_enumerator(delete_payload); + while (spis->enumerate(spis, &spi)) { child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, - *spi, FALSE); + spi, FALSE); if (child_sa == NULL) { DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, " - "but no such SA", protocol_id_names, protocol, ntohl(*spi)); + "but no such SA", protocol_id_names, protocol, ntohl(spi)); continue; } DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x", - protocol_id_names, protocol, ntohl(*spi)); + protocol_id_names, protocol, ntohl(spi)); switch (child_sa->get_state(child_sa)) { @@ -161,7 +160,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message) if (!this->initiator) { this->ike_sa->destroy_child_sa(this->ike_sa, - protocol, *spi); + protocol, spi); continue; } case CHILD_INSTALLED: diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index fb3452efd..fdaaea4b8 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c @@ -75,6 +75,15 @@ struct private_child_rekey_t { * colliding task, may be delete or rekey */ task_t *collision; + + /** + * Indicate that peer destroyed the redundant child from collision. + * This happens if a peer's delete notification for the redundant + * child gets processed before the rekey job. If so, we must not + * touch the child created in the collision since it points to + * memory already freed. + */ + bool other_child_destroyed; }; /** @@ -239,9 +248,13 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) DBG1(DBG_IKE, "CHILD_SA rekey collision won, " "deleting rekeyed child"); to_delete = this->child_sa; - /* disable close action for the redundand child */ - child_sa = other->child_create->get_child(other->child_create); - child_sa->set_close_action(child_sa, ACTION_NONE); + /* don't touch child other created, it has already been deleted */ + if (!this->other_child_destroyed) + { + /* disable close action for the redundand child */ + child_sa = other->child_create->get_child(other->child_create); + child_sa->set_close_action(child_sa, ACTION_NONE); + } } else { @@ -286,7 +299,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, " "starting reauthentication"); this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)rekey_ike_sa_job_create( this->ike_sa->get_id(this->ike_sa), TRUE)); return SUCCESS; @@ -316,7 +329,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) DBG1(DBG_IKE, "CHILD_SA rekeying failed, " "trying again in %d seconds", retry); this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); - charon->scheduler->schedule_job(charon->scheduler, job, retry); + lib->scheduler->schedule_job(lib->scheduler, job, retry); } return SUCCESS; } @@ -380,6 +393,13 @@ static void collide(private_child_rekey_t *this, task_t *other) else if (other->get_type(other) == CHILD_DELETE) { child_delete_t *del = (child_delete_t*)other; + if (del->get_child(del) == this->child_create->get_child(this->child_create)) + { + /* peer deletes redundant child created in collision */ + this->other_child_destroyed = TRUE; + other->destroy(other); + return; + } if (del == NULL || del->get_child(del) != this->child_sa) { /* not the same child => no collision */ @@ -466,6 +486,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, this->spi = spi; this->collision = NULL; this->child_delete = NULL; + this->other_child_destroyed = FALSE; return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index a954782f2..b440ec811 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -481,9 +481,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) { this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH); } - if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) && - message->get_notify(message, EAP_ONLY_AUTHENTICATION)) - { /* EAP-only has no official notify, accept only from strongSwan */ + if (message->get_notify(message, EAP_ONLY_AUTHENTICATION)) + { this->ike_sa->enable_extension(this->ike_sa, EXT_EAP_ONLY_AUTHENTICATION); } @@ -538,6 +537,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) { cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id)); } + id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY); + if (id) + { + cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id)); + } } /* verify authentication data */ @@ -821,7 +825,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) break; default: { - if (type < 16383) + if (type <= 16383) { DBG1(DBG_IKE, "received %N notify error", notify_type_names, type); diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c index 38fb572f4..dd4a5f5c0 100644 --- a/src/libcharon/sa/tasks/ike_init.c +++ b/src/libcharon/sa/tasks/ike_init.c @@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) } default: { - if (type < 16383) + if (type <= 16383) { DBG1(DBG_IKE, "received %N notify error", notify_type_names, type); diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c index 2d2847ae0..1de6ae8fc 100644 --- a/src/libcharon/sa/tasks/ike_me.c +++ b/src/libcharon/sa/tasks/ike_me.c @@ -17,6 +17,7 @@ #include <string.h> +#include <hydra.h> #include <daemon.h> #include <config/peer_cfg.h> #include <encoding/payloads/id_payload.h> @@ -134,8 +135,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) host = this->ike_sa->get_my_host(this->ike_sa); port = host->get_port(host); - enumerator = charon->kernel_interface->create_address_enumerator( - charon->kernel_interface, FALSE, FALSE); + enumerator = hydra->kernel_interface->create_address_enumerator( + hydra->kernel_interface, FALSE, FALSE); while (enumerator->enumerate(enumerator, (void**)&addr)) { host = addr->clone(addr); @@ -454,6 +455,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message) DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting"); return FAILED; } + /* if we are on a mediation connection we switch to port 4500 even + * if no NAT is detected. */ + this->ike_sa->float_ports(this->ike_sa); return NEED_MORE; } case IKE_AUTH: @@ -689,7 +693,7 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message) job_t *job = (job_t*)mediation_job_create(this->peer_id, this->ike_sa->get_other_id(this->ike_sa), this->connect_id, this->connect_key, this->remote_endpoints, this->response); - charon->processor->queue_job(charon->processor, job); + lib->processor->queue_job(lib->processor, job); break; } default: diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c index a62886f02..5b12eaaac 100644 --- a/src/libcharon/sa/tasks/ike_mobike.c +++ b/src/libcharon/sa/tasks/ike_mobike.c @@ -17,6 +17,7 @@ #include <string.h> +#include <hydra.h> #include <daemon.h> #include <sa/tasks/ike_natd.h> #include <encoding/payloads/notify_payload.h> @@ -70,6 +71,11 @@ struct private_ike_mobike_t { * include address list update */ bool address; + + /** + * additional addresses got updated + */ + bool addresses_updated; }; /** @@ -153,6 +159,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) host = host_create_from_chunk(family, data, 0); DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host); this->ike_sa->add_additional_address(this->ike_sa, host); + this->addresses_updated = TRUE; break; } case UPDATE_SA_ADDRESSES: @@ -163,6 +170,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) case NO_ADDITIONAL_ADDRESSES: { flush_additional_addresses(this); + this->addresses_updated = TRUE; break; } case NAT_DETECTION_SOURCE_IP: @@ -193,8 +201,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message) int added = 0; me = this->ike_sa->get_my_host(this->ike_sa); - enumerator = charon->kernel_interface->create_address_enumerator( - charon->kernel_interface, FALSE, FALSE); + enumerator = hydra->kernel_interface->create_address_enumerator( + hydra->kernel_interface, FALSE, FALSE); while (enumerator->enumerate(enumerator, (void**)&host)) { if (me->ip_equals(me, host)) @@ -269,32 +277,23 @@ static void update_children(private_ike_mobike_t *this) } /** - * Apply port of old address if it equals new, port otherwise + * Apply the port of the old host, if its ip equals the new, use port otherwise. */ -static void apply_port(private_ike_mobike_t *this, host_t *host, host_t *old, - u_int16_t port) +static void apply_port(host_t *host, host_t *old, u_int16_t port) { if (host->ip_equals(host, old)) { - host->set_port(host, old->get_port(old)); + port = old->get_port(old); } - else + else if (port == IKEV2_UDP_PORT) { - if (port == IKEV2_UDP_PORT) - { - host->set_port(host, IKEV2_NATT_PORT); - } - else - { - host->set_port(host, port); - } + port = IKEV2_NATT_PORT; } + host->set_port(host, port); } -/** - * Implementation of ike_mobike_t.transmit - */ -static void transmit(private_ike_mobike_t *this, packet_t *packet) +METHOD(ike_mobike_t, transmit, void, + private_ike_mobike_t *this, packet_t *packet) { host_t *me, *other, *me_old, *other_old; iterator_t *iterator; @@ -310,11 +309,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) other_old = this->ike_sa->get_other_host(this->ike_sa); ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); - me = charon->kernel_interface->get_source_addr( - charon->kernel_interface, other_old, NULL); + me = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, other_old, NULL); if (me) { - apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg)); + apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg)); DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old); copy = packet->clone(packet); copy->set_source(copy, me); @@ -324,8 +323,8 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa); while (iterator->iterate(iterator, (void**)&other)) { - me = charon->kernel_interface->get_source_addr( - charon->kernel_interface, other, NULL); + me = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, other, NULL); if (me) { if (me->get_family(me) != other->get_family(other)) @@ -334,9 +333,9 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) continue; } /* reuse port for an active address, 4500 otherwise */ - apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg)); + apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg)); other = other->clone(other); - apply_port(this, other, other_old, ike_cfg->get_other_port(ike_cfg)); + apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg)); DBG1(DBG_IKE, "checking path %#H - %#H", me, other); copy = packet->clone(packet); copy->set_source(copy, me); @@ -347,12 +346,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) iterator->destroy(iterator); } -/** - * Implementation of task_t.process for initiator - */ -static status_t build_i(private_ike_mobike_t *this, message_t *message) +METHOD(task_t, build_i, status_t, + private_ike_mobike_t *this, message_t *message) { - if (message->get_message_id(message) == 1) + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) { /* only in first IKE_AUTH */ message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty); build_address_list(this, message); @@ -363,7 +361,7 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message) /* we check if the existing address is still valid */ old = message->get_source(message); - new = charon->kernel_interface->get_source_addr(charon->kernel_interface, + new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, message->get_destination(message), old); if (new) { @@ -379,11 +377,12 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message) } if (this->update) { - message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty); + message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, + chunk_empty); build_cookie(this, message); update_children(this); } - if (this->address) + if (this->address && !this->check) { build_address_list(this, message); } @@ -395,12 +394,11 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_ike_mobike_t *this, message_t *message) +METHOD(task_t, process_r, status_t, + private_ike_mobike_t *this, message_t *message) { - if (message->get_message_id(message) == 1) + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) { /* only first IKE_AUTH */ process_payloads(this, message); } @@ -421,14 +419,25 @@ static status_t process_r(private_ike_mobike_t *this, message_t *message) { this->natd->task.process(&this->natd->task, message); } + if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa, + COND_ORIGINAL_INITIATOR)) + { + host_t *other = message->get_source(message); + host_t *other_old = this->ike_sa->get_other_host(this->ike_sa); + if (!other->equals(other, other_old)) + { + DBG1(DBG_IKE, "remote address changed from %H to %H", other_old, + other); + this->ike_sa->set_other_host(this->ike_sa, other->clone(other)); + this->update = TRUE; + } + } } return NEED_MORE; } -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_ike_mobike_t *this, message_t *message) +METHOD(task_t, build_r, status_t, + private_ike_mobike_t *this, message_t *message) { if (message->get_exchange_type(message) == IKE_AUTH && this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED) @@ -460,10 +469,8 @@ static status_t build_r(private_ike_mobike_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_ike_mobike_t *this, message_t *message) +METHOD(task_t, process_i, status_t, + private_ike_mobike_t *this, message_t *message) { if (message->get_exchange_type(message) == IKE_AUTH && this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED) @@ -536,14 +543,22 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message) } if (this->update) { - /* start the update with the same task */ - this->check = FALSE; - this->address = FALSE; - if (this->natd) - { - this->natd->task.destroy(&this->natd->task); + /* use the same task to ... */ + if (!this->ike_sa->has_condition(this->ike_sa, + COND_ORIGINAL_INITIATOR)) + { /*... send an updated list of addresses as responder */ + update_children(this); + this->update = FALSE; + } + else + { /* ... send the update as original initiator */ + if (this->natd) + { + this->natd->task.destroy(&this->natd->task); + } + this->natd = ike_natd_create(this->ike_sa, this->initiator); } - this->natd = ike_natd_create(this->ike_sa, this->initiator); + this->check = FALSE; this->ike_sa->set_pending_updates(this->ike_sa, 1); return NEED_MORE; } @@ -553,51 +568,48 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of ike_mobike_t.roam. - */ -static void roam(private_ike_mobike_t *this, bool address) +METHOD(ike_mobike_t, addresses, void, + private_ike_mobike_t *this) +{ + this->address = TRUE; + this->ike_sa->set_pending_updates(this->ike_sa, + this->ike_sa->get_pending_updates(this->ike_sa) + 1); +} + +METHOD(ike_mobike_t, roam, void, + private_ike_mobike_t *this, bool address) { this->check = TRUE; this->address = address; this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); + this->ike_sa->get_pending_updates(this->ike_sa) + 1); } -/** - * Implementation of ike_mobike_t.dpd - */ -static void dpd(private_ike_mobike_t *this) +METHOD(ike_mobike_t, dpd, void, + private_ike_mobike_t *this) { if (!this->natd) { this->natd = ike_natd_create(this->ike_sa, this->initiator); } - this->address = FALSE; this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); + this->ike_sa->get_pending_updates(this->ike_sa) + 1); } -/** - * Implementation of ike_mobike_t.is_probing. - */ -static bool is_probing(private_ike_mobike_t *this) +METHOD(ike_mobike_t, is_probing, bool, + private_ike_mobike_t *this) { return this->check; } -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_ike_mobike_t *this) +METHOD(task_t, get_type, task_type_t, + private_ike_mobike_t *this) { return IKE_MOBIKE; } -/** - * Implementation of task_t.migrate - */ -static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa) +METHOD(task_t, migrate, void, + private_ike_mobike_t *this, ike_sa_t *ike_sa) { chunk_free(&this->cookie2); this->ike_sa = ike_sa; @@ -607,10 +619,8 @@ static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa) } } -/** - * Implementation of task_t.destroy - */ -static void destroy(private_ike_mobike_t *this) +METHOD(task_t, destroy, void, + private_ike_mobike_t *this) { chunk_free(&this->cookie2); if (this->natd) @@ -625,35 +635,36 @@ static void destroy(private_ike_mobike_t *this) */ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator) { - private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t); - - this->public.roam = (void(*)(ike_mobike_t*,bool))roam; - this->public.dpd = (void(*)(ike_mobike_t*))dpd; - this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit; - this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing; - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; + private_ike_mobike_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .destroy = _destroy, + }, + .addresses = _addresses, + .roam = _roam, + .dpd = _dpd, + .transmit = _transmit, + .is_probing = _is_probing, + }, + .ike_sa = ike_sa, + .initiator = initiator, + ); if (initiator) { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + this->public.task.build = _build_i; + this->public.task.process = _process_i; } else { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->public.task.build = _build_r; + this->public.task.process = _process_r; } - this->ike_sa = ike_sa; - this->initiator = initiator; - this->update = FALSE; - this->check = FALSE; - this->address = TRUE; - this->cookie2 = chunk_empty; - this->natd = NULL; - return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_mobike.h b/src/libcharon/sa/tasks/ike_mobike.h index 05b2224d1..16611939e 100644 --- a/src/libcharon/sa/tasks/ike_mobike.h +++ b/src/libcharon/sa/tasks/ike_mobike.h @@ -46,6 +46,11 @@ struct ike_mobike_t { task_t task; /** + * Use the task to update the list of additional addresses. + */ + void (*addresses)(ike_mobike_t *this); + + /** * Use the task to roam to other addresses. * * @param address TRUE to include address list update diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c index 9ea20ba36..7839b52eb 100644 --- a/src/libcharon/sa/tasks/ike_natd.c +++ b/src/libcharon/sa/tasks/ike_natd.c @@ -18,6 +18,7 @@ #include <string.h> +#include <hydra.h> #include <daemon.h> #include <config/peer_cfg.h> #include <crypto/hashers/hasher.h> @@ -265,41 +266,15 @@ static status_t process_i(private_ike_natd_t *this, message_t *message) if (message->get_exchange_type(message) == IKE_SA_INIT) { peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - -#ifdef ME - /* if we are on a mediated connection we have already switched to - * port 4500 and the correct destination port is already configured, - * therefore we must not switch again */ - if (peer_cfg->get_mediated_by(peer_cfg)) - { - return SUCCESS; - } -#endif /* ME */ - if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) || -#ifdef ME - /* if we are on a mediation connection we switch to port 4500 even - * if no NAT is detected. */ - peer_cfg->is_mediation(peer_cfg) || -#endif /* ME */ /* if peer supports NAT-T, we switch to port 4500 even - * if no NAT is detected. MOBIKE requires this. */ + * if no NAT is detected. can't be done later (when we would know + * whether the peer supports MOBIKE) because there would be no + * exchange to actually do the switch (other than a forced DPD). */ (peer_cfg->use_mobike(peer_cfg) && this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))) { - host_t *me, *other; - - /* do not switch if we have a custom port from mobike/NAT */ - me = this->ike_sa->get_my_host(this->ike_sa); - if (me->get_port(me) == IKEV2_UDP_PORT) - { - me->set_port(me, IKEV2_NATT_PORT); - } - other = this->ike_sa->get_other_host(this->ike_sa); - if (other->get_port(other) == IKEV2_UDP_PORT) - { - other->set_port(other, IKEV2_NATT_PORT); - } + this->ike_sa->float_ports(this->ike_sa); } } @@ -342,7 +317,7 @@ static status_t build_i(private_ike_natd_t *this, message_t *message) } else { - host = charon->kernel_interface->get_source_addr(charon->kernel_interface, + host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, this->ike_sa->get_other_host(this->ike_sa), NULL); if (host) { /* 2. */ @@ -353,8 +328,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message) } else { /* 3. */ - enumerator = charon->kernel_interface->create_address_enumerator( - charon->kernel_interface, FALSE, FALSE); + enumerator = hydra->kernel_interface->create_address_enumerator( + hydra->kernel_interface, FALSE, FALSE); while (enumerator->enumerate(enumerator, (void**)&host)) { /* apply port 500 to host, but work on a copy */ diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index a2275e796..1a6c140c4 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c @@ -196,7 +196,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) DBG1(DBG_IKE, "peer seems to not support IKE rekeying, " "starting reauthentication"); this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)rekey_ike_sa_job_create( this->ike_sa->get_id(this->ike_sa), TRUE)); return SUCCESS; @@ -217,7 +217,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) DBG1(DBG_IKE, "IKE_SA rekeying failed, " "trying again in %d seconds", retry); this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - charon->scheduler->schedule_job(charon->scheduler, job, retry); + lib->scheduler->schedule_job(lib->scheduler, job, retry); } return SUCCESS; case NEED_MORE: @@ -241,51 +241,56 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) if (this->collision && this->collision->get_type(this->collision) == IKE_REKEY) { - chunk_t this_nonce, other_nonce; - host_t *host; private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision; - this_nonce = this->ike_init->get_lower_nonce(this->ike_init); - other_nonce = other->ike_init->get_lower_nonce(other->ike_init); - - /* if we have the lower nonce, delete rekeyed SA. If not, delete - * the redundant. */ - if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) - { - /* peer should delete this SA. Add a timeout just in case. */ - job_t *job = (job_t*)delete_ike_sa_job_create( - other->new_sa->get_id(other->new_sa), TRUE); - charon->scheduler->schedule_job(charon->scheduler, job, 10); - DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); - other->new_sa = NULL; - } - else + /* ike_init can be NULL, if child_sa is half-open */ + if (other->ike_init) { - DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); - /* apply host for a proper delete */ - host = this->ike_sa->get_my_host(this->ike_sa); - this->new_sa->set_my_host(this->new_sa, host->clone(host)); - host = this->ike_sa->get_other_host(this->ike_sa); - this->new_sa->set_other_host(this->new_sa, host->clone(host)); - this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - if (this->new_sa->delete(this->new_sa) == DESTROY_ME) + host_t *host; + chunk_t this_nonce, other_nonce; + + this_nonce = this->ike_init->get_lower_nonce(this->ike_init); + other_nonce = other->ike_init->get_lower_nonce(other->ike_init); + + /* if we have the lower nonce, delete rekeyed SA. If not, delete + * the redundant. */ + if (memcmp(this_nonce.ptr, other_nonce.ptr, + min(this_nonce.len, other_nonce.len)) < 0) { - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, this->new_sa); + /* peer should delete this SA. Add a timeout just in case. */ + job_t *job = (job_t*)delete_ike_sa_job_create( + other->new_sa->get_id(other->new_sa), TRUE); + lib->scheduler->schedule_job(lib->scheduler, job, 10); + DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); + other->new_sa = NULL; } else { - charon->ike_sa_manager->checkin( - charon->ike_sa_manager, this->new_sa); + DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); + /* apply host for a proper delete */ + host = this->ike_sa->get_my_host(this->ike_sa); + this->new_sa->set_my_host(this->new_sa, host->clone(host)); + host = this->ike_sa->get_other_host(this->ike_sa); + this->new_sa->set_other_host(this->new_sa, host->clone(host)); + this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); + if (this->new_sa->delete(this->new_sa) == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, this->new_sa); + } + else + { + charon->ike_sa_manager->checkin( + charon->ike_sa_manager, this->new_sa); + } + /* set threads active IKE_SA after checkin */ + charon->bus->set_sa(charon->bus, this->ike_sa); + /* inherit to other->new_sa in destroy() */ + this->new_sa = other->new_sa; + other->new_sa = NULL; + return SUCCESS; } - /* set threads active IKE_SA after checkin */ - charon->bus->set_sa(charon->bus, this->ike_sa); - /* inherit to other->new_sa in destroy() */ - this->new_sa = other->new_sa; - other->new_sa = NULL; - return SUCCESS; } /* set threads active IKE_SA after checkin */ charon->bus->set_sa(charon->bus, this->ike_sa); diff --git a/src/libcharon/sa/tasks/ike_vendor.c b/src/libcharon/sa/tasks/ike_vendor.c index 7c435b6d1..1c14ee06b 100644 --- a/src/libcharon/sa/tasks/ike_vendor.c +++ b/src/libcharon/sa/tasks/ike_vendor.c @@ -123,12 +123,14 @@ ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator) private_ike_vendor_t *this; INIT(this, - .public.task = { - .build = _build, - .process = _process, - .migrate = _migrate, - .get_type = _get_type, - .destroy = _destroy, + .public = { + .task = { + .build = _build, + .process = _process, + .migrate = _migrate, + .get_type = _get_type, + .destroy = _destroy, + }, }, .initiator = initiator, .ike_sa = ike_sa, diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 80bf647cd..f91eff077 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -15,6 +15,7 @@ #include "trap_manager.h" +#include <hydra.h> #include <daemon.h> #include <threading/rwlock.h> #include <utils/linked_list.h> @@ -138,8 +139,8 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer, if (!me || me->is_anyaddr(me)) { DESTROY_IF(me); - me = charon->kernel_interface->get_source_addr( - charon->kernel_interface, other, NULL); + me = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, other, NULL); if (!me) { DBG1(DBG_CFG, "installing trap failed, local address unknown"); diff --git a/src/pluto/kernel_noklips.h b/src/libcharon/tnccs/tnccs.c index 3da55d80b..2facf02c8 100644 --- a/src/pluto/kernel_noklips.h +++ b/src/libcharon/tnccs/tnccs.c @@ -1,6 +1,6 @@ -/* declarations of routines that interface with the kernel's pfkey mechanism - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * Copyright (C) 2003 Herbert Xu +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -13,5 +13,10 @@ * for more details. */ -extern void init_noklips(void); -extern const struct kernel_ops noklips_kernel_ops; +#include "tnccs.h" + +ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0, + "TNCCS 1.1", + "TNCCS SOH", + "TNCCS 2.0", +); diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h new file mode 100644 index 000000000..583512e82 --- /dev/null +++ b/src/libcharon/tnccs/tnccs.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs tnccs + * @{ @ingroup libcharon + */ + +#ifndef TNCCS_H_ +#define TNCCS_H_ + +typedef enum tnccs_type_t tnccs_type_t; + +#include <library.h> + +/** + * Type of TNC Client/Server protocol + */ +enum tnccs_type_t { + TNCCS_1_1, + TNCCS_SOH, + TNCCS_2_0 +}; + +/** + * enum names for tnccs_type_t. + */ +extern enum_name_t *tnccs_type_names; + +typedef struct tnccs_t tnccs_t; + +/** + * Constructor definition for a pluggable TNCCS protocol implementation. + * + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return implementation of the tnccs_t interface + */ +typedef tnccs_t* (*tnccs_constructor_t)(bool is_server); + +#endif /** TNC_H_ @}*/ diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c new file mode 100644 index 000000000..0fd6737c0 --- /dev/null +++ b/src/libcharon/tnccs/tnccs_manager.c @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_manager.h" + +#include <utils/linked_list.h> +#include <threading/rwlock.h> + +typedef struct private_tnccs_manager_t private_tnccs_manager_t; +typedef struct tnccs_entry_t tnccs_entry_t; + +/** + * TNCCS constructor entry + */ +struct tnccs_entry_t { + + /** + * TNCCS protocol type + */ + tnccs_type_t type; + + /** + * constructor function to create instance + */ + tnccs_constructor_t constructor; +}; + +/** + * private data of tnccs_manager + */ +struct private_tnccs_manager_t { + + /** + * public functions + */ + tnccs_manager_t public; + + /** + * list of tnccs_entry_t's + */ + linked_list_t *protocols; + + /** + * rwlock to lock methods + */ + rwlock_t *lock; +}; + +METHOD(tnccs_manager_t, add_method, void, + private_tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor) +{ + tnccs_entry_t *entry = malloc_thing(tnccs_entry_t); + + entry->type = type; + entry->constructor = constructor; + + this->lock->write_lock(this->lock); + this->protocols->insert_last(this->protocols, entry); + this->lock->unlock(this->lock); +} + +METHOD(tnccs_manager_t, remove_method, void, + private_tnccs_manager_t *this, tnccs_constructor_t constructor) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + + this->lock->write_lock(this->lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (constructor == entry->constructor) + { + this->protocols->remove_at(this->protocols, enumerator); + free(entry); + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); +} + +METHOD(tnccs_manager_t, create_instance, tnccs_t*, + private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + tnccs_t *protocol = NULL; + + this->lock->read_lock(this->lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (type == entry->type) + { + protocol = entry->constructor(is_server); + if (protocol) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + return protocol; +} + +METHOD(tnccs_manager_t, destroy, void, + private_tnccs_manager_t *this) +{ + this->protocols->destroy_function(this->protocols, free); + this->lock->destroy(this->lock); + free(this); +} + +/* + * See header + */ +tnccs_manager_t *tnccs_manager_create() +{ + private_tnccs_manager_t *this; + + INIT(this, + .public = { + .add_method = _add_method, + .remove_method = _remove_method, + .create_instance = _create_instance, + .destroy = _destroy, + }, + .protocols = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h new file mode 100644 index 000000000..2f4a961a7 --- /dev/null +++ b/src/libcharon/tnccs/tnccs_manager.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_manager tnccs_manager + * @{ @ingroup tnccs + */ + +#ifndef TNCCS_MANAGER_H_ +#define TNCCS_MANAGER_H_ + +#include "tnccs.h" + +typedef struct tnccs_manager_t tnccs_manager_t; + +/** + * The TNCCS manager manages all TNCCS implementations and creates instances. + * + * A plugin registers its implemented TNCCS protocol with the manager by + * providing type and a constructor function. The manager then creates + * TNCCS protocol instances via the provided constructor. + */ +struct tnccs_manager_t { + + /** + * Register a TNCCS protocol implementation. + * + * @param type TNCCS protocol type + * @param constructor constructor, returns a TNCCS protocol implementation + */ + void (*add_method)(tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor); + + /** + * Unregister a TNCCS protocol implementation using it's constructor. + * + * @param constructor constructor function to remove, as added in add_method + */ + void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor); + + /** + * Create a new TNCCS protocol instance. + * + * @param type type of the TNCCS protocol + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return TNCCS protocol instance, NULL if no constructor found + */ + tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, + bool is_server); + + /** + * Destroy a tnccs_manager instance. + */ + void (*destroy)(tnccs_manager_t *this); +}; + +/** + * Create a tnccs_manager instance. + */ +tnccs_manager_t *tnccs_manager_create(); + +#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index a84b272dc..777f1fd10 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -162,6 +163,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -193,14 +196,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -215,24 +221,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -240,7 +253,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am index 44dd31577..5fee39da9 100644 --- a/src/libfreeswan/Makefile.am +++ b/src/libfreeswan/Makefile.am @@ -11,6 +11,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 6d640d778..28ba035c6 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -179,6 +180,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -210,14 +213,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -232,24 +238,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -257,7 +270,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -282,6 +298,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk index caad7447a..2418e76ad 100644 --- a/src/libhydra/Android.mk +++ b/src/libhydra/Android.mk @@ -7,13 +7,21 @@ hydra.c hydra.h \ attributes/attributes.c attributes/attributes.h \ attributes/attribute_provider.h attributes/attribute_handler.h \ attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h +attributes/mem_pool.c attributes/mem_pool.h \ +kernel/kernel_interface.c kernel/kernel_interface.h \ +kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ +kernel/kernel_net.h \ +kernel/kernel_listener.h # adding the plugin source files LOCAL_SRC_FILES += $(call add_plugin, attr) -# build libcharon -------------------------------------------------------------- +LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey) + +LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) + +# build libhydra --------------------------------------------------------------- LOCAL_C_INCLUDES += \ $(libvstr_PATH) \ diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am index 4e5c55d3f..d0698d0f5 100644 --- a/src/libhydra/Makefile.am +++ b/src/libhydra/Makefile.am @@ -5,7 +5,11 @@ hydra.c hydra.h \ attributes/attributes.c attributes/attributes.h \ attributes/attribute_provider.h attributes/attribute_handler.h \ attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h +attributes/mem_pool.c attributes/mem_pool.h \ +kernel/kernel_interface.c kernel/kernel_interface.h \ +kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ +kernel/kernel_net.h \ +kernel/kernel_listener.h libhydra_la_LIBADD = @@ -40,6 +44,34 @@ if MONOLITHIC endif endif +if USE_KERNEL_PFKEY + SUBDIRS += plugins/kernel_pfkey +if MONOLITHIC + libhydra_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +endif +endif + +if USE_KERNEL_PFROUTE + SUBDIRS += plugins/kernel_pfroute +if MONOLITHIC + libhydra_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +endif +endif + +if USE_KERNEL_KLIPS + SUBDIRS += plugins/kernel_klips +if MONOLITHIC + libhydra_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la +endif +endif + +if USE_KERNEL_NETLINK + SUBDIRS += plugins/kernel_netlink +if MONOLITHIC + libhydra_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la +endif +endif + if USE_RESOLVE SUBDIRS += plugins/resolve if MONOLITHIC diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index a3aec26c9..8e5697b79 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -38,8 +38,16 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la -@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la +@USE_KERNEL_PFKEY_TRUE@am__append_5 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_7 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_KLIPS_TRUE@am__append_9 = plugins/kernel_klips +@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_10 = plugins/kernel_klips/libstrongswan-kernel-klips.la +@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_12 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la +@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_14 = plugins/resolve/libstrongswan-resolve.la subdir = src/libhydra DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -50,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -80,9 +89,10 @@ am__base_list = \ am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \ - $(am__append_6) + $(am__append_6) $(am__append_8) $(am__append_10) \ + $(am__append_12) $(am__append_14) am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \ - mem_pool.lo + mem_pool.lo kernel_interface.lo kernel_ipsec.lo libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -113,7 +123,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve +DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \ + plugins/kernel_pfroute plugins/kernel_klips \ + plugins/kernel_netlink plugins/resolve DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -205,6 +217,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -236,14 +250,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -258,24 +275,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -283,7 +307,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -301,9 +328,15 @@ hydra.c hydra.h \ attributes/attributes.c attributes/attributes.h \ attributes/attribute_provider.h attributes/attribute_handler.h \ attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h - -libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) +attributes/mem_pool.c attributes/mem_pool.h \ +kernel/kernel_interface.c kernel/kernel_interface.h \ +kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ +kernel/kernel_net.h \ +kernel/kernel_listener.h + +libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) \ + $(am__append_8) $(am__append_10) $(am__append_12) \ + $(am__append_14) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ @@ -312,12 +345,16 @@ AM_CFLAGS = \ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \ -@MONOLITHIC_FALSE@ $(am__append_5) +@MONOLITHIC_FALSE@ $(am__append_5) $(am__append_7) \ +@MONOLITHIC_FALSE@ $(am__append_9) $(am__append_11) \ +@MONOLITHIC_FALSE@ $(am__append_13) # build optional plugins ######################## @MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \ -@MONOLITHIC_TRUE@ $(am__append_5) +@MONOLITHIC_TRUE@ $(am__append_5) $(am__append_7) \ +@MONOLITHIC_TRUE@ $(am__append_9) $(am__append_11) \ +@MONOLITHIC_TRUE@ $(am__append_13) all: all-recursive .SUFFIXES: @@ -395,6 +432,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@ .c.o: @@ -439,6 +478,20 @@ mem_pool.lo: attributes/mem_pool.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c +kernel_interface.lo: kernel/kernel_interface.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c + +kernel_ipsec.lo: kernel/kernel_ipsec.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c index e1d69fd6b..8af97dc78 100644 --- a/src/libhydra/attributes/mem_pool.c +++ b/src/libhydra/attributes/mem_pool.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Tobias Brunner - * Copyright (C) 2008 Martin Willi + * Copyright (C) 2008-2010 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,7 +18,8 @@ #include <debug.h> #include <utils/hashtable.h> -#include <threading/rwlock.h> +#include <utils/linked_list.h> +#include <threading/mutex.h> #define POOL_LIMIT (sizeof(uintptr_t)*8) @@ -54,27 +55,29 @@ struct private_mem_pool_t { u_int unused; /** - * hashtable [identity => offset], for online leases + * lease hashtable [identity => entry] */ - hashtable_t *online; - - /** - * hashtable [identity => offset], for offline leases - */ - hashtable_t *offline; - - /** - * hashtable [identity => identity], handles identity references - */ - hashtable_t *ids; + hashtable_t *leases; /** * lock to safely access the pool */ - rwlock_t *lock; + mutex_t *mutex; }; /** + * Lease entry. + */ +typedef struct { + /* identitiy reference */ + identification_t *id; + /* list of online leases, as offset */ + linked_list_t *online; + /* list of offline leases, as offset */ + linked_list_t *offline; +} entry_t; + +/** * hashtable hash function for identities */ static u_int id_hash(identification_t *id) @@ -154,43 +157,61 @@ static int host2offset(private_mem_pool_t *pool, host_t *addr) } METHOD(mem_pool_t, get_name, const char*, - private_mem_pool_t *this) + private_mem_pool_t *this) { return this->name; } METHOD(mem_pool_t, get_size, u_int, - private_mem_pool_t *this) + private_mem_pool_t *this) { return this->size; } METHOD(mem_pool_t, get_online, u_int, - private_mem_pool_t *this) + private_mem_pool_t *this) { - u_int count; - this->lock->read_lock(this->lock); - count = this->online->get_count(this->online); - this->lock->unlock(this->lock); + enumerator_t *enumerator; + entry_t *entry; + u_int count = 0; + + this->mutex->lock(this->mutex); + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + count += entry->online->get_count(entry->online); + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + return count; } METHOD(mem_pool_t, get_offline, u_int, - private_mem_pool_t *this) + private_mem_pool_t *this) { - u_int count; - this->lock->read_lock(this->lock); - count = this->offline->get_count(this->offline); - this->lock->unlock(this->lock); + enumerator_t *enumerator; + entry_t *entry; + u_int count = 0; + + this->mutex->lock(this->mutex); + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + count += entry->offline->get_count(entry->offline); + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + return count; } METHOD(mem_pool_t, acquire_address, host_t*, - private_mem_pool_t *this, identification_t *id, host_t *requested) + private_mem_pool_t *this, identification_t *id, host_t *requested) { - uintptr_t offset = 0; + uintptr_t offset = 0, current; enumerator_t *enumerator; - identification_t *old_id; + entry_t *entry, *old; /* if the pool is empty (e.g. in the %config case) we simply return the * requested address */ @@ -207,108 +228,114 @@ METHOD(mem_pool_t, acquire_address, host_t*, return NULL; } - this->lock->write_lock(this->lock); + this->mutex->lock(this->mutex); while (TRUE) { - /* check for a valid offline lease, refresh */ - offset = (uintptr_t)this->offline->remove(this->offline, id); - if (offset) + entry = this->leases->get(this->leases, id); + if (entry) { - id = this->ids->get(this->ids, id); - if (id) + /* check for a valid offline lease, refresh */ + enumerator = entry->offline->create_enumerator(entry->offline); + if (enumerator->enumerate(enumerator, ¤t)) + { + entry->offline->remove_at(entry->offline, enumerator); + entry->online->insert_last(entry->online, (void*)current); + offset = current; + } + enumerator->destroy(enumerator); + if (offset) { DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id); - this->online->put(this->online, id, (void*)offset); break; } - } - - /* check for a valid online lease, reassign */ - offset = (uintptr_t)this->online->get(this->online, id); - if (offset) - { - if (offset == host2offset(this, requested)) + /* check for a valid online lease to reassign */ + enumerator = entry->online->create_enumerator(entry->online); + while (enumerator->enumerate(enumerator, ¤t)) { - DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); + if (current == host2offset(this, requested)) + { + offset = current; + break; + } } - else + enumerator->destroy(enumerator); + if (offset) { - DBG1(DBG_CFG, "'%Y' already has an online lease, " - "unable to assign address", id); - offset = 0; + DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); + break; } - break; } - + else + { + INIT(entry, + .id = id->clone(id), + .online = linked_list_create(), + .offline = linked_list_create(), + ); + this->leases->put(this->leases, entry->id, entry); + } if (this->unused < this->size) { - /* assigning offset, starting by 1. Handling 0 in hashtable - * is difficult. */ + /* assigning offset, starting by 1 */ offset = ++this->unused; - id = id->clone(id); - this->ids->put(this->ids, id, id); - this->online->put(this->online, id, (void*)offset); + entry->online->insert_last(entry->online, (void*)offset); DBG1(DBG_CFG, "assigning new lease to '%Y'", id); break; } /* no more addresses, replace the first found offline lease */ - enumerator = this->offline->create_enumerator(this->offline); - if (enumerator->enumerate(enumerator, &old_id, &offset)) + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &old)) { - offset = (uintptr_t)this->offline->remove(this->offline, old_id); - if (offset) + if (old->offline->remove_first(old->offline, + (void**)¤t) == SUCCESS) { - /* destroy reference to old ID */ - old_id = this->ids->remove(this->ids, old_id); + offset = current; + entry->online->insert_last(entry->online, (void*)offset); DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'" - " to '%Y'", old_id, id); - if (old_id) - { - old_id->destroy(old_id); - } - id = id->clone(id); - this->ids->put(this->ids, id, id); - this->online->put(this->online, id, (void*)offset); - enumerator->destroy(enumerator); + " to '%Y'", old->id, id); break; } } enumerator->destroy(enumerator); - - DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", - this->name); break; } - this->lock->unlock(this->lock); + this->mutex->unlock(this->mutex); if (offset) { return offset2host(this, offset); } + else + { + DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", + this->name); + } return NULL; } METHOD(mem_pool_t, release_address, bool, - private_mem_pool_t *this, host_t *address, identification_t *id) + private_mem_pool_t *this, host_t *address, identification_t *id) { bool found = FALSE; + entry_t *entry; + uintptr_t offset; + if (this->size != 0) { - uintptr_t offset; - this->lock->write_lock(this->lock); - offset = (uintptr_t)this->online->remove(this->online, id); - if (offset) + this->mutex->lock(this->mutex); + entry = this->leases->get(this->leases, id); + if (entry) { - id = this->ids->get(this->ids, id); - if (id) + offset = host2offset(this, address); + if (entry->online->remove(entry->online, (void*)offset, NULL) > 0) { DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id); - this->offline->put(this->offline, id, (void*)offset); + entry->offline->insert_last(entry->offline, (void*)offset); found = TRUE; } } - this->lock->unlock(this->lock); + this->mutex->unlock(this->mutex); } return found; } @@ -319,52 +346,69 @@ METHOD(mem_pool_t, release_address, bool, typedef struct { /** implemented enumerator interface */ enumerator_t public; - /** inner hash-table enumerator */ - enumerator_t *inner; + /** hash-table enumerator */ + enumerator_t *entries; + /** online enumerator */ + enumerator_t *online; + /** offline enumerator */ + enumerator_t *offline; /** enumerated pool */ private_mem_pool_t *pool; + /** currently enumerated entry */ + entry_t *entry; /** currently enumerated lease address */ - host_t *current; + host_t *addr; } lease_enumerator_t; METHOD(enumerator_t, lease_enumerate, bool, - lease_enumerator_t *this, identification_t **id_out, host_t **addr_out, - bool *online) + lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online) { - identification_t *id; uintptr_t offset; - DESTROY_IF(this->current); - this->current = NULL; + DESTROY_IF(this->addr); + this->addr = NULL; - if (this->inner->enumerate(this->inner, &id, NULL)) + while (TRUE) { - offset = (uintptr_t)this->pool->online->get(this->pool->online, id); - if (offset) + if (this->entry) { - *id_out = id; - *addr_out = this->current = offset2host(this->pool, offset); - *online = TRUE; - return TRUE; + if (this->online->enumerate(this->online, (void**)&offset)) + { + *id = this->entry->id; + *addr = this->addr = offset2host(this->pool, offset); + *online = TRUE; + return TRUE; + } + if (this->offline->enumerate(this->offline, (void**)&offset)) + { + *id = this->entry->id; + *addr = this->addr = offset2host(this->pool, offset); + *online = FALSE; + return TRUE; + } + this->online->destroy(this->online); + this->offline->destroy(this->offline); + this->online = this->offline = NULL; } - offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id); - if (offset) + if (!this->entries->enumerate(this->entries, NULL, &this->entry)) { - *id_out = id; - *addr_out = this->current = offset2host(this->pool, offset); - *online = FALSE; - return TRUE; + return FALSE; } + this->online = this->entry->online->create_enumerator( + this->entry->online); + this->offline = this->entry->offline->create_enumerator( + this->entry->offline); } - return FALSE; } METHOD(enumerator_t, lease_enumerator_destroy, void, - lease_enumerator_t *this) + lease_enumerator_t *this) { - DESTROY_IF(this->current); - this->inner->destroy(this->inner); - this->pool->lock->unlock(this->pool->lock); + DESTROY_IF(this->addr); + DESTROY_IF(this->online); + DESTROY_IF(this->offline); + this->entries->destroy(this->entries); + this->pool->mutex->unlock(this->pool->mutex); free(this); } @@ -372,35 +416,37 @@ METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*, private_mem_pool_t *this) { lease_enumerator_t *enumerator; - this->lock->read_lock(this->lock); + + this->mutex->lock(this->mutex); INIT(enumerator, .public = { .enumerate = (void*)_lease_enumerate, - .destroy = (void*)_lease_enumerator_destroy, + .destroy = _lease_enumerator_destroy, }, .pool = this, - .inner = this->ids->create_enumerator(this->ids), + .entries = this->leases->create_enumerator(this->leases), ); return &enumerator->public; } METHOD(mem_pool_t, destroy, void, - private_mem_pool_t *this) + private_mem_pool_t *this) { enumerator_t *enumerator; - identification_t *id; + entry_t *entry; - enumerator = this->ids->create_enumerator(this->ids); - while (enumerator->enumerate(enumerator, &id, NULL)) + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) { - id->destroy(id); + entry->id->destroy(entry->id); + entry->online->destroy(entry->online); + entry->offline->destroy(entry->offline); + free(entry); } enumerator->destroy(enumerator); - this->ids->destroy(this->ids); - this->online->destroy(this->online); - this->offline->destroy(this->offline); - this->lock->destroy(this->lock); + this->leases->destroy(this->leases); + this->mutex->destroy(this->mutex); DESTROY_IF(this->base); free(this->name); free(this); @@ -412,6 +458,7 @@ METHOD(mem_pool_t, destroy, void, mem_pool_t *mem_pool_create(char *name, host_t *base, int bits) { private_mem_pool_t *this; + int addr_bits; INIT(this, .public = { @@ -425,18 +472,14 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits) .destroy = _destroy, }, .name = strdup(name), - .online = hashtable_create((hashtable_hash_t)id_hash, + .leases = hashtable_create((hashtable_hash_t)id_hash, (hashtable_equals_t)id_equals, 16), - .offline = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16), - .ids = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); if (base) { - int addr_bits = base->get_family(base) == AF_INET ? 32 : 128; + addr_bits = base->get_family(base) == AF_INET ? 32 : 128; /* net bits -> host bits */ bits = addr_bits - bits; if (bits > POOL_LIMIT) diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c index 16a8193ea..f180e36bb 100644 --- a/src/libhydra/hydra.c +++ b/src/libhydra/hydra.c @@ -42,6 +42,7 @@ void libhydra_deinit() { private_hydra_t *this = (private_hydra_t*)hydra; this->public.attributes->destroy(this->public.attributes); + this->public.kernel_interface->destroy(this->public.kernel_interface); free((void*)this->public.daemon); free(this); hydra = NULL; @@ -57,6 +58,7 @@ bool libhydra_init(const char *daemon) INIT(this, .public = { .attributes = attribute_manager_create(), + .kernel_interface = kernel_interface_create(), .daemon = strdup(daemon ?: "libhydra"), }, ); diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h index 8670f3969..d7a7d8de4 100644 --- a/src/libhydra/hydra.h +++ b/src/libhydra/hydra.h @@ -19,6 +19,9 @@ * @defgroup attributes attributes * @ingroup libhydra * + * @defgroup hkernel kernel + * @ingroup libhydra + * * @defgroup hplugins plugins * @ingroup libhydra * @@ -32,6 +35,7 @@ typedef struct hydra_t hydra_t; #include <attributes/attribute_manager.h> +#include <kernel/kernel_interface.h> #include <library.h> @@ -46,6 +50,11 @@ struct hydra_t { attribute_manager_t *attributes; /** + * kernel interface to communicate with kernel + */ + kernel_interface_t *kernel_interface; + + /** * name of the daemon that initialized the library */ const char *daemon; diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 837e628bc..3e6d46205 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2009 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -17,7 +17,9 @@ #include "kernel_interface.h" -#include <daemon.h> +#include <debug.h> +#include <threading/mutex.h> +#include <utils/linked_list.h> typedef struct private_kernel_interface_t private_kernel_interface_t; @@ -40,11 +42,21 @@ struct private_kernel_interface_t { * network interface */ kernel_net_t *net; + + /** + * mutex for listeners + */ + mutex_t *mutex; + + /** + * list of registered listeners + */ + linked_list_t *listeners; }; METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { if (!this->ipsec) { @@ -66,7 +78,7 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, @@ -82,7 +94,7 @@ METHOD(kernel_interface_t, add_sa, status_t, } METHOD(kernel_interface_t, update_sa, status_t, - private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -96,7 +108,7 @@ METHOD(kernel_interface_t, update_sa, status_t, METHOD(kernel_interface_t, query_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { if (!this->ipsec) { @@ -107,7 +119,7 @@ METHOD(kernel_interface_t, query_sa, status_t, METHOD(kernel_interface_t, del_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int8_t protocol, u_int16_t cpi, mark_t mark) { if (!this->ipsec) { @@ -119,16 +131,15 @@ METHOD(kernel_interface_t, del_sa, status_t, METHOD(kernel_interface_t, add_policy, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed); + direction, type, sa, mark, routed); } METHOD(kernel_interface_t, query_policy, status_t, @@ -338,11 +349,124 @@ METHOD(kernel_interface_t, remove_net_interface, void, /* TODO: replace if interface currently in use */ } +METHOD(kernel_interface_t, add_listener, void, + private_kernel_interface_t *this, kernel_listener_t *listener) +{ + this->mutex->lock(this->mutex); + this->listeners->insert_last(this->listeners, listener); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, remove_listener, void, + private_kernel_interface_t *this, kernel_listener_t *listener) +{ + this->mutex->lock(this->mutex); + this->listeners->remove(this->listeners, listener, NULL); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, acquire, void, + private_kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->acquire && + !listener->acquire(listener, reqid, src_ts, dst_ts)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, expire, void, + private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol, + u_int32_t spi, bool hard) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->expire && + !listener->expire(listener, reqid, protocol, spi, hard)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, mapping, void, + private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi, + host_t *remote) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->mapping && + !listener->mapping(listener, reqid, spi, remote)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, migrate, void, + private_kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->migrate && + !listener->migrate(listener, reqid, src_ts, dst_ts, direction, + local, remote)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +static bool call_roam(kernel_listener_t *listener, bool *roam) +{ + return listener->roam && !listener->roam(listener, *roam); +} + +METHOD(kernel_interface_t, roam, void, + private_kernel_interface_t *this, bool address) +{ + this->mutex->lock(this->mutex); + this->listeners->remove(this->listeners, &address, (void*)call_roam); + this->mutex->unlock(this->mutex); +} + METHOD(kernel_interface_t, destroy, void, private_kernel_interface_t *this) { DESTROY_IF(this->ipsec); DESTROY_IF(this->net); + this->mutex->destroy(this->mutex); + this->listeners->destroy(this->listeners); free(this); } @@ -379,8 +503,18 @@ kernel_interface_t *kernel_interface_create() .remove_ipsec_interface = _remove_ipsec_interface, .add_net_interface = _add_net_interface, .remove_net_interface = _remove_net_interface, + + .add_listener = _add_listener, + .remove_listener = _remove_listener, + .acquire = _acquire, + .expire = _expire, + .mapping = _mapping, + .migrate = _migrate, + .roam = _roam, .destroy = _destroy, }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .listeners = linked_list_create(), ); return &this->public; diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 92d85f9c9..8b0c7a296 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -18,7 +18,7 @@ /** * @defgroup kernel_interface kernel_interface - * @{ @ingroup kernel + * @{ @ingroup hkernel */ #ifndef KERNEL_INTERFACE_H_ @@ -28,8 +28,8 @@ typedef struct kernel_interface_t kernel_interface_t; #include <utils/host.h> #include <crypto/prf_plus.h> -#include <encoding/payloads/proposal_substructure.h> +#include <kernel/kernel_listener.h> #include <kernel/kernel_ipsec.h> #include <kernel/kernel_net.h> @@ -62,7 +62,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -107,7 +107,7 @@ struct kernel_interface_t { */ status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, @@ -137,7 +137,7 @@ struct kernel_interface_t { * the kernel interface can't update the SA */ status_t (*update_sa)(kernel_interface_t *this, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark); @@ -154,7 +154,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes); /** @@ -169,7 +169,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark); /** @@ -182,14 +182,10 @@ struct kernel_interface_t { * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param spi SPI of SA - * @param protocol protocol to use to protect traffic (AH/ESP) - * @param reqid unique ID of an SA to use to enforce policy + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy * @param mark mark for this policy - * @param mode mode of SA (tunnel, transport) - * @param ipcomp the IPComp transform used - * @param cpi CPI for IPComp * @param routed TRUE, if this policy is routed in the kernel * @return SUCCESS if operation completed */ @@ -197,10 +193,8 @@ struct kernel_interface_t { host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, bool routed); /** * Query the use time of a policy. @@ -210,7 +204,7 @@ struct kernel_interface_t { * * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) * @param mark optional mark * @param[out] use_time the time of this SA's last use * @return SUCCESS if operation completed @@ -231,7 +225,7 @@ struct kernel_interface_t { * * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed @@ -272,7 +266,7 @@ struct kernel_interface_t { * Get the interface name of a local address. * * @param host address to get interface name from - * @return allocated interface name, or NULL if not found + * @return allocated interface name, or NULL if not found */ char* (*get_interface) (kernel_interface_t *this, host_t *host); @@ -324,10 +318,11 @@ struct kernel_interface_t { * @param src_ip sourc ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed - * ALREADY_DONE if the route already exists + * ALREADY_DONE if the route already exists */ - status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen, - host_t *gateway, host_t *src_ip, char *if_name); + status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); /** * Delete a route. @@ -339,8 +334,9 @@ struct kernel_interface_t { * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed */ - status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen, - host_t *gateway, host_t *src_ip, char *if_name); + status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); /** * Set up a bypass policy for a given socket. @@ -363,36 +359,108 @@ struct kernel_interface_t { * @param ip returned ip (has to be destroyed) * @return SUCCESS if address found */ - status_t (*get_address_by_ts) (kernel_interface_t *this, - traffic_selector_t *ts, host_t **ip); + status_t (*get_address_by_ts)(kernel_interface_t *this, + traffic_selector_t *ts, host_t **ip); /** * Register an ipsec kernel interface constructor on the manager. * * @param create constructor to register */ - void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); + void (*add_ipsec_interface)(kernel_interface_t *this, + kernel_ipsec_constructor_t create); /** * Unregister an ipsec kernel interface constructor. * * @param create constructor to unregister */ - void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); + void (*remove_ipsec_interface)(kernel_interface_t *this, + kernel_ipsec_constructor_t create); /** * Register a network kernel interface constructor on the manager. * * @param create constructor to register */ - void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); + void (*add_net_interface)(kernel_interface_t *this, + kernel_net_constructor_t create); /** * Unregister a network kernel interface constructor. * * @param create constructor to unregister */ - void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); + void (*remove_net_interface)(kernel_interface_t *this, + kernel_net_constructor_t create); + + /** + * Add a listener to the kernel interface. + * + * @param listener listener to add + */ + void (*add_listener)(kernel_interface_t *this, + kernel_listener_t *listener); + + /** + * Remove a listener from the kernel interface. + * + * @param listener listener to remove + */ + void (*remove_listener)(kernel_interface_t *this, + kernel_listener_t *listener); + + /** + * Raise an acquire event. + * + * @param reqid reqid of the policy to acquire + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + */ + void (*acquire)(kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + + /** + * Raise an expire event. + * + * @param reqid reqid of the expired SA + * @param protocol protocol of the expired SA + * @param spi spi of the expired SA + * @param hard TRUE if it is a hard expire, FALSE otherwise + */ + void (*expire)(kernel_interface_t *this, u_int32_t reqid, + u_int8_t protocol, u_int32_t spi, bool hard); + + /** + * Raise a mapping event. + * + * @param reqid reqid of the SA + * @param spi spi of the SA + * @param remote new remote host + */ + void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi, + host_t *remote); + + /** + * Raise a migrate event. + * + * @param reqid reqid of the policy + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + * @param direction direction of the policy (in|out) + * @param local local host address to be used in the IKE_SA + * @param remote remote host address to be used in the IKE_SA + */ + void (*migrate)(kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote); + + /** + * Raise a roam event. + * + * @param address TRUE if address list, FALSE if routing changed + */ + void (*roam)(kernel_interface_t *this, bool address); /** * Destroys a kernel_interface_manager_t object. diff --git a/src/libcharon/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c index 5b0335b16..383685426 100644 --- a/src/libcharon/kernel/kernel_ipsec.c +++ b/src/libhydra/kernel/kernel_ipsec.c @@ -27,3 +27,11 @@ ENUM(policy_dir_names, POLICY_IN, POLICY_FWD, "fwd" ); +ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH, + "IPCOMP_NONE", + "IPCOMP_OUI", + "IPCOMP_DEFLATE", + "IPCOMP_LZS", + "IPCOMP_LZJH" +); + diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index d09265cc9..49d9cc07a 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -18,7 +18,7 @@ /** * @defgroup kernel_ipsec kernel_ipsec - * @{ @ingroup kernel + * @{ @ingroup hkernel */ #ifndef KERNEL_IPSEC_H_ @@ -26,15 +26,19 @@ typedef enum ipsec_mode_t ipsec_mode_t; typedef enum policy_dir_t policy_dir_t; +typedef enum policy_type_t policy_type_t; +typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct kernel_ipsec_t kernel_ipsec_t; +typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t; +typedef struct lifetime_cfg_t lifetime_cfg_t; +typedef struct mark_t mark_t; #include <utils/host.h> #include <crypto/prf_plus.h> -#include <config/proposal.h> -#include <config/child_cfg.h> +#include <selectors/traffic_selector.h> /** - * Mode of a CHILD_SA. + * Mode of an IPsec SA. */ enum ipsec_mode_t { /** transport mode, no inner address */ @@ -70,6 +74,84 @@ enum policy_dir_t { extern enum_name_t *policy_dir_names; /** + * Type of a policy. + */ +enum policy_type_t { + /** Normal IPsec policy */ + POLICY_IPSEC = 1, + /** Passthrough policy (traffic is ignored by IPsec) */ + POLICY_PASS, + /** Drop policy (traffic is discarded) */ + POLICY_DROP, +}; + +/** + * IPComp transform IDs, as in RFC 4306 + */ +enum ipcomp_transform_t { + IPCOMP_NONE = 0, + IPCOMP_OUI = 1, + IPCOMP_DEFLATE = 2, + IPCOMP_LZS = 3, + IPCOMP_LZJH = 4, +}; + +/** + * enum strings for ipcomp_transform_t. + */ +extern enum_name_t *ipcomp_transform_names; + +/** + * This struct contains details about IPsec SA(s) tied to a policy. + */ +struct ipsec_sa_cfg_t { + /** mode of SA (tunnel, transport) */ + ipsec_mode_t mode; + /** unique ID */ + u_int32_t reqid; + /** details about ESP/AH */ + struct { + /** TRUE if this protocol is used */ + bool use; + /** SPI for ESP/AH */ + u_int32_t spi; + } esp, ah; + /** details about IPComp */ + struct { + /** the IPComp transform used */ + u_int16_t transform; + /** CPI for IPComp */ + u_int16_t cpi; + } ipcomp; +}; + +/** + * A lifetime_cfg_t defines the lifetime limits of an SA. + * + * Set any of these values to 0 to ignore. + */ +struct lifetime_cfg_t { + struct { + /** Limit before the SA gets invalid. */ + u_int64_t life; + /** Limit before the SA gets rekeyed. */ + u_int64_t rekey; + /** The range of a random value subtracted from rekey. */ + u_int64_t jitter; + } time, bytes, packets; +}; + +/** + * A mark_t defines an optional mark in an IPsec SA. + */ +struct mark_t { + /** Mark value */ + u_int32_t value; + /** Mark mask */ + u_int32_t mask; +}; + +/** * Interface to the ipsec subsystem of the kernel. * * The kernel ipsec interface handles the communication with the kernel @@ -93,7 +175,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -138,7 +220,7 @@ struct kernel_ipsec_t { */ status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, @@ -168,7 +250,7 @@ struct kernel_ipsec_t { * the kernel interface can't update the SA */ status_t (*update_sa)(kernel_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark); @@ -185,7 +267,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes); /** @@ -200,7 +282,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark); /** @@ -213,14 +295,10 @@ struct kernel_ipsec_t { * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param spi SPI of SA - * @param protocol protocol to use to protect traffic (AH/ESP) - * @param reqid unique ID of an SA to use to enforce policy + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy * @param mark mark for this policy - * @param mode mode of SA (tunnel, transport) - * @param ipcomp the IPComp transform used - * @param cpi CPI for IPComp * @param routed TRUE, if this policy is routed in the kernel * @return SUCCESS if operation completed */ @@ -228,10 +306,8 @@ struct kernel_ipsec_t { host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - mark_t mark, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool routed); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, bool routed); /** * Query the use time of a policy. @@ -242,7 +318,7 @@ struct kernel_ipsec_t { * * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) * @param mark optional mark * @param[out] use_time the monotonic timestamp of this SA's last use * @return SUCCESS if operation completed @@ -263,7 +339,7 @@ struct kernel_ipsec_t { * * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h new file mode 100644 index 000000000..6f2dbd23b --- /dev/null +++ b/src/libhydra/kernel/kernel_listener.h @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup kernel_listener kernel_listener + * @{ @ingroup hkernel + */ + +#ifndef KERNEL_LISTENER_H_ +#define KERNEL_LISTENER_H_ + +typedef struct kernel_listener_t kernel_listener_t; + +#include <kernel/kernel_ipsec.h> +#include <selectors/traffic_selector.h> +#include <utils/host.h> + +/** + * Interface for components interested in kernel events. + * + * All hooks are optional. + */ +struct kernel_listener_t { + + /** + * Hook called if an acquire event for a policy is received. + * + * @param reqid reqid of the policy to acquire + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + * @return TRUE to remain registered, FALSE to unregister + */ + bool (*acquire)(kernel_listener_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + + /** + * Hook called if an exire event for an IPsec SA is received. + * + * @param reqid reqid of the expired SA + * @param protocol protocol of the expired SA + * @param spi spi of the expired SA + * @param hard TRUE if it is a hard expire, FALSE otherwise + * @return TRUE to remain registered, FALSE to unregister + */ + bool (*expire)(kernel_listener_t *this, u_int32_t reqid, + u_int8_t protocol, u_int32_t spi, bool hard); + + /** + * Hook called if the NAT mappings of an IPsec SA changed. + * + * @param reqid reqid of the SA + * @param spi spi of the SA + * @param remote new remote host + * @return TRUE to remain registered, FALSE to unregister + */ + bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, + host_t *remote); + + /** + * Hook called if a migrate event for a policy is received. + * + * @param reqid reqid of the policy + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + * @param direction direction of the policy (in|out) + * @param local local host address to be used in the IKE_SA + * @param remote remote host address to be used in the IKE_SA + * @return TRUE to remain registered, FALSE to unregister + */ + bool (*migrate)(kernel_listener_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote); + + /** + * Hook called if changes in the networking layer occured (interfaces + * up/down, routes added/deleted etc.). + * + * @param address TRUE if address list, FALSE if routing changed + * @return TRUE to remain registered, FALSE to unregister + */ + bool (*roam)(kernel_listener_t *this, bool address); +}; + +#endif /** KERNEL_LISTENER_H_ @}*/ diff --git a/src/libcharon/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h index efb221f88..69e01f43f 100644 --- a/src/libcharon/kernel/kernel_net.h +++ b/src/libhydra/kernel/kernel_net.h @@ -16,7 +16,7 @@ /** * @defgroup kernel_net kernel_net - * @{ @ingroup kernel + * @{ @ingroup hkernel */ #ifndef KERNEL_NET_H_ @@ -64,7 +64,7 @@ struct kernel_net_t { * Get the interface name of a local address. * * @param host address to get interface name from - * @return allocated interface name, or NULL if not found + * @return allocated interface name, or NULL if not found */ char* (*get_interface) (kernel_net_t *this, host_t *host); @@ -116,10 +116,11 @@ struct kernel_net_t { * @param src_ip sourc ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed - * ALREADY_DONE if the route already exists + * ALREADY_DONE if the route already exists */ - status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen, - host_t *gateway, host_t *src_ip, char *if_name); + status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); /** * Delete a route. @@ -131,8 +132,9 @@ struct kernel_net_t { * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed */ - status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen, - host_t *gateway, host_t *src_ip, char *if_name); + status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); /** * Destroy the implementation. diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am index 71401648e..fe0c39ebd 100644 --- a/src/libhydra/plugins/attr/Makefile.am +++ b/src/libhydra/plugins/attr/Makefile.am @@ -1,6 +1,5 @@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 71402fc7f..72182e57f 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -254,9 +270,7 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am index a3dac863f..7491debcd 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.am +++ b/src/libhydra/plugins/attr_sql/Makefile.am @@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = \ -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${pool_plugins}\"" if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-attr-sql.la diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index edf51059b..dfb41cc02 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -177,6 +178,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -208,14 +211,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -230,24 +236,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -255,7 +268,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -270,7 +286,7 @@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = \ -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${pool_plugins}\"" @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la diff --git a/src/libcharon/plugins/kernel_klips/Makefile.am b/src/libhydra/plugins/kernel_klips/Makefile.am index 540bbe106..df639b255 100644 --- a/src/libcharon/plugins/kernel_klips/Makefile.am +++ b/src/libhydra/plugins/kernel_klips/Makefile.am @@ -1,6 +1,5 @@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index 9cac89ec3..a451bd6f5 100644 --- a/src/libcharon/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_klips +subdir = src/libhydra/plugins/kernel_klips DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -258,9 +274,7 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la @@ -282,9 +296,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile + $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index 6b5aeb342..0ccb2ac5f 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c @@ -28,14 +28,12 @@ #include "kernel_klips_ipsec.h" -#include <daemon.h> +#include <hydra.h> +#include <debug.h> +#include <utils/linked_list.h> #include <threading/thread.h> #include <threading/mutex.h> #include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> /** default timeout for generated SPIs (in seconds) */ #define SPI_TIMEOUT 30 @@ -318,7 +316,8 @@ static status_t attach_ipsec_dev(char* name, char *phys_name) } mtu = lib->settings->get_int(lib->settings, - "charon.plugins.kernel-klips.ipsec_dev_mtu", 0); + "%s.plugins.kernel-klips.ipsec_dev_mtu", 0, + hydra->daemon); if (mtu <= 0) { /* guess MTU as physical MTU - ESP overhead [- NAT-T overhead] @@ -587,7 +586,7 @@ typedef struct sa_entry_t sa_entry_t; struct sa_entry_t { /** protocol of this SA */ - protocol_id_t protocol; + u_int8_t protocol; /** reqid of this SA */ u_int32_t reqid; @@ -611,7 +610,7 @@ struct sa_entry_t { /** * create an sa_entry_t object */ -static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi, +static sa_entry_t *create_sa_entry(u_int8_t protocol, u_int32_t spi, u_int32_t reqid, host_t *src, host_t *dst, bool encap, bool inbound) { @@ -649,7 +648,7 @@ static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi /** * match an sa_entry_t by protocol, spi and dst address (as the kernel does it) */ -static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol, +static inline bool sa_entry_match_bydst(sa_entry_t *current, u_int8_t *protocol, u_int32_t *spi, host_t *dst) { return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst); @@ -658,7 +657,7 @@ static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *prot /** * match an sa_entry_t by protocol, reqid and spi */ -static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol, +static inline bool sa_entry_match_byid(sa_entry_t *current, u_int8_t *protocol, u_int32_t *spi, u_int32_t *reqid) { return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid; @@ -716,15 +715,15 @@ struct pfkey_msg_t }; /** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type + * convert a protocol identifier to the PF_KEY sa type */ -static u_int8_t proto_ike2satype(protocol_id_t proto) +static u_int8_t proto2satype(u_int8_t proto) { switch (proto) { - case PROTO_ESP: + case IPPROTO_ESP: return SADB_SATYPE_ESP; - case PROTO_AH: + case IPPROTO_AH: return SADB_SATYPE_AH; case IPPROTO_COMP: return SADB_X_SATYPE_COMP; @@ -734,20 +733,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto) } /** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier + * convert a PF_KEY sa type to a protocol identifier */ -static protocol_id_t proto_satype2ike(u_int8_t proto) +static u_int8_t satype2proto(u_int8_t satype) { - switch (proto) + switch (satype) { case SADB_SATYPE_ESP: - return PROTO_ESP; + return IPPROTO_ESP; case SADB_SATYPE_AH: - return PROTO_AH; + return IPPROTO_AH; case SADB_X_SATYPE_COMP: return IPPROTO_COMP; default: - return proto; + return satype; } } @@ -1236,7 +1235,6 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* u_int32_t reqid; u_int8_t proto; policy_entry_t *policy; - job_t *job; switch (msg->sadb_msg_satype) { @@ -1297,10 +1295,8 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* this->mutex->unlock(this->mutex); - DBG2(DBG_KNL, "received an SADB_ACQUIRE"); - DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid); - job = (job_t*)acquire_job_create(reqid, NULL, NULL); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, NULL, + NULL); } /** @@ -1311,7 +1307,6 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* pfkey_msg_t response; u_int32_t spi, reqid; host_t *old_src, *new_src; - job_t *job; DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); @@ -1323,7 +1318,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* spi = response.sa->sadb_sa_spi; - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) + if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP) { sa_entry_t *sa; sockaddr_t *addr = (sockaddr_t*)(response.src + 1); @@ -1360,10 +1355,8 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* new_src = host_create_from_sockaddr(addr); if (new_src) { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and" - " reqid {%d} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, new_src); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->mapping(hydra->kernel_interface, reqid, + spi, new_src); } } } @@ -1421,12 +1414,14 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this) process_acquire(this, msg); break; case SADB_EXPIRE: - /* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for - * the time based limits). So if there is no traffic for a longer - * period than configured as hard limit, we wouldn't be able to rekey - * the SA and just receive the hard expire and thus delete the SA. - * To avoid this behavior and to make charon behave as with the other - * kernel plugins, we implement the expiration of SAs ourselves. */ + /* SADB_EXPIRE events in KLIPS are only triggered by traffic (even + * for the time based limits). So if there is no traffic for a + * longer period than configured as hard limit, we wouldn't be able + * to rekey the SA and just receive the hard expire and thus delete + * the SA. + * To avoid this behavior and to make the daemon behave as with the + * other kernel plugins, we implement the expiration of SAs + * ourselves. */ break; case SADB_X_NAT_T_NEW_MAPPING: process_mapping(this, msg); @@ -1455,7 +1450,7 @@ struct sa_expire_t { /** the SPI of the expiring SA */ u_int32_t spi; /** the protocol of the expiring SA */ - protocol_id_t protocol; + u_int8_t protocol; /** the reqid of the expiring SA*/ u_int32_t reqid; /** what type of expire this is */ @@ -1468,12 +1463,11 @@ struct sa_expire_t { static job_requeue_t sa_expires(sa_expire_t *expire) { private_kernel_klips_ipsec_t *this = expire->this; - protocol_id_t protocol = expire->protocol; + u_int8_t protocol = expire->protocol; u_int32_t spi = expire->spi, reqid = expire->reqid; bool hard = expire->type != EXPIRE_TYPE_SOFT; sa_entry_t *cached_sa; linked_list_t *list; - job_t *job; /* for an expired SPI we first check whether the CHILD_SA got installed * in the meantime, for expired SAs we check whether they are still installed */ @@ -1496,21 +1490,8 @@ static job_requeue_t sa_expires(sa_expire_t *expire) } this->mutex->unlock(this->mutex); - DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired", - protocol_id_names, protocol, ntohl(spi), reqid); - - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}", - hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, + spi, hard); return JOB_REQUEUE_NONE; } @@ -1518,7 +1499,7 @@ static job_requeue_t sa_expires(sa_expire_t *expire) * Schedule an expire job for an SA. Time is in seconds. */ static void schedule_expire(private_kernel_klips_ipsec_t *this, - protocol_id_t protocol, u_int32_t spi, + u_int8_t protocol, u_int32_t spi, u_int32_t reqid, expire_type_t type, u_int32_t time) { callback_job_t *job; @@ -1529,12 +1510,12 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this, expire->reqid = reqid; expire->type = type; job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL); - charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time); + lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, time); } METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { /* we cannot use SADB_GETSPI because KLIPS does not allow us to set the * NAT-T type in an SADB_UPDATE which we would have to use to update the @@ -1552,12 +1533,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t, rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen); rng->destroy(rng); - /* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */ + /* allocated SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */ spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF); - DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H", - spi_gen, protocol_id_names, protocol, src, dst); - *spi = htonl(spi_gen); this->mutex->lock(this->mutex); @@ -1629,7 +1607,7 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this, */ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid) + u_int8_t protocol, u_int32_t reqid) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1659,7 +1637,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg); satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2; satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype)); - satype->sadb_x_satype_satype = proto_ike2satype(protocol); + satype->sadb_x_satype_satype = proto2satype(protocol); PFKEY_EXT_ADD(msg, satype); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1690,7 +1668,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1731,7 +1709,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1848,7 +1826,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_klips_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -1885,7 +1863,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1921,14 +1899,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; /* TODO */ } METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1957,7 +1935,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1992,13 +1970,13 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; policy_entry_t *policy, *found = NULL; + u_int32_t spi; u_int8_t satype; size_t len; @@ -2009,8 +1987,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } /* tunnel mode policies direct the packets into the pseudo IPIP SA */ - satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP : - proto_ike2satype(protocol); + satype = (sa->mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP + : proto2satype(sa->esp.use ? IPPROTO_ESP + : IPPROTO_AH); + spi = sa->esp.use ? sa->esp.spi : sa->ah.spi; /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction); @@ -2042,7 +2022,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* the reqid is always set to the latest child SA that trapped this * policy. we will need this reqid upon receiving an acquire. */ - policy->reqid = reqid; + policy->reqid = sa->reqid; /* increase the trap counter */ policy->trapcount++; @@ -2120,11 +2100,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t, route_entry_t *route = malloc_thing(route_entry_t); route->src_ip = NULL; - if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && + if (sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && this->install_routes) { - charon->kernel_interface->get_address_by_ts(charon->kernel_interface, - src_ts, &route->src_ip); + hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, + src_ts, &route->src_ip); } if (!route->src_ip) @@ -2133,8 +2113,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } /* find the virtual interface */ - iface = charon->kernel_interface->get_interface(charon->kernel_interface, - src); + iface = hydra->kernel_interface->get_interface(hydra->kernel_interface, + src); if (find_ipsec_dev(this, iface, &dev) == SUCCESS) { /* above, we got either the name of a virtual or a physical @@ -2180,12 +2160,12 @@ METHOD(kernel_ipsec_t, add_policy, status_t, route->if_name = strdup(dev->name); /* get the nexthop to dst */ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, dst); + route->gateway = hydra->kernel_interface->get_nexthop( + hydra->kernel_interface, dst); route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)); route->prefixlen = policy->dst.mask; - switch (charon->kernel_interface->add_route(charon->kernel_interface, + switch (hydra->kernel_interface->add_route(hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name)) { @@ -2467,7 +2447,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, { ipsec_dev_t *dev; - if (charon->kernel_interface->del_route(charon->kernel_interface, + if (hydra->kernel_interface->del_route(hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name) != SUCCESS) { @@ -2509,8 +2489,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t, static void init_ipsec_devices(private_kernel_klips_ipsec_t *this) { int i, count = lib->settings->get_int(lib->settings, - "charon.plugins.kernel-klips.ipsec_dev_count", - DEFAULT_IPSEC_DEV_COUNT); + "%s.plugins.kernel-klips.ipsec_dev_count", + DEFAULT_IPSEC_DEV_COUNT, hydra->daemon); for (i = 0; i < count; ++i) { @@ -2598,18 +2578,20 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() private_kernel_klips_ipsec_t *this; INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, + .public = { + .interface = { + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .add_sa = _add_sa, + .update_sa = _update_sa, + .query_sa = _query_sa, + .del_sa = _del_sa, + .add_policy = _add_policy, + .query_policy = _query_policy, + .del_policy = _del_policy, + .bypass_socket = _bypass_socket, + .destroy = _destroy, + }, }, .policies = linked_list_create(), .allocated_spis = linked_list_create(), @@ -2618,7 +2600,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT), .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), + "%s.install_routes", TRUE, + hydra->daemon), ); /* initialize ipsec devices */ @@ -2653,7 +2636,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h index 306ec0ada..306ec0ada 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c index fa5e9eb29..1a22835c0 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c @@ -18,7 +18,7 @@ #include "kernel_klips_ipsec.h" -#include <daemon.h> +#include <hydra.h> typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t; @@ -37,7 +37,8 @@ struct private_kernel_klips_plugin_t { */ static void destroy(private_kernel_klips_plugin_t *this) { - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); + hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); free(this); } @@ -50,7 +51,8 @@ plugin_t *kernel_klips_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); + hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h index 6086217ad..8dd386a66 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup kernel_klips kernel_klips - * @ingroup cplugins + * @ingroup hplugins * * @defgroup kernel_klips_plugin kernel_klips_plugin * @{ @ingroup kernel_klips diff --git a/src/libcharon/plugins/kernel_klips/pfkeyv2.h b/src/libhydra/plugins/kernel_klips/pfkeyv2.h index 20d1c298d..20d1c298d 100644 --- a/src/libcharon/plugins/kernel_klips/pfkeyv2.h +++ b/src/libhydra/plugins/kernel_klips/pfkeyv2.h diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am index 2bb00ec0d..1ad379421 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ b/src/libhydra/plugins/kernel_netlink/Makefile.am @@ -1,6 +1,6 @@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic \ -DROUTING_TABLE=${routing_table} \ @@ -14,7 +14,8 @@ endif libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_plugin.h kernel_netlink_plugin.c \ - kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ + kernel_netlink_ipsec.h kernel_netlink_ipsec.c \ + kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index 49cc895bc..d41ee1456 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_netlink +subdir = src/libhydra/plugins/kernel_netlink DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -260,7 +276,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic \ -DROUTING_TABLE=${routing_table} \ @@ -270,7 +286,8 @@ AM_CFLAGS = -rdynamic \ @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_plugin.h kernel_netlink_plugin.c \ - kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ + kernel_netlink_ipsec.h kernel_netlink_ipsec.c \ + kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version @@ -287,9 +304,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile + $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 019ec93f8..8cc9a6283 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -35,16 +35,12 @@ #include "kernel_netlink_ipsec.h" #include "kernel_netlink_shared.h" -#include <daemon.h> +#include <hydra.h> +#include <debug.h> #include <threading/thread.h> #include <threading/mutex.h> #include <utils/hashtable.h> #include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/migrate_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> /** required for Linux 2.6.26 kernel and later */ #ifndef XFRM_STATE_AF_UNSPEC @@ -187,6 +183,8 @@ static kernel_algorithm_t encryption_algs[] = { /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */ /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */ /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */ + {ENCR_SERPENT_CBC, "serpent" }, + {ENCR_TWOFISH_CBC, "twofish" }, {END_OF_LIST, NULL } }; @@ -296,7 +294,7 @@ struct policy_entry_t { static u_int policy_hash(policy_entry_t *key) { chunk_t chunk = chunk_create((void*)&key->sel, - sizeof(struct xfrm_selector) + sizeof(u_int32_t)); + sizeof(struct xfrm_selector) + sizeof(u_int32_t)); return chunk_hash(chunk); } @@ -305,7 +303,7 @@ static u_int policy_hash(policy_entry_t *key) */ static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) { - return memeq(&key->sel, &other_key->sel, + return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector) + sizeof(u_int32_t)) && key->direction == other_key->direction; } @@ -353,38 +351,6 @@ struct private_kernel_netlink_ipsec_t { }; /** - * convert a IKEv2 specific protocol identifier to the kernel one - */ -static u_int8_t proto_ike2kernel(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; - } -} - -/** - * reverse of ike2kernel - */ -static protocol_id_t proto_kernel2ike(u_int8_t proto) -{ - switch (proto) - { - case IPPROTO_ESP: - return PROTO_ESP; - case IPPROTO_AH: - return PROTO_AH; - default: - return proto; - } -} - -/** * convert the general ipsec mode to the one defined in xfrm.h */ static u_int8_t mode2kernel(ipsec_mode_t mode) @@ -556,7 +522,6 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd struct xfrm_user_acquire *acquire; struct rtattr *rta; size_t rtasize; - job_t *job; acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr); rta = XFRM_RTA(hdr, struct xfrm_user_acquire); @@ -590,10 +555,9 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd } src_ts = selector2ts(&acquire->sel, TRUE); dst_ts = selector2ts(&acquire->sel, FALSE); - DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}", - src_ts, dst_ts, reqid); - job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts); - charon->processor->queue_job(charon->processor, job); + + hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts, + dst_ts); } /** @@ -601,37 +565,26 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd */ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { - job_t *job; - protocol_id_t protocol; + u_int8_t protocol; u_int32_t spi, reqid; struct xfrm_user_expire *expire; expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); - protocol = proto_kernel2ike(expire->state.id.proto); + protocol = expire->state.id.proto; spi = expire->state.id.spi; reqid = expire->state.reqid; DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - if (protocol != PROTO_ESP && protocol != PROTO_AH) + if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) { - DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} " - "which is not a CHILD_SA", ntohl(spi), reqid); + DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and " + "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid); return; } - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}", - expire->hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (expire->hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, + spi, expire->hard != 0); } /** @@ -648,7 +601,6 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd size_t rtasize; u_int32_t reqid = 0; policy_dir_t dir; - job_t *job; policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id); @@ -677,18 +629,15 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd else if (rta->rta_type == XFRMA_MIGRATE) { struct xfrm_user_migrate *migrate; - protocol_id_t proto; migrate = (struct xfrm_user_migrate*)RTA_DATA(rta); old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0); old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0); new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0); new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0); - proto = proto_kernel2ike(migrate->proto); reqid = migrate->reqid; - DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}", - protocol_id_names, proto, old_src, old_dst, - new_src, new_dst, reqid); + DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}", + old_src, old_dst, new_src, new_dst, reqid); DESTROY_IF(old_src); DESTROY_IF(old_dst); DESTROY_IF(new_src); @@ -699,11 +648,8 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd if (src_ts && dst_ts && local && remote) { - DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}", - src_ts, dst_ts, policy_dir_names, dir, reqid, local); - job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir, - local, remote); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->migrate(hydra->kernel_interface, reqid, + src_ts, dst_ts, dir, local, remote); } else { @@ -720,7 +666,6 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd static void process_mapping(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { - job_t *job; u_int32_t spi, reqid; struct xfrm_user_mapping *mapping; host_t *host; @@ -731,16 +676,14 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); - if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP) + if (mapping->id.proto == IPPROTO_ESP) { host = xfrm2host(mapping->id.family, &mapping->new_saddr, mapping->new_sport); if (host) { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and " - "reqid {%u} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, host); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->mapping(hydra->kernel_interface, reqid, + spi, host); } } } @@ -882,11 +825,11 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol), + if (get_spi_internal(this, src, dst, protocol, 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); @@ -922,9 +865,9 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts, traffic_selector_t* dst_ts) { @@ -968,7 +911,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, host2xfrm(src, &sa->saddr); host2xfrm(dst, &sa->id.daddr); sa->id.spi = spi; - sa->id.proto = proto_ike2kernel(protocol); + sa->id.proto = protocol; sa->family = src->get_family(src); sa->mode = mode2kernel(mode); switch (mode) @@ -1080,7 +1023,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } } - if (int_alg != AUTH_UNDEFINED) + if (int_alg != AUTH_UNDEFINED) { alg_name = lookup_algorithm(integrity_algs, int_alg); if (alg_name == NULL) @@ -1230,7 +1173,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * Get the replay state (i.e. sequence numbers) of an SA. */ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, host_t *dst, + u_int32_t spi, u_int8_t protocol, host_t *dst, struct xfrm_replay_state *replay) { netlink_buf_t request; @@ -1254,7 +1197,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, host2xfrm(dst, &aevent_id->sa_id.daddr); aevent_id->sa_id.spi = spi; - aevent_id->sa_id.proto = proto_ike2kernel(protocol); + aevent_id->sa_id.proto = protocol; aevent_id->sa_id.family = dst->get_family(dst); if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) @@ -1316,7 +1259,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1343,7 +1286,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (mark.value) @@ -1379,7 +1322,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, case NLMSG_ERROR: { struct nlmsgerr *err = NLMSG_DATA(hdr); - + if (mark.value) { DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " @@ -1419,7 +1362,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1450,7 +1393,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (mark.value) @@ -1497,7 +1440,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool old_encap, bool new_encap, mark_t mark) { @@ -1533,7 +1476,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) @@ -1676,15 +1619,15 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { policy_entry_t *current, *policy; bool found = FALSE; netlink_buf_t request; struct xfrm_userpolicy_info *policy_info; struct nlmsghdr *hdr; + int i; /* create a policy */ policy = malloc_thing(policy_entry_t); @@ -1705,7 +1648,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) " "already exists, increasing refcount", src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); + mark.value, mark.mask); } else { @@ -1749,7 +1692,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info->priority -= policy->sel.prefixlen_s * 10; policy_info->priority -= policy->sel.proto ? 2 : 0; policy_info->priority -= policy->sel.sport_mask ? 1 : 0; - policy_info->action = XFRM_POLICY_ALLOW; + policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW + : XFRM_POLICY_BLOCK; policy_info->share = XFRM_SHARE_ANY; this->mutex->unlock(this->mutex); @@ -1764,55 +1708,59 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info->lft.hard_use_expires_seconds = 0; struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); - rthdr->rta_type = XFRMA_TMPL; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) + if (type == POLICY_IPSEC) { - return FAILED; - } + struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); + struct { + u_int8_t proto; + bool use; + } protos[] = { + { IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE }, + { IPPROTO_ESP, sa->esp.use }, + { IPPROTO_AH, sa->ah.use }, + }; + ipsec_mode_t proto_mode = sa->mode; - struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); + rthdr->rta_type = XFRMA_TMPL; + rthdr->rta_len = 0; /* actual length is set below */ - if (ipcomp != IPCOMP_NONE) - { - tmpl->reqid = reqid; - tmpl->id.proto = IPPROTO_COMP; - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode2kernel(mode); - tmpl->optional = direction != POLICY_OUT; - tmpl->family = src->get_family(src); + for (i = 0; i < countof(protos); i++) + { + if (!protos[i].use) + { + continue; + } - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); + rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); + hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } - /* add an additional xfrm_user_tmpl */ - rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } + tmpl->reqid = sa->reqid; + tmpl->id.proto = protos[i].proto; + tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; + tmpl->mode = mode2kernel(proto_mode); + tmpl->optional = protos[i].proto == IPPROTO_COMP && + direction != POLICY_OUT; + tmpl->family = src->get_family(src); + + if (proto_mode == MODE_TUNNEL) + { /* only for tunnel mode */ + host2xfrm(src, &tmpl->saddr); + host2xfrm(dst, &tmpl->id.daddr); + } - tmpl++; + tmpl++; - /* use transport mode for ESP if we have a tunnel mode IPcomp SA */ - mode = MODE_TRANSPORT; - } - else - { - /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */ - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); - } + /* use transport mode for other SAs */ + proto_mode = MODE_TRANSPORT; + } - tmpl->reqid = reqid; - tmpl->id.proto = proto_ike2kernel(protocol); - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode2kernel(mode); - tmpl->family = src->get_family(src); - rthdr = XFRM_RTA_NEXT(rthdr); + rthdr = XFRM_RTA_NEXT(rthdr); + } if (mark.value) { @@ -1846,27 +1794,27 @@ METHOD(kernel_ipsec_t, add_policy, status_t, * - routing is not disabled via strongswan.conf */ if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && this->install_routes) + sa->mode != MODE_TRANSPORT && this->install_routes) { route_entry_t *route = malloc_thing(route_entry_t); - if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface, + if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, dst_ts, &route->src_ip) == SUCCESS) { /* get the nexthop to src (src as we are in POLICY_FWD).*/ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, src); + route->gateway = hydra->kernel_interface->get_nexthop( + hydra->kernel_interface, src); /* install route via outgoing interface */ - route->if_name = charon->kernel_interface->get_interface( - charon->kernel_interface, dst); + route->if_name = hydra->kernel_interface->get_interface( + hydra->kernel_interface, dst); route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len); route->prefixlen = policy->sel.prefixlen_s; if (route->if_name) { - switch (charon->kernel_interface->add_route( - charon->kernel_interface, route->dst_net, + switch (hydra->kernel_interface->add_route( + hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name)) { @@ -2002,7 +1950,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, bool unrouted) { policy_entry_t *current, policy, *to_delete = NULL; @@ -2112,7 +2060,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (route) { - if (charon->kernel_interface->del_route(charon->kernel_interface, + if (hydra->kernel_interface->del_route(hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name) != SUCCESS) { @@ -2202,26 +2150,34 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() int fd; INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, + .public = { + .interface = { + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .add_sa = _add_sa, + .update_sa = _update_sa, + .query_sa = _query_sa, + .del_sa = _del_sa, + .add_policy = _add_policy, + .query_policy = _query_policy, + .del_policy = _del_policy, + .bypass_socket = _bypass_socket, + .destroy = _destroy, + }, }, .policies = hashtable_create((hashtable_hash_t)policy_hash, (hashtable_equals_t)policy_equals, 32), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), + "%s.install_routes", TRUE, + hydra->daemon), ); + if (streq(hydra->daemon, "pluto")) + { /* no routes for pluto, they are installed via updown script */ + this->install_routes = FALSE; + } + /* disable lifetimes for allocated SPIs in kernel */ fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY); if (fd) @@ -2258,7 +2214,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() } this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h index 3a45cce06..3a45cce06 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index 6750458cf..314c1acc1 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -47,15 +47,15 @@ #include "kernel_netlink_net.h" #include "kernel_netlink_shared.h" -#include <daemon.h> +#include <hydra.h> +#include <debug.h> #include <threading/thread.h> #include <threading/condvar.h> #include <threading/mutex.h> #include <utils/linked_list.h> #include <processing/jobs/callback_job.h> -#include <processing/jobs/roam_job.h> -/** delay before firing roam jobs (ms) */ +/** delay before firing roam events (ms) */ #define ROAM_DELAY 100 typedef struct addr_entry_t addr_entry_t; @@ -158,7 +158,7 @@ struct private_kernel_netlink_net_t { int socket_events; /** - * time of the last roam_job + * time of the last roam event */ timeval_t last_roam; @@ -223,12 +223,58 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip) } /** - * start a roaming job. We delay it for a second and fire only one job - * for multiple events. Otherwise we would create two many jobs. + * get the first non-virtual ip address on the given interface. + * returned host is a clone, has to be freed by caller. */ -static void fire_roam_job(private_kernel_netlink_net_t *this, bool address) +static host_t *get_interface_address(private_kernel_netlink_net_t *this, + int ifindex, int family) +{ + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + host_t *ip = NULL; + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->ifindex == ifindex) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (!addr->virtual && addr->ip->get_family(addr->ip) == family) + { + ip = addr->ip->clone(addr->ip); + break; + } + } + addrs->destroy(addrs); + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + return ip; +} + +/** + * callback function that raises the delayed roam event + */ +static job_requeue_t roam_event(uintptr_t address) +{ + hydra->kernel_interface->roam(hydra->kernel_interface, address != 0); + return JOB_REQUEUE_NONE; +} + +/** + * fire a roaming event. we delay it for a bit and fire only one event + * for multiple calls. otherwise we would create too many events. + */ +static void fire_roam_event(private_kernel_netlink_net_t *this, bool address) { timeval_t now; + job_t *job; time_monotonic(&now); if (timercmp(&now, &this->last_roam, >)) @@ -240,8 +286,11 @@ static void fire_roam_job(private_kernel_netlink_net_t *this, bool address) now.tv_usec -= 1000000; } this->last_roam = now; - charon->scheduler->schedule_job_ms(charon->scheduler, - (job_t*)roam_job_create(address), ROAM_DELAY); + + job = (job_t*)callback_job_create((callback_job_cb_t)roam_event, + (void*)(uintptr_t)(address ? 1 : 0), + NULL, NULL); + lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY); } } @@ -341,7 +390,7 @@ static void process_link(private_kernel_netlink_net_t *this, /* send an update to all IKE_SAs */ if (update && event) { - fire_roam_job(this, TRUE); + fire_roam_event(this, TRUE); } } @@ -458,7 +507,7 @@ static void process_addr(private_kernel_netlink_net_t *this, /* send an update to all IKE_SAs */ if (update && event && changed) { - fire_roam_job(this, TRUE); + fire_roam_event(this, TRUE); } } @@ -470,10 +519,12 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr)); struct rtattr *rta = RTM_RTA(msg); size_t rtasize = RTM_PAYLOAD(hdr); + u_int32_t rta_oif = 0; host_t *host = NULL; - /* ignore routes added by us */ - if (msg->rtm_table && msg->rtm_table == this->routing_table) + /* ignore routes added by us or in the local routing table (local addrs) */ + if (msg->rtm_table && (msg->rtm_table == this->routing_table || + msg->rtm_table == RT_TABLE_LOCAL)) { return; } @@ -486,15 +537,25 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h host = host_create_from_chunk(msg->rtm_family, chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0); break; + case RTA_OIF: + if (RTA_PAYLOAD(rta) == sizeof(rta_oif)) + { + rta_oif = *(u_int32_t*)RTA_DATA(rta); + } + break; } rta = RTA_NEXT(rta, rtasize); } + if (!host && rta_oif) + { + host = get_interface_address(this, rta_oif, msg->rtm_family); + } if (host) { this->mutex->lock(this->mutex); if (!get_vip_refcount(this, host)) { /* ignore routes added for virtual IPs */ - fire_roam_job(this, FALSE); + fire_roam_event(this, FALSE); } this->mutex->unlock(this->mutex); host->destroy(host); @@ -912,8 +973,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, continue; } if (rta_src.ptr) - { - /* got a source address */ + { /* got a source address */ new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0); if (new_src) { @@ -930,6 +990,18 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, } continue; } + if (rta_oif) + { /* no src or gtw, but an interface. Get address from it. */ + new_src = get_interface_address(this, rta_oif, + msg->rtm_family); + if (new_src) + { + DESTROY_IF(src); + src = new_src; + best = msg->rtm_dst_len; + } + continue; + } if (rta_gtw.ptr) { /* no source, but a gateway. Lookup source to reach gtw. */ new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0); @@ -1424,17 +1496,17 @@ kernel_netlink_net_t *kernel_netlink_net_create() this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); timerclear(&this->last_roam); this->routing_table = lib->settings->get_int(lib->settings, - "charon.routing_table", ROUTING_TABLE); + "%s.routing_table", ROUTING_TABLE, hydra->daemon); this->routing_table_prio = lib->settings->get_int(lib->settings, - "charon.routing_table_prio", ROUTING_TABLE_PRIO); + "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon); this->process_route = lib->settings->get_bool(lib->settings, - "charon.process_route", TRUE); + "%s.process_route", TRUE, hydra->daemon); this->install_virtual_ip = lib->settings->get_bool(lib->settings, - "charon.install_virtual_ip", TRUE); + "%s.install_virtual_ip", TRUE, hydra->daemon); this->rt_exclude = linked_list_create(); exclude = lib->settings->get_str(lib->settings, - "charon.ignore_routing_tables", NULL); + "%s.ignore_routing_tables", NULL, hydra->daemon); if (exclude) { char *token; @@ -1479,7 +1551,7 @@ kernel_netlink_net_t *kernel_netlink_net_create() this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); if (init_address_list(this) != SUCCESS) { diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h index ff9831d3c..ff9831d3c 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c index 4c61265aa..212675d1a 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c @@ -19,7 +19,7 @@ #include "kernel_netlink_ipsec.h" #include "kernel_netlink_net.h" -#include <daemon.h> +#include <hydra.h> typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t; @@ -38,8 +38,10 @@ struct private_kernel_netlink_plugin_t { */ static void destroy(private_kernel_netlink_plugin_t *this) { - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); - charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create); + hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); + hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, + (kernel_net_constructor_t)kernel_netlink_net_create); free(this); } @@ -52,8 +54,10 @@ plugin_t *kernel_netlink_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); - charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create); + hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); + hydra->kernel_interface->add_net_interface(hydra->kernel_interface, + (kernel_net_constructor_t)kernel_netlink_net_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h index 74c9ae24f..a795486ca 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup kernel_netlink kernel_netlink - * @ingroup cplugins + * @ingroup hplugins * * @defgroup kernel_netlink_plugin kernel_netlink_plugin * @{ @ingroup kernel_netlink diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c index 5ed568150..c26fd2e51 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c @@ -21,7 +21,7 @@ #include "kernel_netlink_shared.h" -#include <daemon.h> +#include <debug.h> #include <threading/mutex.h> typedef struct private_netlink_socket_t private_netlink_socket_t; diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h index dfd27a21a..dfd27a21a 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am index 778a7f9a9..1d1488a6b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.am +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.am @@ -1,6 +1,6 @@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index 1dda6827b..a98ae42d1 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_pfkey +subdir = src/libhydra/plugins/kernel_pfkey DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -259,7 +275,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la @@ -282,9 +298,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile + $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index a64c27f6f..f5786447b 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -54,16 +54,13 @@ #include "kernel_pfkey_ipsec.h" -#include <daemon.h> +#include <hydra.h> +#include <debug.h> #include <utils/host.h> +#include <utils/linked_list.h> #include <threading/thread.h> #include <threading/mutex.h> #include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/migrate_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> /** non linux specific */ #ifndef IPPROTO_COMP @@ -398,15 +395,15 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, ); /** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type + * convert a protocol identifier to the PF_KEY sa type */ -static u_int8_t proto_ike2satype(protocol_id_t proto) +static u_int8_t proto2satype(u_int8_t proto) { switch (proto) { - case PROTO_ESP: + case IPPROTO_ESP: return SADB_SATYPE_ESP; - case PROTO_AH: + case IPPROTO_AH: return SADB_SATYPE_AH; case IPPROTO_COMP: return SADB_X_SATYPE_IPCOMP; @@ -416,36 +413,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto) } /** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier + * convert a PF_KEY sa type to a protocol identifier */ -static protocol_id_t proto_satype2ike(u_int8_t proto) +static u_int8_t satype2proto(u_int8_t satype) { - switch (proto) + switch (satype) { case SADB_SATYPE_ESP: - return PROTO_ESP; + return IPPROTO_ESP; case SADB_SATYPE_AH: - return PROTO_AH; + return IPPROTO_AH; case SADB_X_SATYPE_IPCOMP: return IPPROTO_COMP; default: - return proto; - } -} - -/** - * convert a IKEv2 specific protocol identifier to the IP protocol identifier - */ -static u_int8_t proto_ike2ip(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; + return satype; } } @@ -901,7 +882,6 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* u_int32_t index, reqid = 0; traffic_selector_t *src_ts, *dst_ts; policy_entry_t *policy; - job_t *job; switch (msg->sadb_msg_satype) { @@ -930,17 +910,15 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } else { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found", - index); + DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no" + " matching policy found", index); } src_ts = sadb_address2ts(response.src); dst_ts = sadb_address2ts(response.dst); this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}", - src_ts, dst_ts, reqid); - job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts, + dst_ts); } /** @@ -949,10 +927,9 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - protocol_id_t protocol; + u_int8_t protocol; u_int32_t spi, reqid; bool hard; - job_t *job; DBG2(DBG_KNL, "received an SADB_EXPIRE"); @@ -962,30 +939,20 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* return; } - protocol = proto_satype2ike(msg->sadb_msg_satype); + protocol = satype2proto(msg->sadb_msg_satype); spi = response.sa->sadb_sa_spi; reqid = response.x_sa2->sadb_x_sa2_reqid; hard = response.lft_hard != NULL; - if (protocol != PROTO_ESP && protocol != PROTO_AH) + if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) { DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} " "which is not a CHILD_SA", ntohl(spi), reqid); return; } - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}", - hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, + spi, hard); } #ifdef SADB_X_MIGRATE @@ -999,7 +966,6 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* policy_dir_t dir; u_int32_t reqid = 0; host_t *local = NULL, *remote = NULL; - job_t *job; DBG2(DBG_KNL, "received an SADB_X_MIGRATE"); @@ -1031,11 +997,8 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* if (src_ts && dst_ts && local && remote) { - DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}", - src_ts, dst_ts, policy_dir_names, dir, reqid, local); - job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir, - local, remote); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->migrate(hydra->kernel_interface, reqid, + src_ts, dst_ts, dir, local, remote); } else { @@ -1056,7 +1019,6 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* pfkey_msg_t response; u_int32_t spi, reqid; host_t *host; - job_t *job; DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); @@ -1068,14 +1030,15 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* if (!response.x_sa2) { - DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information"); + DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required " + "information"); return; } spi = response.sa->sadb_sa_spi; reqid = response.x_sa2->sadb_x_sa2_reqid; - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) + if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP) { sockaddr_t *sa = (sockaddr_t*)(response.dst + 1); switch (sa->sa_family) @@ -1096,10 +1059,8 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* host = host_create_from_sockaddr(sa); if (host) { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and " - "reqid {%u} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, host); - charon->processor->queue_job(charon->processor, job); + hydra->kernel_interface->mapping(hydra->kernel_interface, reqid, + spi, host); } } } @@ -1179,7 +1140,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1194,7 +1155,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GETSPI; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); @@ -1245,7 +1206,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1266,7 +1227,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ @@ -1391,7 +1352,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -1419,7 +1380,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1462,7 +1423,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ @@ -1526,7 +1487,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1541,7 +1502,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1582,7 +1543,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1596,7 +1557,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1632,9 +1593,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1651,7 +1611,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction, reqid); + policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid); /* find a matching policy */ this->mutex->lock(this->mutex); @@ -1700,13 +1660,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ req = (struct sadb_x_ipsecrequest*)(pol + 1); - req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol); + req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH; /* !!! the length of this struct MUST be in octets instead of 64 bit words */ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(mode); - req->sadb_x_ipsecrequest_reqid = reqid; + req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode); + req->sadb_x_ipsecrequest_reqid = sa->reqid; req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; - if (mode == MODE_TUNNEL) + if (sa->mode == MODE_TUNNEL) { len = hostcpy(req + 1, src); req->sadb_x_ipsecrequest_len += len; @@ -1780,26 +1740,26 @@ METHOD(kernel_ipsec_t, add_policy, status_t, * - routing is not disabled via strongswan.conf */ if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && + sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && this->install_routes) { route_entry_t *route = malloc_thing(route_entry_t); - if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface, + if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, dst_ts, &route->src_ip) == SUCCESS) { /* get the nexthop to src (src as we are in POLICY_FWD).*/ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, src); - route->if_name = charon->kernel_interface->get_interface( - charon->kernel_interface, dst); + route->gateway = hydra->kernel_interface->get_nexthop( + hydra->kernel_interface, src); + route->if_name = hydra->kernel_interface->get_interface( + hydra->kernel_interface, dst); route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)); route->prefixlen = policy->src.mask; if (route->if_name) { - switch (charon->kernel_interface->add_route( - charon->kernel_interface, route->dst_net, + switch (hydra->kernel_interface->add_route( + hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name)) { @@ -2031,7 +1991,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (route) { - if (charon->kernel_interface->del_route(charon->kernel_interface, + if (hydra->kernel_interface->del_route(hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, route->src_ip, route->if_name) != SUCCESS) { @@ -2154,26 +2114,34 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() private_kernel_pfkey_ipsec_t *this; INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, + .public = { + .interface = { + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .add_sa = _add_sa, + .update_sa = _update_sa, + .query_sa = _query_sa, + .del_sa = _del_sa, + .add_policy = _add_policy, + .query_policy = _query_policy, + .del_policy = _del_policy, + .bypass_socket = _bypass_socket, + .destroy = _destroy, + }, }, .policies = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT), .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), + "%s.install_routes", TRUE, + hydra->daemon), ); + if (streq(hydra->daemon, "pluto")) + { /* no routes for pluto, they are installed via updown script */ + this->install_routes = FALSE; + } + /* create a PF_KEY socket to communicate with the kernel */ this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); if (this->socket <= 0) @@ -2203,7 +2171,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h index 649f93733..649f93733 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c index b84ccf150..781ba5008 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c @@ -18,7 +18,7 @@ #include "kernel_pfkey_ipsec.h" -#include <daemon.h> +#include <hydra.h> typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t; @@ -37,7 +37,8 @@ struct private_kernel_pfkey_plugin_t { */ static void destroy(private_kernel_pfkey_plugin_t *this) { - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); + hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); free(this); } @@ -50,7 +51,8 @@ plugin_t *kernel_pfkey_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); + hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, + (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h index ecccc6303..51db4d8d3 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup kernel_pfkey kernel_pfkey - * @ingroup cplugins + * @ingroup hplugins * * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin * @{ @ingroup kernel_pfkey diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libhydra/plugins/kernel_pfroute/Makefile.am index 83db48160..df3109eb8 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.am +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.am @@ -1,6 +1,6 @@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index f78a97013..b0bc00c70 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_pfroute +subdir = src/libhydra/plugins/kernel_pfroute DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -259,7 +275,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon + -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la @@ -282,9 +298,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile + $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c index 97c019b58..59fc915fd 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -23,19 +23,19 @@ #include "kernel_pfroute_net.h" -#include <daemon.h> +#include <hydra.h> +#include <debug.h> #include <utils/host.h> #include <threading/thread.h> #include <threading/mutex.h> #include <utils/linked_list.h> #include <processing/jobs/callback_job.h> -#include <processing/jobs/roam_job.h> #ifndef HAVE_STRUCT_SOCKADDR_SA_LEN #error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member. #endif -/** delay before firing roam jobs (ms) */ +/** delay before firing roam events (ms) */ #define ROAM_DELAY 100 /** buffer size for PF_ROUTE messages */ @@ -145,18 +145,28 @@ struct private_kernel_pfroute_net_t int seq; /** - * time of last roam job + * time of last roam event */ timeval_t last_roam; }; /** - * Start a roaming job. We delay it a bit and fire only one job - * for multiple events. Otherwise we would create too many jobs. + * callback function that raises the delayed roam event */ -static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) +static job_requeue_t roam_event(uintptr_t address) +{ + hydra->kernel_interface->roam(hydra->kernel_interface, address != 0); + return JOB_REQUEUE_NONE; +} + +/** + * fire a roaming event. we delay it for a bit and fire only one event + * for multiple calls. otherwise we would create too many events. + */ +static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address) { timeval_t now; + job_t *job; time_monotonic(&now); if (timercmp(&now, &this->last_roam, >)) @@ -168,8 +178,11 @@ static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) now.tv_usec -= 1000000; } this->last_roam = now; - charon->scheduler->schedule_job_ms(charon->scheduler, - (job_t*)roam_job_create(address), ROAM_DELAY); + + job = (job_t*)callback_job_create((callback_job_cb_t)roam_event, + (void*)(uintptr_t)(address ? 1 : 0), + NULL, NULL); + lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY); } } @@ -261,7 +274,7 @@ static void process_addr(private_kernel_pfroute_net_t *this, if (roam) { - fire_roam_job(this, TRUE); + fire_roam_event(this, TRUE); } } @@ -306,7 +319,7 @@ static void process_link(private_kernel_pfroute_net_t *this, if (roam) { - fire_roam_job(this, TRUE); + fire_roam_event(this, TRUE); } } @@ -716,7 +729,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create() this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); if (init_address_list(this) != SUCCESS) { diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h index 10c3c9eb7..10c3c9eb7 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c index 97139fb56..5f351bd72 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -18,7 +18,7 @@ #include "kernel_pfroute_net.h" -#include <daemon.h> +#include <hydra.h> typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; @@ -37,7 +37,7 @@ struct private_kernel_pfroute_plugin_t { */ static void destroy(private_kernel_pfroute_plugin_t *this) { - charon->kernel_interface->remove_net_interface(charon->kernel_interface, + hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); free(this); } @@ -51,7 +51,7 @@ plugin_t *kernel_pfroute_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - charon->kernel_interface->add_net_interface(charon->kernel_interface, + hydra->kernel_interface->add_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); return &this->public.plugin; diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h index 50642a572..b8ee31a1d 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup kernel_pfroute kernel_pfroute - * @ingroup cplugins + * @ingroup hplugins * * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin * @{ @ingroup kernel_pfroute diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am index f8830d42e..a05c84061 100644 --- a/src/libhydra/plugins/resolve/Makefile.am +++ b/src/libhydra/plugins/resolve/Makefile.am @@ -1,6 +1,5 @@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic \ -DRESOLV_CONF=\"${resolv_conf}\" diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index e16c66923..aedc8fdb7 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -257,9 +273,7 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra AM_CFLAGS = -rdynamic \ -DRESOLV_CONF=\"${resolv_conf}\" diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index d53df9bb2..0aa509acc 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -137,6 +138,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -168,14 +171,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -190,24 +196,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -215,7 +228,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c index e0319e918..3a8f4beaf 100644 --- a/src/libsimaka/simaka_message.c +++ b/src/libsimaka/simaka_message.c @@ -741,6 +741,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata) crypter = this->crypto->get_crypter(this->crypto); bs = crypter->get_block_size(crypter); + iv.len = crypter->get_iv_size(crypter); /* add AT_PADDING attribute */ padding = bs - ((sizeof(encr_buf) - encr.len) % bs); @@ -757,15 +758,15 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata) /* add IV attribute */ hdr = (attr_hdr_t*)out.ptr; hdr->type = AT_IV; - hdr->length = bs / 4 + 1; + hdr->length = iv.len / 4 + 1; memset(out.ptr + 2, 0, 2); out = chunk_skip(out, 4); rng = this->crypto->get_rng(this->crypto); - rng->get_bytes(rng, bs, out.ptr); + rng->get_bytes(rng, iv.len, out.ptr); - iv = chunk_clonea(chunk_create(out.ptr, bs)); - out = chunk_skip(out, bs); + iv = chunk_clonea(chunk_create(out.ptr, iv.len)); + out = chunk_skip(out, iv.len); /* inline encryption */ crypter->encrypt(crypter, encr, iv, NULL); diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 1931dfa45..431543151 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -23,6 +23,7 @@ crypto/signers/signer.c crypto/signers/signer.h \ crypto/crypto_factory.c crypto/crypto_factory.h \ crypto/crypto_tester.c crypto/crypto_tester.h \ crypto/diffie_hellman.c crypto/diffie_hellman.h \ +crypto/aead.c crypto/aead.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ @@ -43,10 +44,18 @@ credentials/credential_manager.c credentials/credential_manager.h \ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ +credentials/sets/callback_cred.c credentials/sets/callback_cred.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ +eap/eap.h eap/eap.c \ +plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \ +processing/jobs/job.h \ +processing/jobs/callback_job.c processing/jobs/callback_job.h \ +processing/processor.c processing/processor.h \ +processing/scheduler.c processing/scheduler.h \ selectors/traffic_selector.c selectors/traffic_selector.h \ threading/thread.h threading/thread.c \ threading/thread_value.h threading/thread_value.c \ @@ -62,8 +71,7 @@ utils/linked_list.c utils/linked_list.h \ utils/hashtable.c utils/hashtable.h \ utils/enumerator.c utils/enumerator.h \ utils/optionsfrom.c utils/optionsfrom.h \ -utils/backtrace.c utils/backtrace.h \ -plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h +utils/backtrace.c utils/backtrace.h # adding the plugin source files diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 3678abd5d..2ab8aa636 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -21,6 +21,7 @@ crypto/signers/signer.c crypto/signers/signer.h \ crypto/crypto_factory.c crypto/crypto_factory.h \ crypto/crypto_tester.c crypto/crypto_tester.h \ crypto/diffie_hellman.c crypto/diffie_hellman.h \ +crypto/aead.c crypto/aead.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ @@ -41,10 +42,18 @@ credentials/credential_manager.c credentials/credential_manager.h \ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ +credentials/sets/callback_cred.c credentials/sets/callback_cred.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ +eap/eap.h eap/eap.c \ +plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \ +processing/jobs/job.h \ +processing/jobs/callback_job.c processing/jobs/callback_job.h \ +processing/processor.c processing/processor.h \ +processing/scheduler.c processing/scheduler.h \ selectors/traffic_selector.c selectors/traffic_selector.h \ threading/thread.h threading/thread.c \ threading/thread_value.h threading/thread_value.c \ @@ -60,8 +69,10 @@ utils/linked_list.c utils/linked_list.h \ utils/hashtable.c utils/hashtable.h \ utils/enumerator.c utils/enumerator.h \ utils/optionsfrom.c utils/optionsfrom.h \ -utils/backtrace.c utils/backtrace.h \ -plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h +utils/backtrace.c utils/backtrace.h + + +library.lo : $(top_builddir)/config.status libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) @@ -314,6 +325,34 @@ if MONOLITHIC endif endif +if USE_PKCS11 + SUBDIRS += plugins/pkcs11 +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/pkcs11/libstrongswan-pkcs11.la +endif +endif + +if USE_CTR + SUBDIRS += plugins/ctr +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/ctr/libstrongswan-ctr.la +endif +endif + +if USE_CCM + SUBDIRS += plugins/ccm +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/ccm/libstrongswan-ccm.la +endif +endif + +if USE_GCM + SUBDIRS += plugins/gcm +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la +endif +endif + if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index b6dcf6be5..8be6dd9b8 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -98,8 +98,16 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la @USE_AGENT_TRUE@am__append_59 = plugins/agent @MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la -@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_63 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_65 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_67 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la +@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -110,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -152,7 +161,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) $(am__append_62) + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ @@ -166,7 +176,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ crypto/signers/signer.h crypto/crypto_factory.c \ crypto/crypto_factory.h crypto/crypto_tester.c \ crypto/crypto_tester.h crypto/diffie_hellman.c \ - crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ + crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \ + crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ credentials/builder.h credentials/cred_encoding.c \ @@ -193,11 +204,19 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/sets/ocsp_response_wrapper.c \ credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/auth_cfg.c credentials/auth_cfg.h \ - credentials/credential_set.h credentials/cert_validator.h \ - database/database.h database/database_factory.h \ - database/database_factory.c fetcher/fetcher.h \ - fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ + credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ + credentials/sets/callback_cred.c \ + credentials/sets/callback_cred.h credentials/auth_cfg.c \ + credentials/auth_cfg.h credentials/credential_set.h \ + credentials/cert_validator.h database/database.h \ + database/database_factory.h database/database_factory.c \ + fetcher/fetcher.h fetcher/fetcher_manager.h \ + fetcher/fetcher_manager.c eap/eap.h eap/eap.c \ + plugins/plugin_loader.c plugins/plugin_loader.h \ + plugins/plugin.h processing/jobs/job.h \ + processing/jobs/callback_job.c processing/jobs/callback_job.h \ + processing/processor.c processing/processor.h \ + processing/scheduler.c processing/scheduler.h \ selectors/traffic_selector.c selectors/traffic_selector.h \ threading/thread.h threading/thread.c threading/thread_value.h \ threading/thread_value.c threading/mutex.h threading/mutex.c \ @@ -208,27 +227,27 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ utils/linked_list.c utils/linked_list.h utils/hashtable.c \ utils/hashtable.h utils/enumerator.c utils/enumerator.h \ utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \ - utils/backtrace.h plugins/plugin_loader.c \ - plugins/plugin_loader.h plugins/plugin.h \ - utils/leak_detective.c utils/leak_detective.h \ - integrity_checker.c integrity_checker.h + utils/backtrace.h utils/leak_detective.c \ + utils/leak_detective.h integrity_checker.c integrity_checker.h @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \ crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \ rng.lo prf_plus.lo signer.lo crypto_factory.lo \ - crypto_tester.lo diffie_hellman.lo transform.lo \ + crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \ credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ credential_manager.lo auth_cfg_wrapper.lo \ - ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \ - database_factory.lo fetcher_manager.lo traffic_selector.lo \ - thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \ + ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \ + callback_cred.lo auth_cfg.lo database_factory.lo \ + fetcher_manager.lo eap.lo plugin_loader.lo callback_job.lo \ + processor.lo scheduler.lo traffic_selector.lo thread.lo \ + thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \ identification.lo lexparser.lo linked_list.lo hashtable.lo \ - enumerator.lo optionsfrom.lo backtrace.lo plugin_loader.lo \ - $(am__objects_1) $(am__objects_2) + enumerator.lo optionsfrom.lo backtrace.lo $(am__objects_1) \ + $(am__objects_2) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -265,8 +284,8 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ plugins/dnskey plugins/pem plugins/curl plugins/ldap \ plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/fips_prf plugins/agent \ - plugins/test_vectors + plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \ + plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -358,6 +377,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -389,14 +410,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -411,24 +435,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -436,7 +467,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -462,7 +496,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ crypto/signers/signer.h crypto/crypto_factory.c \ crypto/crypto_factory.h crypto/crypto_tester.c \ crypto/crypto_tester.h crypto/diffie_hellman.c \ - crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ + crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \ + crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ credentials/builder.h credentials/cred_encoding.c \ @@ -489,11 +524,19 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/sets/ocsp_response_wrapper.c \ credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/auth_cfg.c credentials/auth_cfg.h \ - credentials/credential_set.h credentials/cert_validator.h \ - database/database.h database/database_factory.h \ - database/database_factory.c fetcher/fetcher.h \ - fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ + credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ + credentials/sets/callback_cred.c \ + credentials/sets/callback_cred.h credentials/auth_cfg.c \ + credentials/auth_cfg.h credentials/credential_set.h \ + credentials/cert_validator.h database/database.h \ + database/database_factory.h database/database_factory.c \ + fetcher/fetcher.h fetcher/fetcher_manager.h \ + fetcher/fetcher_manager.c eap/eap.h eap/eap.c \ + plugins/plugin_loader.c plugins/plugin_loader.h \ + plugins/plugin.h processing/jobs/job.h \ + processing/jobs/callback_job.c processing/jobs/callback_job.h \ + processing/processor.c processing/processor.h \ + processing/scheduler.c processing/scheduler.h \ selectors/traffic_selector.c selectors/traffic_selector.h \ threading/thread.h threading/thread.c threading/thread_value.h \ threading/thread_value.c threading/mutex.h threading/mutex.c \ @@ -504,9 +547,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ utils/linked_list.c utils/linked_list.h utils/hashtable.c \ utils/hashtable.h utils/enumerator.c utils/enumerator.h \ utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \ - utils/backtrace.h plugins/plugin_loader.c \ - plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \ - $(am__append_5) + utils/backtrace.h $(am__append_2) $(am__append_5) libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(RTLIB) $(am__append_6) $(am__append_8) $(am__append_10) \ $(am__append_12) $(am__append_14) $(am__append_16) \ @@ -517,7 +558,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) $(am__append_62) + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -548,7 +590,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_FALSE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) +@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ +@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) # build plugins with their own Makefile ####################################### @@ -565,7 +609,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_TRUE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) +@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ +@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -641,12 +687,15 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_cred.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@ @@ -660,6 +709,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/database_factory.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@ @@ -673,6 +723,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@ @@ -684,10 +735,12 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@ @@ -817,6 +870,13 @@ diffie_hellman.lo: crypto/diffie_hellman.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c +aead.lo: crypto/aead.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c + transform.lo: crypto/transform.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo @@ -929,6 +989,20 @@ cert_cache.lo: credentials/sets/cert_cache.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c +mem_cred.lo: credentials/sets/mem_cred.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c + +callback_cred.lo: credentials/sets/callback_cred.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c + auth_cfg.lo: credentials/auth_cfg.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo @@ -950,6 +1024,41 @@ fetcher_manager.lo: fetcher/fetcher_manager.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c +eap.lo: eap/eap.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c + +plugin_loader.lo: plugins/plugin_loader.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c + +callback_job.lo: processing/jobs/callback_job.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c + +processor.lo: processing/processor.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c + +scheduler.lo: processing/scheduler.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c + traffic_selector.lo: selectors/traffic_selector.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo @@ -1041,13 +1150,6 @@ backtrace.lo: utils/backtrace.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c -plugin_loader.lo: plugins/plugin_loader.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c - leak_detective.lo: utils/leak_detective.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo @@ -1383,6 +1485,8 @@ uninstall-am: uninstall-libLTLIBRARIES uninstall-libLTLIBRARIES +library.lo : $(top_builddir)/config.status + $(srcdir)/asn1/oid.c : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt (cd $(srcdir)/asn1/ && $(PERL) oid.pl) diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 8f91a2e2b..1e5dec8a5 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -171,12 +171,12 @@ const oid_t oid_names[] = { { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ - {0x2B, 307, 1, 0, "" }, /* 161 */ - { 0x06, 221, 1, 1, "dod" }, /* 162 */ + {0x2B, 309, 1, 0, "" }, /* 161 */ + { 0x06, 223, 1, 1, "dod" }, /* 162 */ { 0x01, 0, 1, 2, "internet" }, /* 163 */ - { 0x04, 182, 1, 3, "private" }, /* 164 */ + { 0x04, 183, 1, 3, "private" }, /* 164 */ { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ - { 0x82, 175, 1, 5, "" }, /* 166 */ + { 0x82, 176, 1, 5, "" }, /* 166 */ { 0x37, 0, 1, 6, "Microsoft" }, /* 167 */ { 0x0A, 172, 1, 7, "" }, /* 168 */ { 0x03, 0, 1, 8, "" }, /* 169 */ @@ -184,184 +184,186 @@ const oid_t oid_names[] = { { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ - { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 174 */ - { 0x89, 0, 1, 5, "" }, /* 175 */ - { 0x31, 0, 1, 6, "" }, /* 176 */ - { 0x01, 0, 1, 7, "" }, /* 177 */ - { 0x01, 0, 1, 8, "" }, /* 178 */ - { 0x02, 0, 1, 9, "" }, /* 179 */ - { 0x02, 181, 0, 10, "" }, /* 180 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 181 */ - { 0x05, 0, 1, 3, "security" }, /* 182 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 183 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 184 */ - { 0x01, 188, 1, 6, "id-pe" }, /* 185 */ - { 0x01, 187, 0, 7, "authorityInfoAccess" }, /* 186 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 187 */ - { 0x02, 191, 1, 6, "id-qt" }, /* 188 */ - { 0x01, 190, 0, 7, "cps" }, /* 189 */ - { 0x02, 0, 0, 7, "unotice" }, /* 190 */ - { 0x03, 201, 1, 6, "id-kp" }, /* 191 */ - { 0x01, 193, 0, 7, "serverAuth" }, /* 192 */ - { 0x02, 194, 0, 7, "clientAuth" }, /* 193 */ - { 0x03, 195, 0, 7, "codeSigning" }, /* 194 */ - { 0x04, 196, 0, 7, "emailProtection" }, /* 195 */ - { 0x05, 197, 0, 7, "ipsecEndSystem" }, /* 196 */ - { 0x06, 198, 0, 7, "ipsecTunnel" }, /* 197 */ - { 0x07, 199, 0, 7, "ipsecUser" }, /* 198 */ - { 0x08, 200, 0, 7, "timeStamping" }, /* 199 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 200 */ - { 0x08, 203, 1, 6, "id-otherNames" }, /* 201 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 202 */ - { 0x0A, 208, 1, 6, "id-aca" }, /* 203 */ - { 0x01, 205, 0, 7, "authenticationInfo" }, /* 204 */ - { 0x02, 206, 0, 7, "accessIdentity" }, /* 205 */ - { 0x03, 207, 0, 7, "chargingIdentity" }, /* 206 */ - { 0x04, 0, 0, 7, "group" }, /* 207 */ - { 0x0B, 209, 0, 6, "subjectInfoAccess" }, /* 208 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 209 */ - { 0x01, 218, 1, 7, "ocsp" }, /* 210 */ - { 0x01, 212, 0, 8, "basic" }, /* 211 */ - { 0x02, 213, 0, 8, "nonce" }, /* 212 */ - { 0x03, 214, 0, 8, "crl" }, /* 213 */ - { 0x04, 215, 0, 8, "response" }, /* 214 */ - { 0x05, 216, 0, 8, "noCheck" }, /* 215 */ - { 0x06, 217, 0, 8, "archiveCutoff" }, /* 216 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 217 */ - { 0x02, 219, 0, 7, "caIssuers" }, /* 218 */ - { 0x03, 220, 0, 7, "timeStamping" }, /* 219 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 220 */ - { 0x0E, 227, 1, 1, "oiw" }, /* 221 */ - { 0x03, 0, 1, 2, "secsig" }, /* 222 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 223 */ - { 0x07, 225, 0, 4, "des-cbc" }, /* 224 */ - { 0x1A, 226, 0, 4, "sha-1" }, /* 225 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 226 */ - { 0x24, 273, 1, 1, "TeleTrusT" }, /* 227 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 228 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 229 */ - { 0x01, 234, 1, 4, "rsaSignature" }, /* 230 */ - { 0x02, 232, 0, 5, "rsaSigWithripemd160" }, /* 231 */ - { 0x03, 233, 0, 5, "rsaSigWithripemd128" }, /* 232 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 233 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 234 */ - { 0x01, 236, 0, 5, "ecSignWithsha1" }, /* 235 */ - { 0x02, 237, 0, 5, "ecSignWithripemd160" }, /* 236 */ - { 0x03, 238, 0, 5, "ecSignWithmd2" }, /* 237 */ - { 0x04, 239, 0, 5, "ecSignWithmd5" }, /* 238 */ - { 0x05, 256, 1, 5, "ttt-ecg" }, /* 239 */ - { 0x01, 244, 1, 6, "fieldType" }, /* 240 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 241 */ - { 0x01, 0, 1, 8, "basisType" }, /* 242 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 243 */ - { 0x02, 246, 1, 6, "keyType" }, /* 244 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 245 */ - { 0x03, 247, 0, 6, "curve" }, /* 246 */ - { 0x04, 254, 1, 6, "signatures" }, /* 247 */ - { 0x01, 249, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 248 */ - { 0x02, 250, 0, 7, "ecgdsa-with-SHA1" }, /* 249 */ - { 0x03, 251, 0, 7, "ecgdsa-with-SHA224" }, /* 250 */ - { 0x04, 252, 0, 7, "ecgdsa-with-SHA256" }, /* 251 */ - { 0x05, 253, 0, 7, "ecgdsa-with-SHA384" }, /* 252 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 253 */ - { 0x05, 0, 1, 6, "module" }, /* 254 */ - { 0x01, 0, 0, 7, "1" }, /* 255 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 256 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 257 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 258 */ - { 0x01, 260, 0, 8, "brainpoolP160r1" }, /* 259 */ - { 0x02, 261, 0, 8, "brainpoolP160t1" }, /* 260 */ - { 0x03, 262, 0, 8, "brainpoolP192r1" }, /* 261 */ - { 0x04, 263, 0, 8, "brainpoolP192t1" }, /* 262 */ - { 0x05, 264, 0, 8, "brainpoolP224r1" }, /* 263 */ - { 0x06, 265, 0, 8, "brainpoolP224t1" }, /* 264 */ - { 0x07, 266, 0, 8, "brainpoolP256r1" }, /* 265 */ - { 0x08, 267, 0, 8, "brainpoolP256t1" }, /* 266 */ - { 0x09, 268, 0, 8, "brainpoolP320r1" }, /* 267 */ - { 0x0A, 269, 0, 8, "brainpoolP320t1" }, /* 268 */ - { 0x0B, 270, 0, 8, "brainpoolP384r1" }, /* 269 */ - { 0x0C, 271, 0, 8, "brainpoolP384t1" }, /* 270 */ - { 0x0D, 272, 0, 8, "brainpoolP512r1" }, /* 271 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 272 */ - { 0x81, 0, 1, 1, "" }, /* 273 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 274 */ - { 0x00, 0, 1, 3, "curve" }, /* 275 */ - { 0x01, 277, 0, 4, "sect163k1" }, /* 276 */ - { 0x02, 278, 0, 4, "sect163r1" }, /* 277 */ - { 0x03, 279, 0, 4, "sect239k1" }, /* 278 */ - { 0x04, 280, 0, 4, "sect113r1" }, /* 279 */ - { 0x05, 281, 0, 4, "sect113r2" }, /* 280 */ - { 0x06, 282, 0, 4, "secp112r1" }, /* 281 */ - { 0x07, 283, 0, 4, "secp112r2" }, /* 282 */ - { 0x08, 284, 0, 4, "secp160r1" }, /* 283 */ - { 0x09, 285, 0, 4, "secp160k1" }, /* 284 */ - { 0x0A, 286, 0, 4, "secp256k1" }, /* 285 */ - { 0x0F, 287, 0, 4, "sect163r2" }, /* 286 */ - { 0x10, 288, 0, 4, "sect283k1" }, /* 287 */ - { 0x11, 289, 0, 4, "sect283r1" }, /* 288 */ - { 0x16, 290, 0, 4, "sect131r1" }, /* 289 */ - { 0x17, 291, 0, 4, "sect131r2" }, /* 290 */ - { 0x18, 292, 0, 4, "sect193r1" }, /* 291 */ - { 0x19, 293, 0, 4, "sect193r2" }, /* 292 */ - { 0x1A, 294, 0, 4, "sect233k1" }, /* 293 */ - { 0x1B, 295, 0, 4, "sect233r1" }, /* 294 */ - { 0x1C, 296, 0, 4, "secp128r1" }, /* 295 */ - { 0x1D, 297, 0, 4, "secp128r2" }, /* 296 */ - { 0x1E, 298, 0, 4, "secp160r2" }, /* 297 */ - { 0x1F, 299, 0, 4, "secp192k1" }, /* 298 */ - { 0x20, 300, 0, 4, "secp224k1" }, /* 299 */ - { 0x21, 301, 0, 4, "secp224r1" }, /* 300 */ - { 0x22, 302, 0, 4, "secp384r1" }, /* 301 */ - { 0x23, 303, 0, 4, "secp521r1" }, /* 302 */ - { 0x24, 304, 0, 4, "sect409k1" }, /* 303 */ - { 0x25, 305, 0, 4, "sect409r1" }, /* 304 */ - { 0x26, 306, 0, 4, "sect571k1" }, /* 305 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 306 */ - {0x60, 0, 1, 0, "" }, /* 307 */ - { 0x86, 0, 1, 1, "" }, /* 308 */ - { 0x48, 0, 1, 2, "" }, /* 309 */ - { 0x01, 0, 1, 3, "organization" }, /* 310 */ - { 0x65, 329, 1, 4, "gov" }, /* 311 */ - { 0x03, 0, 1, 5, "csor" }, /* 312 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 313 */ - { 0x01, 324, 1, 7, "aes" }, /* 314 */ - { 0x02, 316, 0, 8, "id-aes128-CBC" }, /* 315 */ - { 0x06, 317, 0, 8, "id-aes128-GCM" }, /* 316 */ - { 0x07, 318, 0, 8, "id-aes128-CCM" }, /* 317 */ - { 0x16, 319, 0, 8, "id-aes192-CBC" }, /* 318 */ - { 0x1A, 320, 0, 8, "id-aes192-GCM" }, /* 319 */ - { 0x1B, 321, 0, 8, "id-aes192-CCM" }, /* 320 */ - { 0x2A, 322, 0, 8, "id-aes256-CBC" }, /* 321 */ - { 0x2E, 323, 0, 8, "id-aes256-GCM" }, /* 322 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 323 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 324 */ - { 0x01, 326, 0, 8, "id-SHA-256" }, /* 325 */ - { 0x02, 327, 0, 8, "id-SHA-384" }, /* 326 */ - { 0x03, 328, 0, 8, "id-SHA-512" }, /* 327 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 328 */ - { 0x86, 0, 1, 4, "" }, /* 329 */ - { 0xf8, 0, 1, 5, "" }, /* 330 */ - { 0x42, 343, 1, 6, "netscape" }, /* 331 */ - { 0x01, 338, 1, 7, "" }, /* 332 */ - { 0x01, 334, 0, 8, "nsCertType" }, /* 333 */ - { 0x03, 335, 0, 8, "nsRevocationUrl" }, /* 334 */ - { 0x04, 336, 0, 8, "nsCaRevocationUrl" }, /* 335 */ - { 0x08, 337, 0, 8, "nsCaPolicyUrl" }, /* 336 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 337 */ - { 0x03, 341, 1, 7, "directory" }, /* 338 */ - { 0x01, 0, 1, 8, "" }, /* 339 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 340 */ - { 0x04, 0, 1, 7, "policy" }, /* 341 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 342 */ - { 0x45, 0, 1, 6, "verisign" }, /* 343 */ - { 0x01, 0, 1, 7, "pki" }, /* 344 */ - { 0x09, 0, 1, 8, "attributes" }, /* 345 */ - { 0x02, 347, 0, 9, "messageType" }, /* 346 */ - { 0x03, 348, 0, 9, "pkiStatus" }, /* 347 */ - { 0x04, 349, 0, 9, "failInfo" }, /* 348 */ - { 0x05, 350, 0, 9, "senderNonce" }, /* 349 */ - { 0x06, 351, 0, 9, "recipientNonce" }, /* 350 */ - { 0x07, 352, 0, 9, "transID" }, /* 351 */ - { 0x08, 353, 0, 9, "extensionReq" }, /* 352 */ - { 0x08, 0, 0, 9, "extensionReq" } /* 353 */ + { 0x02, 175, 0, 9, "msSmartcardLogon" }, /* 174 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ + { 0x89, 0, 1, 5, "" }, /* 176 */ + { 0x31, 0, 1, 6, "" }, /* 177 */ + { 0x01, 0, 1, 7, "" }, /* 178 */ + { 0x01, 0, 1, 8, "" }, /* 179 */ + { 0x02, 0, 1, 9, "" }, /* 180 */ + { 0x02, 182, 0, 10, "" }, /* 181 */ + { 0x4B, 0, 0, 10, "TCGID" }, /* 182 */ + { 0x05, 0, 1, 3, "security" }, /* 183 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 184 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 185 */ + { 0x01, 190, 1, 6, "id-pe" }, /* 186 */ + { 0x01, 188, 0, 7, "authorityInfoAccess" }, /* 187 */ + { 0x03, 189, 0, 7, "qcStatements" }, /* 188 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 189 */ + { 0x02, 193, 1, 6, "id-qt" }, /* 190 */ + { 0x01, 192, 0, 7, "cps" }, /* 191 */ + { 0x02, 0, 0, 7, "unotice" }, /* 192 */ + { 0x03, 203, 1, 6, "id-kp" }, /* 193 */ + { 0x01, 195, 0, 7, "serverAuth" }, /* 194 */ + { 0x02, 196, 0, 7, "clientAuth" }, /* 195 */ + { 0x03, 197, 0, 7, "codeSigning" }, /* 196 */ + { 0x04, 198, 0, 7, "emailProtection" }, /* 197 */ + { 0x05, 199, 0, 7, "ipsecEndSystem" }, /* 198 */ + { 0x06, 200, 0, 7, "ipsecTunnel" }, /* 199 */ + { 0x07, 201, 0, 7, "ipsecUser" }, /* 200 */ + { 0x08, 202, 0, 7, "timeStamping" }, /* 201 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 202 */ + { 0x08, 205, 1, 6, "id-otherNames" }, /* 203 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 204 */ + { 0x0A, 210, 1, 6, "id-aca" }, /* 205 */ + { 0x01, 207, 0, 7, "authenticationInfo" }, /* 206 */ + { 0x02, 208, 0, 7, "accessIdentity" }, /* 207 */ + { 0x03, 209, 0, 7, "chargingIdentity" }, /* 208 */ + { 0x04, 0, 0, 7, "group" }, /* 209 */ + { 0x0B, 211, 0, 6, "subjectInfoAccess" }, /* 210 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 211 */ + { 0x01, 220, 1, 7, "ocsp" }, /* 212 */ + { 0x01, 214, 0, 8, "basic" }, /* 213 */ + { 0x02, 215, 0, 8, "nonce" }, /* 214 */ + { 0x03, 216, 0, 8, "crl" }, /* 215 */ + { 0x04, 217, 0, 8, "response" }, /* 216 */ + { 0x05, 218, 0, 8, "noCheck" }, /* 217 */ + { 0x06, 219, 0, 8, "archiveCutoff" }, /* 218 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 219 */ + { 0x02, 221, 0, 7, "caIssuers" }, /* 220 */ + { 0x03, 222, 0, 7, "timeStamping" }, /* 221 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 222 */ + { 0x0E, 229, 1, 1, "oiw" }, /* 223 */ + { 0x03, 0, 1, 2, "secsig" }, /* 224 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 225 */ + { 0x07, 227, 0, 4, "des-cbc" }, /* 226 */ + { 0x1A, 228, 0, 4, "sha-1" }, /* 227 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 228 */ + { 0x24, 275, 1, 1, "TeleTrusT" }, /* 229 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 230 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 231 */ + { 0x01, 236, 1, 4, "rsaSignature" }, /* 232 */ + { 0x02, 234, 0, 5, "rsaSigWithripemd160" }, /* 233 */ + { 0x03, 235, 0, 5, "rsaSigWithripemd128" }, /* 234 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 235 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 236 */ + { 0x01, 238, 0, 5, "ecSignWithsha1" }, /* 237 */ + { 0x02, 239, 0, 5, "ecSignWithripemd160" }, /* 238 */ + { 0x03, 240, 0, 5, "ecSignWithmd2" }, /* 239 */ + { 0x04, 241, 0, 5, "ecSignWithmd5" }, /* 240 */ + { 0x05, 258, 1, 5, "ttt-ecg" }, /* 241 */ + { 0x01, 246, 1, 6, "fieldType" }, /* 242 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 243 */ + { 0x01, 0, 1, 8, "basisType" }, /* 244 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 245 */ + { 0x02, 248, 1, 6, "keyType" }, /* 246 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 247 */ + { 0x03, 249, 0, 6, "curve" }, /* 248 */ + { 0x04, 256, 1, 6, "signatures" }, /* 249 */ + { 0x01, 251, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 250 */ + { 0x02, 252, 0, 7, "ecgdsa-with-SHA1" }, /* 251 */ + { 0x03, 253, 0, 7, "ecgdsa-with-SHA224" }, /* 252 */ + { 0x04, 254, 0, 7, "ecgdsa-with-SHA256" }, /* 253 */ + { 0x05, 255, 0, 7, "ecgdsa-with-SHA384" }, /* 254 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 255 */ + { 0x05, 0, 1, 6, "module" }, /* 256 */ + { 0x01, 0, 0, 7, "1" }, /* 257 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 258 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 259 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 260 */ + { 0x01, 262, 0, 8, "brainpoolP160r1" }, /* 261 */ + { 0x02, 263, 0, 8, "brainpoolP160t1" }, /* 262 */ + { 0x03, 264, 0, 8, "brainpoolP192r1" }, /* 263 */ + { 0x04, 265, 0, 8, "brainpoolP192t1" }, /* 264 */ + { 0x05, 266, 0, 8, "brainpoolP224r1" }, /* 265 */ + { 0x06, 267, 0, 8, "brainpoolP224t1" }, /* 266 */ + { 0x07, 268, 0, 8, "brainpoolP256r1" }, /* 267 */ + { 0x08, 269, 0, 8, "brainpoolP256t1" }, /* 268 */ + { 0x09, 270, 0, 8, "brainpoolP320r1" }, /* 269 */ + { 0x0A, 271, 0, 8, "brainpoolP320t1" }, /* 270 */ + { 0x0B, 272, 0, 8, "brainpoolP384r1" }, /* 271 */ + { 0x0C, 273, 0, 8, "brainpoolP384t1" }, /* 272 */ + { 0x0D, 274, 0, 8, "brainpoolP512r1" }, /* 273 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 274 */ + { 0x81, 0, 1, 1, "" }, /* 275 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 276 */ + { 0x00, 0, 1, 3, "curve" }, /* 277 */ + { 0x01, 279, 0, 4, "sect163k1" }, /* 278 */ + { 0x02, 280, 0, 4, "sect163r1" }, /* 279 */ + { 0x03, 281, 0, 4, "sect239k1" }, /* 280 */ + { 0x04, 282, 0, 4, "sect113r1" }, /* 281 */ + { 0x05, 283, 0, 4, "sect113r2" }, /* 282 */ + { 0x06, 284, 0, 4, "secp112r1" }, /* 283 */ + { 0x07, 285, 0, 4, "secp112r2" }, /* 284 */ + { 0x08, 286, 0, 4, "secp160r1" }, /* 285 */ + { 0x09, 287, 0, 4, "secp160k1" }, /* 286 */ + { 0x0A, 288, 0, 4, "secp256k1" }, /* 287 */ + { 0x0F, 289, 0, 4, "sect163r2" }, /* 288 */ + { 0x10, 290, 0, 4, "sect283k1" }, /* 289 */ + { 0x11, 291, 0, 4, "sect283r1" }, /* 290 */ + { 0x16, 292, 0, 4, "sect131r1" }, /* 291 */ + { 0x17, 293, 0, 4, "sect131r2" }, /* 292 */ + { 0x18, 294, 0, 4, "sect193r1" }, /* 293 */ + { 0x19, 295, 0, 4, "sect193r2" }, /* 294 */ + { 0x1A, 296, 0, 4, "sect233k1" }, /* 295 */ + { 0x1B, 297, 0, 4, "sect233r1" }, /* 296 */ + { 0x1C, 298, 0, 4, "secp128r1" }, /* 297 */ + { 0x1D, 299, 0, 4, "secp128r2" }, /* 298 */ + { 0x1E, 300, 0, 4, "secp160r2" }, /* 299 */ + { 0x1F, 301, 0, 4, "secp192k1" }, /* 300 */ + { 0x20, 302, 0, 4, "secp224k1" }, /* 301 */ + { 0x21, 303, 0, 4, "secp224r1" }, /* 302 */ + { 0x22, 304, 0, 4, "secp384r1" }, /* 303 */ + { 0x23, 305, 0, 4, "secp521r1" }, /* 304 */ + { 0x24, 306, 0, 4, "sect409k1" }, /* 305 */ + { 0x25, 307, 0, 4, "sect409r1" }, /* 306 */ + { 0x26, 308, 0, 4, "sect571k1" }, /* 307 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 308 */ + {0x60, 0, 1, 0, "" }, /* 309 */ + { 0x86, 0, 1, 1, "" }, /* 310 */ + { 0x48, 0, 1, 2, "" }, /* 311 */ + { 0x01, 0, 1, 3, "organization" }, /* 312 */ + { 0x65, 331, 1, 4, "gov" }, /* 313 */ + { 0x03, 0, 1, 5, "csor" }, /* 314 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 315 */ + { 0x01, 326, 1, 7, "aes" }, /* 316 */ + { 0x02, 318, 0, 8, "id-aes128-CBC" }, /* 317 */ + { 0x06, 319, 0, 8, "id-aes128-GCM" }, /* 318 */ + { 0x07, 320, 0, 8, "id-aes128-CCM" }, /* 319 */ + { 0x16, 321, 0, 8, "id-aes192-CBC" }, /* 320 */ + { 0x1A, 322, 0, 8, "id-aes192-GCM" }, /* 321 */ + { 0x1B, 323, 0, 8, "id-aes192-CCM" }, /* 322 */ + { 0x2A, 324, 0, 8, "id-aes256-CBC" }, /* 323 */ + { 0x2E, 325, 0, 8, "id-aes256-GCM" }, /* 324 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 325 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 326 */ + { 0x01, 328, 0, 8, "id-SHA-256" }, /* 327 */ + { 0x02, 329, 0, 8, "id-SHA-384" }, /* 328 */ + { 0x03, 330, 0, 8, "id-SHA-512" }, /* 329 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 330 */ + { 0x86, 0, 1, 4, "" }, /* 331 */ + { 0xf8, 0, 1, 5, "" }, /* 332 */ + { 0x42, 345, 1, 6, "netscape" }, /* 333 */ + { 0x01, 340, 1, 7, "" }, /* 334 */ + { 0x01, 336, 0, 8, "nsCertType" }, /* 335 */ + { 0x03, 337, 0, 8, "nsRevocationUrl" }, /* 336 */ + { 0x04, 338, 0, 8, "nsCaRevocationUrl" }, /* 337 */ + { 0x08, 339, 0, 8, "nsCaPolicyUrl" }, /* 338 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 339 */ + { 0x03, 343, 1, 7, "directory" }, /* 340 */ + { 0x01, 0, 1, 8, "" }, /* 341 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 342 */ + { 0x04, 0, 1, 7, "policy" }, /* 343 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 344 */ + { 0x45, 0, 1, 6, "verisign" }, /* 345 */ + { 0x01, 0, 1, 7, "pki" }, /* 346 */ + { 0x09, 0, 1, 8, "attributes" }, /* 347 */ + { 0x02, 349, 0, 9, "messageType" }, /* 348 */ + { 0x03, 350, 0, 9, "pkiStatus" }, /* 349 */ + { 0x04, 351, 0, 9, "failInfo" }, /* 350 */ + { 0x05, 352, 0, 9, "senderNonce" }, /* 351 */ + { 0x06, 353, 0, 9, "recipientNonce" }, /* 352 */ + { 0x07, 354, 0, 9, "transID" }, /* 353 */ + { 0x08, 355, 0, 9, "extensionReq" }, /* 354 */ + { 0x08, 0, 0, 9, "extensionReq" } /* 355 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index aa1fd31b0..16c9e854b 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -116,92 +116,93 @@ extern const oid_t oid_names[]; #define OID_ECDSA_WITH_SHA256 158 #define OID_ECDSA_WITH_SHA384 159 #define OID_ECDSA_WITH_SHA512 160 -#define OID_TCGID 181 -#define OID_AUTHORITY_INFO_ACCESS 186 -#define OID_IP_ADDR_BLOCKS 187 -#define OID_SERVER_AUTH 192 -#define OID_CLIENT_AUTH 193 -#define OID_OCSP_SIGNING 200 -#define OID_XMPP_ADDR 202 -#define OID_AUTHENTICATION_INFO 204 -#define OID_ACCESS_IDENTITY 205 -#define OID_CHARGING_IDENTITY 206 -#define OID_GROUP 207 -#define OID_OCSP 210 -#define OID_BASIC 211 -#define OID_NONCE 212 -#define OID_CRL 213 -#define OID_RESPONSE 214 -#define OID_NO_CHECK 215 -#define OID_ARCHIVE_CUTOFF 216 -#define OID_SERVICE_LOCATOR 217 -#define OID_CA_ISSUERS 218 -#define OID_DES_CBC 224 -#define OID_SHA1 225 -#define OID_SHA1_WITH_RSA_OIW 226 -#define OID_ECGDSA_PUBKEY 245 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 248 -#define OID_ECGDSA_SIG_WITH_SHA1 249 -#define OID_ECGDSA_SIG_WITH_SHA224 250 -#define OID_ECGDSA_SIG_WITH_SHA256 251 -#define OID_ECGDSA_SIG_WITH_SHA384 252 -#define OID_ECGDSA_SIG_WITH_SHA512 253 -#define OID_SECT163K1 276 -#define OID_SECT163R1 277 -#define OID_SECT239K1 278 -#define OID_SECT113R1 279 -#define OID_SECT113R2 280 -#define OID_SECT112R1 281 -#define OID_SECT112R2 282 -#define OID_SECT160R1 283 -#define OID_SECT160K1 284 -#define OID_SECT256K1 285 -#define OID_SECT163R2 286 -#define OID_SECT283K1 287 -#define OID_SECT283R1 288 -#define OID_SECT131R1 289 -#define OID_SECT131R2 290 -#define OID_SECT193R1 291 -#define OID_SECT193R2 292 -#define OID_SECT233K1 293 -#define OID_SECT233R1 294 -#define OID_SECT128R1 295 -#define OID_SECT128R2 296 -#define OID_SECT160R2 297 -#define OID_SECT192K1 298 -#define OID_SECT224K1 299 -#define OID_SECT224R1 300 -#define OID_SECT384R1 301 -#define OID_SECT521R1 302 -#define OID_SECT409K1 303 -#define OID_SECT409R1 304 -#define OID_SECT571K1 305 -#define OID_SECT571R1 306 -#define OID_AES128_CBC 315 -#define OID_AES128_GCM 316 -#define OID_AES128_CCM 317 -#define OID_AES192_CBC 318 -#define OID_AES192_GCM 319 -#define OID_AES192_CCM 320 -#define OID_AES256_CBC 321 -#define OID_AES256_GCM 322 -#define OID_AES256_CCM 323 -#define OID_SHA256 325 -#define OID_SHA384 326 -#define OID_SHA512 327 -#define OID_SHA224 328 -#define OID_NS_REVOCATION_URL 334 -#define OID_NS_CA_REVOCATION_URL 335 -#define OID_NS_CA_POLICY_URL 336 -#define OID_NS_COMMENT 337 -#define OID_EMPLOYEE_NUMBER 340 -#define OID_PKI_MESSAGE_TYPE 346 -#define OID_PKI_STATUS 347 -#define OID_PKI_FAIL_INFO 348 -#define OID_PKI_SENDER_NONCE 349 -#define OID_PKI_RECIPIENT_NONCE 350 -#define OID_PKI_TRANS_ID 351 +#define OID_USER_PRINCIPAL_NAME 175 +#define OID_TCGID 182 +#define OID_AUTHORITY_INFO_ACCESS 187 +#define OID_IP_ADDR_BLOCKS 189 +#define OID_SERVER_AUTH 194 +#define OID_CLIENT_AUTH 195 +#define OID_OCSP_SIGNING 202 +#define OID_XMPP_ADDR 204 +#define OID_AUTHENTICATION_INFO 206 +#define OID_ACCESS_IDENTITY 207 +#define OID_CHARGING_IDENTITY 208 +#define OID_GROUP 209 +#define OID_OCSP 212 +#define OID_BASIC 213 +#define OID_NONCE 214 +#define OID_CRL 215 +#define OID_RESPONSE 216 +#define OID_NO_CHECK 217 +#define OID_ARCHIVE_CUTOFF 218 +#define OID_SERVICE_LOCATOR 219 +#define OID_CA_ISSUERS 220 +#define OID_DES_CBC 226 +#define OID_SHA1 227 +#define OID_SHA1_WITH_RSA_OIW 228 +#define OID_ECGDSA_PUBKEY 247 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 250 +#define OID_ECGDSA_SIG_WITH_SHA1 251 +#define OID_ECGDSA_SIG_WITH_SHA224 252 +#define OID_ECGDSA_SIG_WITH_SHA256 253 +#define OID_ECGDSA_SIG_WITH_SHA384 254 +#define OID_ECGDSA_SIG_WITH_SHA512 255 +#define OID_SECT163K1 278 +#define OID_SECT163R1 279 +#define OID_SECT239K1 280 +#define OID_SECT113R1 281 +#define OID_SECT113R2 282 +#define OID_SECT112R1 283 +#define OID_SECT112R2 284 +#define OID_SECT160R1 285 +#define OID_SECT160K1 286 +#define OID_SECT256K1 287 +#define OID_SECT163R2 288 +#define OID_SECT283K1 289 +#define OID_SECT283R1 290 +#define OID_SECT131R1 291 +#define OID_SECT131R2 292 +#define OID_SECT193R1 293 +#define OID_SECT193R2 294 +#define OID_SECT233K1 295 +#define OID_SECT233R1 296 +#define OID_SECT128R1 297 +#define OID_SECT128R2 298 +#define OID_SECT160R2 299 +#define OID_SECT192K1 300 +#define OID_SECT224K1 301 +#define OID_SECT224R1 302 +#define OID_SECT384R1 303 +#define OID_SECT521R1 304 +#define OID_SECT409K1 305 +#define OID_SECT409R1 306 +#define OID_SECT571K1 307 +#define OID_SECT571R1 308 +#define OID_AES128_CBC 317 +#define OID_AES128_GCM 318 +#define OID_AES128_CCM 319 +#define OID_AES192_CBC 320 +#define OID_AES192_GCM 321 +#define OID_AES192_CCM 322 +#define OID_AES256_CBC 323 +#define OID_AES256_GCM 324 +#define OID_AES256_CCM 325 +#define OID_SHA256 327 +#define OID_SHA384 328 +#define OID_SHA512 329 +#define OID_SHA224 330 +#define OID_NS_REVOCATION_URL 336 +#define OID_NS_CA_REVOCATION_URL 337 +#define OID_NS_CA_POLICY_URL 338 +#define OID_NS_COMMENT 339 +#define OID_EMPLOYEE_NUMBER 342 +#define OID_PKI_MESSAGE_TYPE 348 +#define OID_PKI_STATUS 349 +#define OID_PKI_FAIL_INFO 350 +#define OID_PKI_SENDER_NONCE 351 +#define OID_PKI_RECIPIENT_NONCE 352 +#define OID_PKI_TRANS_ID 353 -#define OID_MAX 354 +#define OID_MAX 356 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 5d729c2eb..36db0299c 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -173,6 +173,7 @@ 0x14 "msEnrollmentInfrastructure" 0x02 "msCertificateTypeExtension" 0x02 "msSmartcardLogon" + 0x03 "msUPN" OID_USER_PRINCIPAL_NAME 0x89 "" 0x31 "" 0x01 "" @@ -185,6 +186,7 @@ 0x07 "id-pkix" 0x01 "id-pe" 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS + 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS 0x02 "id-qt" 0x01 "cps" diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index 4d115a816..9a4152145 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -307,24 +307,46 @@ static char hex2bin(char hex) chunk_t chunk_from_hex(chunk_t hex, char *buf) { int i, len; + u_char *ptr; bool odd = FALSE; - len = (hex.len / 2); - if (hex.len % 2) + /* subtract the number of optional ':' separation characters */ + len = hex.len; + ptr = hex.ptr; + for (i = 0; i < hex.len; i++) + { + if (*ptr++ == ':') + { + len--; + } + } + + /* compute the number of binary bytes */ + if (len % 2) { odd = TRUE; len++; } + len /= 2; + + /* allocate buffer memory unless provided by caller */ if (!buf) { buf = malloc(len); } + /* buffer is filled from the right */ memset(buf, 0, len); hex.ptr += hex.len; + for (i = len - 1; i >= 0; i--) { - buf[i] = hex2bin(*(--hex.ptr)); + /* skip separation characters */ + if (*(--hex.ptr) == ':') + { + --hex.ptr; + } + buf[i] = hex2bin(*hex.ptr); if (i > 0 || !odd) { buf[i] |= hex2bin(*(--hex.ptr)) << 4; diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index 5441ccf3c..f94bdfbf2 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -193,12 +193,12 @@ static inline void chunk_clear(chunk_t *chunk) /** * Allocate a chunk on the heap */ -#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(malloc(x), x);}) +#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);}) /** * Allocate a chunk on the stack */ -#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(alloca(x), x);}) +#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(x ? alloca(x) : NULL, x);}) /** * Clone a chunk on heap @@ -208,7 +208,7 @@ static inline void chunk_clear(chunk_t *chunk) /** * Clone a chunk on stack */ -#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(alloca(x.len), x);}) +#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? alloca(x.len) : NULL, x);}) /** * Concatenate chunks into a chunk on heap diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 2573d0327..ce718b9cb 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -20,6 +20,7 @@ #include <debug.h> #include <utils/linked_list.h> #include <utils/identification.h> +#include <eap/eap.h> #include <credentials/certificates/certificate.h> ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, @@ -29,62 +30,6 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, "EAP", ); -ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, - "EAP_IDENTITY", - "EAP_NOTIFICATION", - "EAP_NAK", - "EAP_MD5", - "EAP_OTP", - "EAP_GTC"); -ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, - "EAP_SIM"); -ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, - "EAP_AKA"); -ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "EAP_MSCHAPV2"); -ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "EAP_RADIUS", - "EAP_EXPANDED", - "EAP_EXPERIMENTAL"); -ENUM_END(eap_type_names, EAP_EXPERIMENTAL); - -ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, - "ID", - "NTF", - "NAK", - "MD5", - "OTP", - "GTC"); -ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC, - "SIM"); -ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM, - "AKA"); -ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "MSCHAPV2"); -ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "RAD", - "EXP", - "XP"); -ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); - -ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, - "RULE_IDENTITY", - "RULE_AUTH_CLASS", - "RULE_EAP_IDENTITY", - "RULE_EAP_TYPE", - "RULE_EAP_VENDOR", - "RULE_CA_CERT", - "RULE_IM_CERT", - "RULE_SUBJECT_CERT", - "RULE_CRL_VALIDATION", - "RULE_OCSP_VALIDATION", - "RULE_GROUP", - "HELPER_IM_CERT", - "HELPER_SUBJECT_CERT", - "HELPER_IM_HASH_URL", - "HELPER_SUBJECT_HASH_URL", -); - typedef struct private_auth_cfg_t private_auth_cfg_t; /** @@ -174,6 +119,7 @@ static void destroy_entry_value(entry_t *entry) { case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)entry->value; @@ -231,6 +177,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, break; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: @@ -296,6 +243,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) return (void*)VALIDATION_FAILED; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: @@ -331,6 +279,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) break; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: @@ -445,6 +394,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: { identification_t *id1, *id2; @@ -590,6 +540,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy } case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)value; @@ -677,6 +628,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: { identification_t *id1, *id2; @@ -761,6 +713,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) { case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)entry->value; diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 713e16372..19624a2fe 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -27,7 +27,6 @@ typedef struct auth_cfg_t auth_cfg_t; typedef enum auth_rule_t auth_rule_t; typedef enum auth_class_t auth_class_t; -typedef enum eap_type_t eap_type_t; /** * Class of authentication to use. This is different to auth_method_t in that @@ -51,35 +50,6 @@ enum auth_class_t { extern enum_name_t *auth_class_names; /** - * EAP types, defines the EAP method implementation - */ -enum eap_type_t { - EAP_IDENTITY = 1, - EAP_NOTIFICATION = 2, - EAP_NAK = 3, - EAP_MD5 = 4, - EAP_OTP = 5, - EAP_GTC = 6, - EAP_SIM = 18, - EAP_AKA = 23, - EAP_MSCHAPV2 = 26, - /** not a method, but an implementation providing different methods */ - EAP_RADIUS = 253, - EAP_EXPANDED = 254, - EAP_EXPERIMENTAL = 255, -}; - -/** - * enum names for eap_type_t. - */ -extern enum_name_t *eap_type_names; - -/** - * short string enum names for eap_type_t. - */ -extern enum_name_t *eap_type_short_names; - -/** * Authentication config to use during authentication process. * * Each authentication config contains a set of rules. These rule-sets are used @@ -98,6 +68,8 @@ enum auth_rule_t { AUTH_RULE_IDENTITY, /** authentication class, auth_class_t */ AUTH_RULE_AUTH_CLASS, + /** AAA-backend identity for EAP methods supporting it, identification_t* */ + AUTH_RULE_AAA_IDENTITY, /** EAP identity to use within EAP-Identity exchange, identification_t* */ AUTH_RULE_EAP_IDENTITY, /** EAP type to propose for peer authentication, eap_type_t */ diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index cfb708e33..c43e5fd5d 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -45,8 +45,10 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_PATHLEN", "BUILD_X509_FLAG", "BUILD_REVOKED_ENUMERATOR", - "BUILD_SMARTCARD_KEYID", - "BUILD_SMARTCARD_PIN", + "BUILD_CHALLENGE_PWD", + "BUILD_PKCS11_MODULE", + "BUILD_PKCS11_SLOT", + "BUILD_PKCS11_KEYID", "BUILD_RSA_MODULUS", "BUILD_RSA_PUB_EXP", "BUILD_RSA_PRIV_EXP", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index ffb09f72a..dc87da2a4 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -57,12 +57,6 @@ enum builder_part_t { BUILD_BLOB_PGP, /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */ BUILD_BLOB_DNSKEY, - /** passphrase for e.g. PEM decryption, chunk_t */ - BUILD_PASSPHRASE, - /** passphrase callback, chunk_t(*fn)(void *user, int try), void *user. - * The callback is invoked until the returned passphrase is accepted, or - * a zero-length passphrase is returned. Try starts at 1. */ - BUILD_PASSPHRASE_CALLBACK, /** key size in bits, as used for key generation, u_int */ BUILD_KEY_SIZE, /** private key to use for signing, private_key_t* */ @@ -103,10 +97,14 @@ enum builder_part_t { BUILD_X509_FLAG, /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ BUILD_REVOKED_ENUMERATOR, - /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */ - BUILD_SMARTCARD_KEYID, - /** pin to access a key on a smartcard, null terminated char* */ - BUILD_SMARTCARD_PIN, + /** PKCS#10 challenge password */ + BUILD_CHALLENGE_PWD, + /** friendly name of a PKCS#11 module, null terminated char* */ + BUILD_PKCS11_MODULE, + /** slot specifier for a token in a PKCS#11 module, int */ + BUILD_PKCS11_SLOT, + /** key ID of a key on a token, chunk_t */ + BUILD_PKCS11_KEYID, /** modulus (n) of a RSA key, chunk_t */ BUILD_RSA_MODULUS, /** public exponent (e) of a RSA key, chunk_t */ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c index 7cc7dbe0e..ff621012f 100644 --- a/src/libstrongswan/credentials/credential_factory.c +++ b/src/libstrongswan/credentials/credential_factory.c @@ -64,32 +64,29 @@ struct entry_t { credential_type_t type; /** subtype of credential, e.g. certificate_type_t */ int subtype; + /** registered with final flag? */ + bool final; /** builder function */ builder_function_t constructor; }; -/** - * Implementation of credential_factory_t.add_builder_constructor. - */ -static void add_builder(private_credential_factory_t *this, - credential_type_t type, int subtype, - builder_function_t constructor) +METHOD(credential_factory_t, add_builder, void, + private_credential_factory_t *this, credential_type_t type, int subtype, + bool final, builder_function_t constructor) { entry_t *entry = malloc_thing(entry_t); entry->type = type; entry->subtype = subtype; + entry->final = final; entry->constructor = constructor; this->lock->write_lock(this->lock); this->constructors->insert_last(this->constructors, entry); this->lock->unlock(this->lock); } -/** - * Implementation of credential_factory_t.remove_builder. - */ -static void remove_builder(private_credential_factory_t *this, - builder_function_t constructor) +METHOD(credential_factory_t, remove_builder, void, + private_credential_factory_t *this, builder_function_t constructor) { enumerator_t *enumerator; entry_t *entry; @@ -108,11 +105,8 @@ static void remove_builder(private_credential_factory_t *this, this->lock->unlock(this->lock); } -/** - * Implementation of credential_factory_t.create. - */ -static void* create(private_credential_factory_t *this, credential_type_t type, - int subtype, ...) +METHOD(credential_factory_t, create, void*, + private_credential_factory_t *this, credential_type_t type, int subtype, ...) { enumerator_t *enumerator; entry_t *entry; @@ -159,9 +153,31 @@ static void* create(private_credential_factory_t *this, credential_type_t type, } /** - * Implementation of credential_factory_t.destroy + * Filter function for builder enumerator */ -static void destroy(private_credential_factory_t *this) +static bool builder_filter(void *null, entry_t **entry, credential_type_t *type, + void *dummy1, int *subtype) +{ + if ((*entry)->final) + { + *type = (*entry)->type; + *subtype = (*entry)->subtype; + return TRUE; + } + return FALSE; +} + +METHOD(credential_factory_t, create_builder_enumerator, enumerator_t*, + private_credential_factory_t *this) +{ + this->lock->read_lock(this->lock); + return enumerator_create_filter( + this->constructors->create_enumerator(this->constructors), + (void*)builder_filter, this->lock, (void*)this->lock->unlock); +} + +METHOD(credential_factory_t, destroy, void, + private_credential_factory_t *this) { this->constructors->destroy_function(this->constructors, free); this->recursive->destroy(this->recursive); @@ -174,16 +190,20 @@ static void destroy(private_credential_factory_t *this) */ credential_factory_t *credential_factory_create() { - private_credential_factory_t *this = malloc_thing(private_credential_factory_t); - - this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create; - this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_function_t constructor))add_builder; - this->public.remove_builder = (void(*)(credential_factory_t*,builder_function_t constructor))remove_builder; - this->public.destroy = (void(*)(credential_factory_t*))destroy; - - this->constructors = linked_list_create(); - this->recursive = thread_value_create(NULL); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + private_credential_factory_t *this; + + INIT(this, + .public = { + .create = _create, + .create_builder_enumerator = _create_builder_enumerator, + .add_builder = _add_builder, + .remove_builder = _remove_builder, + .destroy = _destroy, + }, + .constructors = linked_list_create(), + .recursive = thread_value_create(NULL), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); return &this->public; } diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h index e8ffb6b9d..709dc916a 100644 --- a/src/libstrongswan/credentials/credential_factory.h +++ b/src/libstrongswan/credentials/credential_factory.h @@ -68,11 +68,17 @@ struct credential_factory_t { /** * Register a credential builder function. * + * The final flag indicates if the registered builder can build such + * a credential itself the most common encoding, without the need + * for an additional builder. + * * @param type type of credential the builder creates + * @param subtype subtype of the credential, type specific + * @param final TRUE if this build does not invoke other builders * @param constructor builder constructor function to register */ void (*add_builder)(credential_factory_t *this, - credential_type_t type, int subtype, + credential_type_t type, int subtype, bool final, builder_function_t constructor); /** * Unregister a credential builder function. @@ -83,6 +89,16 @@ struct credential_factory_t { builder_function_t constructor); /** + * Create an enumerator over registered builder types. + * + * The enumerator returns only builder types registered with the final + * flag set. + * + * @return enumerator (credential_type_t, int subtype) + */ + enumerator_t* (*create_builder_enumerator)(credential_factory_t *this); + + /** * Destroy a credential_factory instance. */ void (*destroy)(credential_factory_t *this); diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 46c36c941..97e8d8887 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -157,8 +157,10 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this) linked_list_t *local; INIT(enumerator, - .public.enumerate = (void*)_sets_enumerate, - .public.destroy = _sets_destroy, + .public = { + .enumerate = (void*)_sets_enumerate, + .destroy = _sets_destroy, + }, .global = this->sets->create_enumerator(this->sets), ); local = this->local_sets->get(this->local_sets); @@ -822,7 +824,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, } /** - * Check if a certificate's keyid is contained in the auth helper + * Check if an helper contains a certificate as trust anchor */ static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) { @@ -854,17 +856,10 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, certificate_t *issuer, *current; auth_cfg_t *trustchain; int pathlen = 0; + bool has_anchor; trustchain = auth_cfg_create(); - - current = auth->get(auth, AUTH_RULE_CA_CERT); - if (!current) - { - /* no trust anchor specified, return this cert only */ - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, - subject->get_ref(subject)); - return trustchain; - } + has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL; current = subject->get_ref(subject); while (TRUE) { @@ -879,17 +874,33 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, } else { + if (!has_anchor && + this->cache->issued_by(this->cache, current, current)) + { /* If no trust anchor specified, accept any CA */ + trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); + return trustchain; + } trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); } + if (pathlen++ > MAX_TRUST_PATH_LEN) + { + break; + } issuer = get_issuer_cert(this, current, FALSE); - if (!issuer || issuer->equals(issuer, current) || - pathlen > MAX_TRUST_PATH_LEN) + if (!issuer) { - DESTROY_IF(issuer); + if (!has_anchor) + { /* If no trust anchor specified, accept incomplete chains */ + return trustchain; + } + break; + } + if (has_anchor && issuer->equals(issuer, current)) + { + issuer->destroy(issuer); break; } current = issuer; - pathlen++; } trustchain->destroy(trustchain); return NULL; diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index 27f4ab098..e57d3f5a5 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -51,18 +51,20 @@ struct private_key_t { /** * Decrypt a chunk of data. * + * @param scheme expected encryption scheme used * @param crypto chunk containing encrypted data * @param plain where to allocate decrypted data * @return TRUE if data decrypted and plaintext allocated */ - bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain); + bool (*decrypt)(private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain); /** - * Get the strength of the key in bytes. + * Get the strength of the key in bits. * - * @return strength of the key in bytes + * @return strength of the key in bits */ - size_t (*get_keysize) (private_key_t *this); + int (*get_keysize) (private_key_t *this); /** * Get the public part from the private key. diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index ce342de33..22df5dd1b 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -42,6 +42,16 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "ECDSA-521", ); +ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512, + "ENCRYPT_UNKNOWN", + "ENCRYPT_RSA_PKCS1", + "ENCRYPT_RSA_OAEP_SHA1", + "ENCRYPT_RSA_OAEP_SHA224", + "ENCRYPT_RSA_OAEP_SHA256", + "ENCRYPT_RSA_OAEP_SHA384", + "ENCRYPT_RSA_OAEP_SHA512", +); + /** * See header. */ diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index ff827a189..d20d2736b 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -24,6 +24,7 @@ typedef struct public_key_t public_key_t; typedef enum key_type_t key_type_t; typedef enum signature_scheme_t signature_scheme_t; +typedef enum encryption_scheme_t encryption_scheme_t; #include <library.h> #include <utils/identification.h> @@ -97,6 +98,31 @@ enum signature_scheme_t { extern enum_name_t *signature_scheme_names; /** + * Encryption scheme for public key data encryption. + */ +enum encryption_scheme_t { + /** Unknown encryption scheme */ + ENCRYPT_UNKNOWN, + /** RSAES-PKCS1-v1_5 as in PKCS#1 */ + ENCRYPT_RSA_PKCS1, + /** RSAES-OAEP as in PKCS#1, using SHA1 as hash, no label */ + ENCRYPT_RSA_OAEP_SHA1, + /** RSAES-OAEP as in PKCS#1, using SHA-224 as hash, no label */ + ENCRYPT_RSA_OAEP_SHA224, + /** RSAES-OAEP as in PKCS#1, using SHA-256 as hash, no label */ + ENCRYPT_RSA_OAEP_SHA256, + /** RSAES-OAEP as in PKCS#1, using SHA-384 as hash, no label */ + ENCRYPT_RSA_OAEP_SHA384, + /** RSAES-OAEP as in PKCS#1, using SHA-512 as hash, no label */ + ENCRYPT_RSA_OAEP_SHA512, +}; + +/** + * Enum names for encryption_scheme_t + */ +extern enum_name_t *encryption_scheme_names; + +/** * Abstract interface of a public key. */ struct public_key_t { @@ -122,11 +148,13 @@ struct public_key_t { /** * Encrypt a chunk of data. * + * @param scheme encryption scheme to use * @param plain chunk containing plaintext data * @param crypto where to allocate encrypted data * @return TRUE if data successfully encrypted */ - bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto); + bool (*encrypt)(public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *crypto); /** * Check if two public keys are equal. @@ -137,11 +165,11 @@ struct public_key_t { bool (*equals)(public_key_t *this, public_key_t *other); /** - * Get the strength of the key in bytes. + * Get the strength of the key in bits. * - * @return strength of the key in bytes + * @return strength of the key in bits */ - size_t (*get_keysize) (public_key_t *this); + int (*get_keysize) (public_key_t *this); /** * Get the fingerprint of the key. diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c new file mode 100644 index 000000000..bff33f029 --- /dev/null +++ b/src/libstrongswan/credentials/sets/callback_cred.c @@ -0,0 +1,144 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "callback_cred.h" + +typedef struct private_callback_cred_t private_callback_cred_t; + +/** + * Private data of an callback_cred_t object. + */ +struct private_callback_cred_t { + + /** + * Public callback_cred_t interface. + */ + callback_cred_t public; + + /** + * Callback of this set, for all types, and generic + */ + union { + void *generic; + callback_cred_shared_cb_t shared; + } cb; + + /** + * Data to pass to callback + */ + void *data; +}; + +/** + * Shared key enumerator on callbacks + */ +typedef struct { + /* implements enumerator_t */ + enumerator_t public; + /* backref to this */ + private_callback_cred_t *this; + /* type if requested key */ + shared_key_type_t type; + /* own identity to match */ + identification_t *me; + /* other identity to match */ + identification_t *other; + /* current shared key */ + shared_key_t *current; +} shared_enumerator_t; + +METHOD(enumerator_t, shared_enumerate, bool, + shared_enumerator_t *this, shared_key_t **out, + id_match_t *match_me, id_match_t *match_other) +{ + DESTROY_IF(this->current); + this->current = this->this->cb.shared(this->this->data, this->type, + this->me, this->other, match_me, match_other); + if (this->current) + { + *out = this->current; + return TRUE; + } + return FALSE; +} + +METHOD(enumerator_t, shared_destroy, void, + shared_enumerator_t *this) +{ + DESTROY_IF(this->current); + free(this); +} + +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_callback_cred_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = _shared_destroy, + }, + .this = this, + .type = type, + .me = me, + .other = other, + ); + return &enumerator->public; +} + +METHOD(callback_cred_t, destroy, void, + private_callback_cred_t *this) +{ + free(this); +} + +/** + * Create a generic callback credential set + */ +static private_callback_cred_t* create_generic(void *cb, void *data) +{ + private_callback_cred_t *this; + + INIT(this, + .public = { + .set = { + .create_shared_enumerator = (void*)return_null, + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .destroy = _destroy, + }, + .cb.generic = cb, + .data = data, + ); + return this; +} + +/** + * See header + */ +callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb, + void *data) +{ + private_callback_cred_t *this = create_generic(cb, data); + + this->public.set.create_shared_enumerator = _create_shared_enumerator; + + return &this->public; +} diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h new file mode 100644 index 000000000..efc4c7fa5 --- /dev/null +++ b/src/libstrongswan/credentials/sets/callback_cred.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup callback_cred callback_cred + * @{ @ingroup sets + */ + +#ifndef CALLBACK_CRED_H_ +#define CALLBACK_CRED_H_ + +typedef struct callback_cred_t callback_cred_t; + +#include <credentials/credential_set.h> + +/** + * Callback function to get shared keys. + * + * @param type type of requested shared key + * @param me own identity + * @param other other identity + * @param match_me match result of own identity + * @param match_other match result of other identity + */ +typedef shared_key_t* (*callback_cred_shared_cb_t)( + void *data, shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other); + +/** + * Generic callbcack using user specified callback functions. + */ +struct callback_cred_t { + + /** + * Implements credential_set_t. + */ + credential_set_t set; + + /** + * Destroy a callback_cred_t. + */ + void (*destroy)(callback_cred_t *this); +}; + +/** + * Create a callback_cred instance, for a shared key. + * + * @param cb callback function + * @param data data to pass to callback + */ +callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb, + void *data); + +#endif /** CALLBACK_CRED_H_ @}*/ diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c new file mode 100644 index 000000000..c29a99f1f --- /dev/null +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -0,0 +1,433 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "mem_cred.h" + +#include <threading/rwlock.h> +#include <utils/linked_list.h> + +typedef struct private_mem_cred_t private_mem_cred_t; + +/** + * Private data of an mem_cred_t object. + */ +struct private_mem_cred_t { + + /** + * Public mem_cred_t interface. + */ + mem_cred_t public; + + /** + * Lock for this set + */ + rwlock_t *lock; + + /** + * List of trusted certificates, certificate_t + */ + linked_list_t *trusted; + + /** + * List of trusted and untrusted certificates, certificate_t + */ + linked_list_t *untrusted; + + /** + * List of private keys, private_key_t + */ + linked_list_t *keys; + + /** + * List of shared keys, as shared_entry_t + */ + linked_list_t *shared; +}; + +/** + * Data for the certificate enumerator + */ +typedef struct { + rwlock_t *lock; + certificate_type_t cert; + key_type_t key; + identification_t *id; +} cert_data_t; + +/** + * destroy cert_data + */ +static void cert_data_destroy(cert_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * filter function for certs enumerator + */ +static bool certs_filter(cert_data_t *data, certificate_t **in, certificate_t **out) +{ + public_key_t *public; + certificate_t *cert = *in; + + if (data->cert == CERT_ANY || data->cert == cert->get_type(cert)) + { + public = cert->get_public_key(cert); + if (public) + { + if (data->key == KEY_ANY || data->key == public->get_type(public)) + { + if (data->id && public->has_fingerprint(public, + data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = *in; + return TRUE; + } + } + public->destroy(public); + } + else if (data->key != KEY_ANY) + { + return FALSE; + } + if (data->id == NULL || cert->has_subject(cert, data->id)) + { + *out = *in; + return TRUE; + } + } + return FALSE; +} + +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_mem_cred_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + cert_data_t *data; + enumerator_t *enumerator; + + INIT(data, + .lock = this->lock, + .cert = cert, + .key = key, + .id = id, + ); + this->lock->read_lock(this->lock); + if (trusted) + { + enumerator = this->trusted->create_enumerator(this->trusted); + } + else + { + enumerator = this->untrusted->create_enumerator(this->untrusted); + } + return enumerator_create_filter(enumerator, (void*)certs_filter, data, + (void*)cert_data_destroy); +} + +static bool certificate_equals(certificate_t *item, certificate_t *cert) +{ + return item->equals(item, cert); +} + +METHOD(mem_cred_t, add_cert, void, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + this->lock->write_lock(this->lock); + if (this->untrusted->find_last(this->untrusted, + (linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS) + { + if (trusted) + { + this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_last(this->untrusted, cert->get_ref(cert)); + } + cert->destroy(cert); + this->lock->unlock(this->lock); +} + +/** + * Data for key enumerator + */ +typedef struct { + rwlock_t *lock; + key_type_t type; + identification_t *id; +} key_data_t; + +/** + * Destroy key enumerator data + */ +static void key_data_destroy(key_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * filter function for private key enumerator + */ +static bool key_filter(key_data_t *data, private_key_t **in, private_key_t **out) +{ + private_key_t *key; + + key = *in; + if (data->type == KEY_ANY || data->type == key->get_type(key)) + { + if (data->id == NULL || + key->has_fingerprint(key, data->id->get_encoding(data->id))) + { + *out = key; + return TRUE; + } + } + return FALSE; +} + +METHOD(credential_set_t, create_private_enumerator, enumerator_t*, + private_mem_cred_t *this, key_type_t type, identification_t *id) +{ + key_data_t *data; + + INIT(data, + .lock = this->lock, + .type = type, + .id = id, + ); + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->keys->create_enumerator(this->keys), + (void*)key_filter, data, (void*)key_data_destroy); +} + +METHOD(mem_cred_t, add_key, void, + private_mem_cred_t *this, private_key_t *key) +{ + this->lock->write_lock(this->lock); + this->keys->insert_last(this->keys, key); + this->lock->unlock(this->lock); +} + +/** + * Shared key entry + */ +typedef struct { + /* shared key */ + shared_key_t *shared; + /* list of owners, identification_t */ + linked_list_t *owners; +} shared_entry_t; + +/** + * Clean up a shared entry + */ +static void shared_entry_destroy(shared_entry_t *entry) +{ + entry->owners->destroy_offset(entry->owners, + offsetof(identification_t, destroy)); + entry->shared->destroy(entry->shared); + free(entry); +} + +/** + * Data for the shared_key enumerator + */ +typedef struct { + rwlock_t *lock; + identification_t *me; + identification_t *other; + shared_key_type_t type; +} shared_data_t; + +/** + * free shared key enumerator data and unlock list + */ +static void shared_data_destroy(shared_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * Get the best match of an owner in an entry. + */ +static id_match_t has_owner(shared_entry_t *entry, identification_t *owner) +{ + enumerator_t *enumerator; + id_match_t match, best = ID_MATCH_NONE; + identification_t *current; + + enumerator = entry->owners->create_enumerator(entry->owners); + while (enumerator->enumerate(enumerator, ¤t)) + { + match = owner->matches(owner, current); + if (match > best) + { + best = match; + } + } + enumerator->destroy(enumerator); + return best; +} + +/** + * enumerator filter function for shared entries + */ +static bool shared_filter(shared_data_t *data, + shared_entry_t **in, shared_key_t **out, + void **unused1, id_match_t *me, + void **unused2, id_match_t *other) +{ + id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; + shared_entry_t *entry = *in; + + if (data->type != SHARED_ANY && + entry->shared->get_type(entry->shared) != data->type) + { + return FALSE; + } + if (data->me) + { + my_match = has_owner(entry, data->me); + } + if (data->other) + { + other_match = has_owner(entry, data->other); + } + if ((data->me || data->other) && (!my_match && !other_match)) + { + return FALSE; + } + *out = entry->shared; + if (me) + { + *me = my_match; + } + if (other) + { + *other = other_match; + } + return TRUE; +} + +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_mem_cred_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_data_t *data; + + INIT(data, + .lock = this->lock, + .me = me, + .other = other, + .type = type, + ); + data->lock->read_lock(data->lock); + return enumerator_create_filter( + this->shared->create_enumerator(this->shared), + (void*)shared_filter, data, (void*)shared_data_destroy); +} + +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + shared_entry_t *entry; + identification_t *id; + va_list args; + + INIT(entry, + .shared = shared, + .owners = linked_list_create(), + ); + + va_start(args, shared); + do + { + id = va_arg(args, identification_t*); + if (id) + { + entry->owners->insert_last(entry->owners, id); + } + } + while (id); + va_end(args); + + this->lock->write_lock(this->lock); + this->shared->insert_last(this->shared, entry); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, clear_, void, + private_mem_cred_t *this) +{ + this->lock->write_lock(this->lock); + this->trusted->destroy_offset(this->trusted, + offsetof(certificate_t, destroy)); + this->untrusted->destroy_offset(this->untrusted, + offsetof(certificate_t, destroy)); + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->trusted = linked_list_create(); + this->untrusted = linked_list_create(); + this->keys = linked_list_create(); + this->shared = linked_list_create(); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, destroy, void, + private_mem_cred_t *this) +{ + clear_(this); + this->trusted->destroy(this->trusted); + this->untrusted->destroy(this->untrusted); + this->keys->destroy(this->keys); + this->shared->destroy(this->shared); + this->lock->destroy(this->lock); + free(this); +} + +/** + * See header + */ +mem_cred_t *mem_cred_create() +{ + private_mem_cred_t *this; + + INIT(this, + .public = { + .set = { + .create_shared_enumerator = _create_shared_enumerator, + .create_private_enumerator = _create_private_enumerator, + .create_cert_enumerator = _create_cert_enumerator, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .add_cert = _add_cert, + .add_key = _add_key, + .add_shared = _add_shared, + .clear = _clear_, + .destroy = _destroy, + }, + .trusted = linked_list_create(), + .untrusted = linked_list_create(), + .keys = linked_list_create(), + .shared = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h new file mode 100644 index 000000000..b26e43d6c --- /dev/null +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup mem_cred mem_cred + * @{ @ingroup sets + */ + +#ifndef MEM_CRED_H_ +#define MEM_CRED_H_ + +typedef struct mem_cred_t mem_cred_t; + +#include <credentials/credential_set.h> + +/** + * Generic in-memory credential set. + */ +struct mem_cred_t { + + /** + * Implements credential_set_t. + */ + credential_set_t set; + + /** + * Add a certificate to the credential set. + * + * @param trusted TRUE to serve certificate as trusted + * @param cert certificate, reference gets owned by set + */ + void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert); + + /** + * Add a private key to the credential set. + * + * @param key key, reference gets owned by set + */ + void (*add_key)(mem_cred_t *this, private_key_t *key); + + /** + * Add a shared key to the credential set. + * + * @param shared shared key to add, gets owned by set + * @param ... NULL terminated list of owners identification_t* + */ + void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...); + + /** + * Clear all credentials from the credential set. + */ + void (*clear)(mem_cred_t *this); + + /** + * Destroy a mem_cred_t. + */ + void (*destroy)(mem_cred_t *this); +}; + +/** + * Create a mem_cred instance. + */ +mem_cred_t *mem_cred_create(); + +#endif /** MEM_CRED_H_ @}*/ diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c new file mode 100644 index 000000000..51cb05909 --- /dev/null +++ b/src/libstrongswan/crypto/aead.c @@ -0,0 +1,162 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aead.h" + +#include <debug.h> + +typedef struct private_aead_t private_aead_t; + +/** + * Private data of an aead_t object. + */ +struct private_aead_t { + + /** + * Public aead_t interface. + */ + aead_t public; + + /** + * traditional crypter + */ + crypter_t *crypter; + + /** + * draditional signer + */ + signer_t *signer; +}; + +METHOD(aead_t, encrypt, void, + private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + chunk_t encr, sig; + + this->signer->get_signature(this->signer, assoc, NULL); + this->signer->get_signature(this->signer, iv, NULL); + + if (encrypted) + { + this->crypter->encrypt(this->crypter, plain, iv, &encr); + this->signer->allocate_signature(this->signer, encr, &sig); + *encrypted = chunk_cat("cmm", iv, encr, sig); + } + else + { + this->crypter->encrypt(this->crypter, plain, iv, NULL); + this->signer->get_signature(this->signer, plain, plain.ptr + plain.len); + } +} + +METHOD(aead_t, decrypt, bool, + private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + chunk_t sig; + size_t bs; + + bs = this->crypter->get_block_size(this->crypter); + sig.len = this->signer->get_block_size(this->signer); + if (sig.len > encrypted.len || (encrypted.len - sig.len) % bs) + { + DBG1(DBG_LIB, "invalid encrypted data length %d with block size %d", + encrypted.len - sig.len, bs); + return FALSE; + } + chunk_split(encrypted, "mm", encrypted.len - sig.len, + &encrypted, sig.len, &sig); + + this->signer->get_signature(this->signer, assoc, NULL); + this->signer->get_signature(this->signer, iv, NULL); + if (!this->signer->verify_signature(this->signer, encrypted, sig)) + { + DBG1(DBG_LIB, "MAC verification failed"); + return FALSE; + } + this->crypter->decrypt(this->crypter, encrypted, iv, plain); + return TRUE; +} + +METHOD(aead_t, get_block_size, size_t, + private_aead_t *this) +{ + return this->crypter->get_block_size(this->crypter); +} + +METHOD(aead_t, get_icv_size, size_t, + private_aead_t *this) +{ + return this->signer->get_block_size(this->signer); +} + +METHOD(aead_t, get_iv_size, size_t, + private_aead_t *this) +{ + return this->crypter->get_iv_size(this->crypter); +} + +METHOD(aead_t, get_key_size, size_t, + private_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter) + + this->signer->get_key_size(this->signer); +} + +METHOD(aead_t, set_key, void, + private_aead_t *this, chunk_t key) +{ + chunk_t sig, enc; + + chunk_split(key, "mm", this->signer->get_key_size(this->signer), &sig, + this->crypter->get_key_size(this->crypter), &enc); + + this->signer->set_key(this->signer, sig); + this->crypter->set_key(this->crypter, enc); +} + +METHOD(aead_t, destroy, void, + private_aead_t *this) +{ + this->crypter->destroy(this->crypter); + this->signer->destroy(this->signer); + free(this); +} + +/** + * See header + */ +aead_t *aead_create(crypter_t *crypter, signer_t *signer) +{ + private_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + .crypter = crypter, + .signer = signer, + ); + + return &this->public; +} diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h new file mode 100644 index 000000000..d560381d9 --- /dev/null +++ b/src/libstrongswan/crypto/aead.h @@ -0,0 +1,119 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aead aead + * @{ @ingroup crypto + */ + +#ifndef AEAD_H_ +#define AEAD_H_ + +typedef struct aead_t aead_t; + +#include <library.h> +#include <crypto/crypters/crypter.h> +#include <crypto/signers/signer.h> + +/** + * Authenticated encryption / authentication decryption interface. + */ +struct aead_t { + + /** + * Encrypt and sign data, sign associated data. + * + * The plain data must be a multiple of get_block_size(), the IV must + * have a length of get_iv_size(). + * If encrypted is NULL, the encryption is done inline. The buffer must + * have space for additional get_icv_size() data, the ICV value is + * appended silently to the plain chunk. + * + * @param plain data to encrypt and sign + * @param assoc associated data to sign + * @param iv initialization vector + * @param encrypted allocated encryption result + */ + void (*encrypt)(aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted); + + /** + * Decrypt and verify data, verify associated data. + * + * The IV must have a length of get_iv_size(). + * If plain is NULL, the decryption is done inline. The decrypted data + * is returned in the encrypted chunk, the last get_icv_size() bytes + * contain the verified ICV. + * + * @param encrypted data to encrypt and verify + * @param assoc associated data to verify + * @param iv initialization vector + * @param plain allocated result, if successful + * @return TRUE if MAC verification successful + */ + bool (*decrypt)(aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain); + + /** + * Get the block size for encryption. + * + * @return block size in bytes + */ + size_t (*get_block_size)(aead_t *this); + + /** + * Get the integrity check value size of the algorithm. + * + * @return ICV size in bytes + */ + size_t (*get_icv_size)(aead_t *this); + + /** + * Get the size of the initialization vector. + * + * @return IV size in bytes + */ + size_t (*get_iv_size)(aead_t *this); + + /** + * Get the size of the key material (for encryption and authentication). + * + * @return key size in bytes + */ + size_t (*get_key_size)(aead_t *this); + + /** + * Set the key for encryption and authentication. + * + * @param key encryption and authentication key + */ + void (*set_key)(aead_t *this, chunk_t key); + + /** + * Destroy a aead_t. + */ + void (*destroy)(aead_t *this); +}; + +/** + * Create a aead instance using traditional transforms. + * + * @param crypter encryption transform for this aead + * @param signer integrity tranform for this aead + * @return aead transform + */ +aead_t *aead_create(crypter_t *crypter, signer_t *signer); + +#endif /** AEAD_H_ @}*/ diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c index ebd35a8a0..0730c707c 100644 --- a/src/libstrongswan/crypto/crypters/crypter.c +++ b/src/libstrongswan/crypto/crypters/crypter.c @@ -159,4 +159,25 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size) return oid; } - +/* + * Described in header. + */ +bool encryption_algorithm_is_aead(encryption_algorithm_t alg) +{ + switch (alg) + { + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + case ENCR_NULL_AUTH_AES_GMAC: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + return TRUE; + default: + return FALSE; + } +} diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h index f052a181d..3bf039681 100644 --- a/src/libstrongswan/crypto/crypters/crypter.h +++ b/src/libstrongswan/crypto/crypters/crypter.h @@ -42,6 +42,7 @@ enum encryption_algorithm_t { ENCR_DES_IV32 = 9, ENCR_NULL = 11, ENCR_AES_CBC = 12, + /** CTR as specified for IPsec (RFC5930/RFC3686), nonce appended to key */ ENCR_AES_CTR = 13, ENCR_AES_CCM_ICV8 = 14, ENCR_AES_CCM_ICV12 = 15, @@ -51,6 +52,7 @@ enum encryption_algorithm_t { ENCR_AES_GCM_ICV16 = 20, ENCR_NULL_AUTH_AES_GMAC = 21, ENCR_CAMELLIA_CBC = 23, + /* CTR as specified for IPsec (RFC5529), nonce appended to key */ ENCR_CAMELLIA_CTR = 24, ENCR_CAMELLIA_CCM_ICV8 = 25, ENCR_CAMELLIA_CCM_ICV12 = 26, @@ -81,8 +83,8 @@ struct crypter_t { /** * Encrypt a chunk of data and allocate space for the encrypted value. * - * The length of the iv must equal to get_block_size(), while the length - * of data must be a multiple it. + * The length of the iv must equal to get_iv_size(), while the length + * of data must be a multiple of get_block_size(). * If encrypted is NULL, the encryption is done in-place (overwriting data). * * @param data data to encrypt @@ -95,8 +97,8 @@ struct crypter_t { /** * Decrypt a chunk of data and allocate space for the decrypted value. * - * The length of the iv must equal to get_block_size(), while the length - * of data must be a multiple it. + * The length of the iv must equal to get_iv_size(), while the length + * of data must be a multiple of get_block_size(). * If decrpyted is NULL, the encryption is done in-place (overwriting data). * * @param data data to decrypt @@ -109,14 +111,29 @@ struct crypter_t { /** * Get the block size of the crypto algorithm. * - * @return block size in bytes + * get_block_size() returns the smallest block the crypter can handle, + * not the block size of the underlying crypto algorithm. For counter mode, + * it is usually 1. + * + * @return block size in bytes */ size_t (*get_block_size) (crypter_t *this); /** + * Get the IV size of the crypto algorithm. + * + * @return initialization vector size in bytes + */ + size_t (*get_iv_size)(crypter_t *this); + + /** * Get the key size of the crypto algorithm. * - * @return key size in bytes + * get_key_size() might return a key length different from the key + * size passed to the factory constructor. For Counter Mode, the nonce + * is handled as a part of the key material and is passed to set_key(). + * + * @return key size in bytes */ size_t (*get_key_size) (crypter_t *this); @@ -125,7 +142,7 @@ struct crypter_t { * * The length of the key must match get_key_size(). * - * @param key key to set + * @param key key to set */ void (*set_key) (crypter_t *this, chunk_t key); @@ -153,4 +170,12 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size); */ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size); +/** + * Check if an encryption algorithm identifier is an AEAD algorithm. + * + * @param alg algorithm identifier + * @return TRUE if it is an AEAD algorithm + */ +bool encryption_algorithm_is_aead(encryption_algorithm_t alg); + #endif /** CRYPTER_H_ @}*/ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index fee71953d..f2f01987d 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -22,16 +22,20 @@ typedef struct entry_t entry_t; struct entry_t { - /** algorithm */ + /* algorithm */ u_int algo; + /* benchmarked speed */ + u_int speed; /* constructor */ union { crypter_constructor_t create_crypter; + aead_constructor_t create_aead; signer_constructor_t create_signer; hasher_constructor_t create_hasher; prf_constructor_t create_prf; rng_constructor_t create_rng; dh_constructor_t create_dh; + void *create; }; }; @@ -53,6 +57,11 @@ struct private_crypto_factory_t { linked_list_t *crypters; /** + * registered aead transforms, as entry_t + */ + linked_list_t *aeads; + + /** * registered signers, as entry_t */ linked_list_t *signers; @@ -93,16 +102,19 @@ struct private_crypto_factory_t { bool test_on_create; /** + * run algorithm benchmark during registration + */ + bool bench; + + /** * rwlock to lock access to modules */ rwlock_t *lock; }; -/** - * Implementation of crypto_factory_t.create_crypter. - */ -static crypter_t* create_crypter(private_crypto_factory_t *this, - encryption_algorithm_t algo, size_t key_size) +METHOD(crypto_factory_t, create_crypter, crypter_t*, + private_crypto_factory_t *this, encryption_algorithm_t algo, + size_t key_size) { enumerator_t *enumerator; entry_t *entry; @@ -116,7 +128,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this, { if (this->test_on_create && !this->tester->test_crypter(this->tester, algo, key_size, - entry->create_crypter)) + entry->create_crypter, NULL)) { continue; } @@ -132,11 +144,40 @@ static crypter_t* create_crypter(private_crypto_factory_t *this, return crypter; } -/** - * Implementation of crypto_factory_t.create_signer. - */ -static signer_t* create_signer(private_crypto_factory_t *this, - integrity_algorithm_t algo) +METHOD(crypto_factory_t, create_aead, aead_t*, + private_crypto_factory_t *this, encryption_algorithm_t algo, + size_t key_size) +{ + enumerator_t *enumerator; + entry_t *entry; + aead_t *aead = NULL; + + this->lock->read_lock(this->lock); + enumerator = this->aeads->create_enumerator(this->aeads); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->algo == algo) + { + if (this->test_on_create && + !this->tester->test_aead(this->tester, algo, key_size, + entry->create_aead, NULL)) + { + continue; + } + aead = entry->create_aead(algo, key_size); + if (aead) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + return aead; +} + +METHOD(crypto_factory_t, create_signer, signer_t*, + private_crypto_factory_t *this, integrity_algorithm_t algo) { enumerator_t *enumerator; entry_t *entry; @@ -150,7 +191,7 @@ static signer_t* create_signer(private_crypto_factory_t *this, { if (this->test_on_create && !this->tester->test_signer(this->tester, algo, - entry->create_signer)) + entry->create_signer, NULL)) { continue; } @@ -167,11 +208,8 @@ static signer_t* create_signer(private_crypto_factory_t *this, return signer; } -/** - * Implementation of crypto_factory_t.create_hasher. - */ -static hasher_t* create_hasher(private_crypto_factory_t *this, - hash_algorithm_t algo) +METHOD(crypto_factory_t, create_hasher, hasher_t*, + private_crypto_factory_t *this, hash_algorithm_t algo) { enumerator_t *enumerator; entry_t *entry; @@ -185,7 +223,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this, { if (this->test_on_create && algo != HASH_PREFERRED && !this->tester->test_hasher(this->tester, algo, - entry->create_hasher)) + entry->create_hasher, NULL)) { continue; } @@ -201,11 +239,8 @@ static hasher_t* create_hasher(private_crypto_factory_t *this, return hasher; } -/** - * Implementation of crypto_factory_t.create_prf. - */ -static prf_t* create_prf(private_crypto_factory_t *this, - pseudo_random_function_t algo) +METHOD(crypto_factory_t, create_prf, prf_t*, + private_crypto_factory_t *this, pseudo_random_function_t algo) { enumerator_t *enumerator; entry_t *entry; @@ -218,7 +253,8 @@ static prf_t* create_prf(private_crypto_factory_t *this, if (entry->algo == algo) { if (this->test_on_create && - !this->tester->test_prf(this->tester, algo, entry->create_prf)) + !this->tester->test_prf(this->tester, algo, + entry->create_prf, NULL)) { continue; } @@ -234,10 +270,8 @@ static prf_t* create_prf(private_crypto_factory_t *this, return prf; } -/** - * Implementation of crypto_factory_t.create_rng. - */ -static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality) +METHOD(crypto_factory_t, create_rng, rng_t*, + private_crypto_factory_t *this, rng_quality_t quality) { enumerator_t *enumerator; entry_t *entry; @@ -251,7 +285,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality) if (entry->algo >= quality && diff > entry->algo - quality) { if (this->test_on_create && - !this->tester->test_rng(this->tester, quality, entry->create_rng)) + !this->tester->test_rng(this->tester, quality, + entry->create_rng, NULL)) { continue; } @@ -272,11 +307,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality) return NULL; } -/** - * Implementation of crypto_factory_t.create_dh. - */ -static diffie_hellman_t* create_dh(private_crypto_factory_t *this, - diffie_hellman_group_t group) +METHOD(crypto_factory_t, create_dh, diffie_hellman_t*, + private_crypto_factory_t *this, diffie_hellman_group_t group, ...) { enumerator_t *enumerator; entry_t *entry; @@ -288,7 +320,21 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this, { if (entry->algo == group) { - diffie_hellman = entry->create_dh(group); + if (group == MODP_CUSTOM) + { + va_list args; + chunk_t g, p; + + va_start(args, group); + g = va_arg(args, chunk_t); + p = va_arg(args, chunk_t); + va_end(args); + diffie_hellman = entry->create_dh(MODP_CUSTOM, g, p); + } + else + { + diffie_hellman = entry->create_dh(group); + } if (diffie_hellman) { break; @@ -301,30 +347,65 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this, } /** - * Implementation of crypto_factory_t.add_crypter. + * Insert an algorithm entry to a list */ -static void add_crypter(private_crypto_factory_t *this, - encryption_algorithm_t algo, - crypter_constructor_t create) +static void add_entry(private_crypto_factory_t *this, linked_list_t *list, + int algo, u_int speed, void *create) { - if (!this->test_on_add || - this->tester->test_crypter(this->tester, algo, 0, create)) + entry_t *entry, *current; + linked_list_t *tmp; + bool inserted = FALSE; + + INIT(entry, + .algo = algo, + .speed = speed, + ); + entry->create = create; + + this->lock->write_lock(this->lock); + if (speed) + { /* insert sorted by speed using a temporary list */ + tmp = linked_list_create(); + while (list->remove_first(list, (void**)¤t) == SUCCESS) + { + tmp->insert_last(tmp, current); + } + while (tmp->remove_first(tmp, (void**)¤t) == SUCCESS) + { + if (!inserted && + current->algo == algo && + current->speed < speed) + { + list->insert_last(list, entry); + inserted = TRUE; + } + list->insert_last(list, current); + } + tmp->destroy(tmp); + } + if (!inserted) { - entry_t *entry = malloc_thing(entry_t); + list->insert_last(list, entry); + } + this->lock->unlock(this->lock); +} + +METHOD(crypto_factory_t, add_crypter, void, + private_crypto_factory_t *this, encryption_algorithm_t algo, + crypter_constructor_t create) +{ + u_int speed = 0; - entry->algo = algo; - entry->create_crypter = create; - this->lock->write_lock(this->lock); - this->crypters->insert_last(this->crypters, entry); - this->lock->unlock(this->lock); + if (!this->test_on_add || + this->tester->test_crypter(this->tester, algo, 0, create, + this->bench ? &speed : NULL)) + { + add_entry(this, this->crypters, algo, speed, create); } } -/** - * Implementation of crypto_factory_t.remove_crypter. - */ -static void remove_crypter(private_crypto_factory_t *this, - crypter_constructor_t create) +METHOD(crypto_factory_t, remove_crypter, void, + private_crypto_factory_t *this, crypter_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -343,30 +424,56 @@ static void remove_crypter(private_crypto_factory_t *this, this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.add_signer. - */ -static void add_signer(private_crypto_factory_t *this, - integrity_algorithm_t algo, signer_constructor_t create) +METHOD(crypto_factory_t, add_aead, void, + private_crypto_factory_t *this, encryption_algorithm_t algo, + aead_constructor_t create) { + u_int speed = 0; + if (!this->test_on_add || - this->tester->test_signer(this->tester, algo, create)) + this->tester->test_aead(this->tester, algo, 0, create, + this->bench ? &speed : NULL)) { - entry_t *entry = malloc_thing(entry_t); + add_entry(this, this->aeads, algo, speed, create); + } +} - entry->algo = algo; - entry->create_signer = create; - this->lock->write_lock(this->lock); - this->signers->insert_last(this->signers, entry); - this->lock->unlock(this->lock); +METHOD(crypto_factory_t, remove_aead, void, + private_crypto_factory_t *this, aead_constructor_t create) +{ + entry_t *entry; + enumerator_t *enumerator; + + this->lock->write_lock(this->lock); + enumerator = this->aeads->create_enumerator(this->aeads); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->create_aead == create) + { + this->aeads->remove_at(this->aeads, enumerator); + free(entry); + } } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.remove_signer. - */ -static void remove_signer(private_crypto_factory_t *this, - signer_constructor_t create) +METHOD(crypto_factory_t, add_signer, void, + private_crypto_factory_t *this, integrity_algorithm_t algo, + signer_constructor_t create) +{ + u_int speed = 0; + + if (!this->test_on_add || + this->tester->test_signer(this->tester, algo, create, + this->bench ? &speed : NULL)) + { + add_entry(this, this->signers, algo, speed, create); + } +} + +METHOD(crypto_factory_t, remove_signer, void, + private_crypto_factory_t *this, signer_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -385,30 +492,22 @@ static void remove_signer(private_crypto_factory_t *this, this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.add_hasher. - */ -static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo, - hasher_constructor_t create) +METHOD(crypto_factory_t, add_hasher, void, + private_crypto_factory_t *this, hash_algorithm_t algo, + hasher_constructor_t create) { + u_int speed = 0; + if (!this->test_on_add || - this->tester->test_hasher(this->tester, algo, create)) + this->tester->test_hasher(this->tester, algo, create, + this->bench ? &speed : NULL)) { - entry_t *entry = malloc_thing(entry_t); - - entry->algo = algo; - entry->create_hasher = create; - this->lock->write_lock(this->lock); - this->hashers->insert_last(this->hashers, entry); - this->lock->unlock(this->lock); + add_entry(this, this->hashers, algo, speed, create); } } -/** - * Implementation of crypto_factory_t.remove_hasher. - */ -static void remove_hasher(private_crypto_factory_t *this, - hasher_constructor_t create) +METHOD(crypto_factory_t, remove_hasher, void, + private_crypto_factory_t *this, hasher_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -427,29 +526,22 @@ static void remove_hasher(private_crypto_factory_t *this, this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.add_prf. - */ -static void add_prf(private_crypto_factory_t *this, - pseudo_random_function_t algo, prf_constructor_t create) +METHOD(crypto_factory_t, add_prf, void, + private_crypto_factory_t *this, pseudo_random_function_t algo, + prf_constructor_t create) { + u_int speed = 0; + if (!this->test_on_add || - this->tester->test_prf(this->tester, algo, create)) + this->tester->test_prf(this->tester, algo, create, + this->bench ? &speed : NULL)) { - entry_t *entry = malloc_thing(entry_t); - - entry->algo = algo; - entry->create_prf = create; - this->lock->write_lock(this->lock); - this->prfs->insert_last(this->prfs, entry); - this->lock->unlock(this->lock); + add_entry(this, this->prfs, algo, speed, create); } } -/** - * Implementation of crypto_factory_t.remove_prf. - */ -static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create) +METHOD(crypto_factory_t, remove_prf, void, + private_crypto_factory_t *this, prf_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -468,29 +560,22 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create) this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.add_rng. - */ -static void add_rng(private_crypto_factory_t *this, rng_quality_t quality, - rng_constructor_t create) +METHOD(crypto_factory_t, add_rng, void, + private_crypto_factory_t *this, rng_quality_t quality, + rng_constructor_t create) { + u_int speed = 0; + if (!this->test_on_add || - this->tester->test_rng(this->tester, quality, create)) + this->tester->test_rng(this->tester, quality, create, + this->bench ? &speed : NULL)) { - entry_t *entry = malloc_thing(entry_t); - - entry->algo = quality; - entry->create_rng = create; - this->lock->write_lock(this->lock); - this->rngs->insert_last(this->rngs, entry); - this->lock->unlock(this->lock); + add_entry(this, this->rngs, quality, speed, create); } } -/** - * Implementation of crypto_factory_t.remove_rng. - */ -static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create) +METHOD(crypto_factory_t, remove_rng, void, + private_crypto_factory_t *this, rng_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -509,25 +594,15 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create) this->lock->unlock(this->lock); } -/** - * Implementation of crypto_factory_t.add_dh. - */ -static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group, - dh_constructor_t create) +METHOD(crypto_factory_t, add_dh, void, + private_crypto_factory_t *this, diffie_hellman_group_t group, + dh_constructor_t create) { - entry_t *entry = malloc_thing(entry_t); - - entry->algo = group; - entry->create_dh = create; - this->lock->write_lock(this->lock); - this->dhs->insert_last(this->dhs, entry); - this->lock->unlock(this->lock); + add_entry(this, this->dhs, group, 0, create); } -/** - * Implementation of crypto_factory_t.remove_dh. - */ -static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create) +METHOD(crypto_factory_t, remove_dh, void, + private_crypto_factory_t *this, dh_constructor_t create) { entry_t *entry; enumerator_t *enumerator; @@ -591,14 +666,18 @@ static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *alg return TRUE; } -/** - * Implementation of crypto_factory_t.create_crypter_enumerator - */ -static enumerator_t* create_crypter_enumerator(private_crypto_factory_t *this) +METHOD(crypto_factory_t, create_crypter_enumerator, enumerator_t*, + private_crypto_factory_t *this) { return create_enumerator(this, this->crypters, crypter_filter); } +METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*, + private_crypto_factory_t *this) +{ + return create_enumerator(this, this->aeads, crypter_filter); +} + /** * Filter function to enumerate algorithm, not entry */ @@ -608,10 +687,8 @@ static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo) return TRUE; } -/** - * Implementation of crypto_factory_t.create_signer_enumerator - */ -static enumerator_t* create_signer_enumerator(private_crypto_factory_t *this) +METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*, + private_crypto_factory_t *this) { return create_enumerator(this, this->signers, signer_filter); } @@ -625,10 +702,8 @@ static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo) return TRUE; } -/** - * Implementation of crypto_factory_t.create_hasher_enumerator - */ -static enumerator_t* create_hasher_enumerator(private_crypto_factory_t *this) +METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*, + private_crypto_factory_t *this) { return create_enumerator(this, this->hashers, hasher_filter); } @@ -642,10 +717,8 @@ static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo) return TRUE; } -/** - * Implementation of crypto_factory_t.create_prf_enumerator - */ -static enumerator_t* create_prf_enumerator(private_crypto_factory_t *this) +METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*, + private_crypto_factory_t *this) { return create_enumerator(this, this->prfs, prf_filter); } @@ -659,24 +732,21 @@ static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group) return TRUE; } -/** - * Implementation of crypto_factory_t.create_dh_enumerator - */ -static enumerator_t* create_dh_enumerator(private_crypto_factory_t *this) +METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*, + private_crypto_factory_t *this) { return create_enumerator(this, this->dhs, dh_filter); } -/** - * Implementation of crypto_factory_t.add_test_vector - */ -static void add_test_vector(private_crypto_factory_t *this, - transform_type_t type, void *vector) +METHOD(crypto_factory_t, add_test_vector, void, + private_crypto_factory_t *this, transform_type_t type, void *vector) { switch (type) { case ENCRYPTION_ALGORITHM: return this->tester->add_crypter_vector(this->tester, vector); + case AEAD_ALGORITHM: + return this->tester->add_aead_vector(this->tester, vector); case INTEGRITY_ALGORITHM: return this->tester->add_signer_vector(this->tester, vector); case HASH_ALGORITHM: @@ -691,17 +761,16 @@ static void add_test_vector(private_crypto_factory_t *this, } } -/** - * Implementation of crypto_factory_t.destroy - */ -static void destroy(private_crypto_factory_t *this) -{ - this->crypters->destroy_function(this->crypters, free); - this->signers->destroy_function(this->signers, free); - this->hashers->destroy_function(this->hashers, free); - this->prfs->destroy_function(this->prfs, free); - this->rngs->destroy_function(this->rngs, free); - this->dhs->destroy_function(this->dhs, free); +METHOD(crypto_factory_t, destroy, void, + private_crypto_factory_t *this) +{ + this->crypters->destroy(this->crypters); + this->aeads->destroy(this->aeads); + this->signers->destroy(this->signers); + this->hashers->destroy(this->hashers); + this->prfs->destroy(this->prfs); + this->rngs->destroy(this->rngs); + this->dhs->destroy(this->dhs); this->tester->destroy(this->tester); this->lock->destroy(this->lock); free(this); @@ -712,46 +781,56 @@ static void destroy(private_crypto_factory_t *this) */ crypto_factory_t *crypto_factory_create() { - private_crypto_factory_t *this = malloc_thing(private_crypto_factory_t); - - this->public.create_crypter = (crypter_t*(*)(crypto_factory_t*, encryption_algorithm_t, size_t))create_crypter; - this->public.create_signer = (signer_t*(*)(crypto_factory_t*, integrity_algorithm_t))create_signer; - this->public.create_hasher = (hasher_t*(*)(crypto_factory_t*, hash_algorithm_t))create_hasher; - this->public.create_prf = (prf_t*(*)(crypto_factory_t*, pseudo_random_function_t))create_prf; - this->public.create_rng = (rng_t*(*)(crypto_factory_t*, rng_quality_t quality))create_rng; - this->public.create_dh = (diffie_hellman_t*(*)(crypto_factory_t*, diffie_hellman_group_t group))create_dh; - this->public.add_crypter = (void(*)(crypto_factory_t*, encryption_algorithm_t algo, crypter_constructor_t create))add_crypter; - this->public.remove_crypter = (void(*)(crypto_factory_t*, crypter_constructor_t create))remove_crypter; - this->public.add_signer = (void(*)(crypto_factory_t*, integrity_algorithm_t algo, signer_constructor_t create))add_signer; - this->public.remove_signer = (void(*)(crypto_factory_t*, signer_constructor_t create))remove_signer; - this->public.add_hasher = (void(*)(crypto_factory_t*, hash_algorithm_t algo, hasher_constructor_t create))add_hasher; - this->public.remove_hasher = (void(*)(crypto_factory_t*, hasher_constructor_t create))remove_hasher; - this->public.add_prf = (void(*)(crypto_factory_t*, pseudo_random_function_t algo, prf_constructor_t create))add_prf; - this->public.remove_prf = (void(*)(crypto_factory_t*, prf_constructor_t create))remove_prf; - this->public.add_rng = (void(*)(crypto_factory_t*, rng_quality_t quality, rng_constructor_t create))add_rng; - this->public.remove_rng = (void(*)(crypto_factory_t*, rng_constructor_t create))remove_rng; - this->public.add_dh = (void(*)(crypto_factory_t*, diffie_hellman_group_t algo, dh_constructor_t create))add_dh; - this->public.remove_dh = (void(*)(crypto_factory_t*, dh_constructor_t create))remove_dh; - this->public.create_crypter_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_crypter_enumerator; - this->public.create_signer_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_signer_enumerator; - this->public.create_hasher_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_hasher_enumerator; - this->public.create_prf_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_prf_enumerator; - this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator; - this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector; - this->public.destroy = (void(*)(crypto_factory_t*))destroy; - - this->crypters = linked_list_create(); - this->signers = linked_list_create(); - this->hashers = linked_list_create(); - this->prfs = linked_list_create(); - this->rngs = linked_list_create(); - this->dhs = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->tester = crypto_tester_create(); - this->test_on_add = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.on_add", FALSE); - this->test_on_create = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.on_create", FALSE); + private_crypto_factory_t *this; + + INIT(this, + .public = { + .create_crypter = _create_crypter, + .create_aead = _create_aead, + .create_signer = _create_signer, + .create_hasher = _create_hasher, + .create_prf = _create_prf, + .create_rng = _create_rng, + .create_dh = _create_dh, + .add_crypter = _add_crypter, + .remove_crypter = _remove_crypter, + .add_aead = _add_aead, + .remove_aead = _remove_aead, + .add_signer = _add_signer, + .remove_signer = _remove_signer, + .add_hasher = _add_hasher, + .remove_hasher = _remove_hasher, + .add_prf = _add_prf, + .remove_prf = _remove_prf, + .add_rng = _add_rng, + .remove_rng = _remove_rng, + .add_dh = _add_dh, + .remove_dh = _remove_dh, + .create_crypter_enumerator = _create_crypter_enumerator, + .create_aead_enumerator = _create_aead_enumerator, + .create_signer_enumerator = _create_signer_enumerator, + .create_hasher_enumerator = _create_hasher_enumerator, + .create_prf_enumerator = _create_prf_enumerator, + .create_dh_enumerator = _create_dh_enumerator, + .add_test_vector = _add_test_vector, + .destroy = _destroy, + }, + .crypters = linked_list_create(), + .aeads = linked_list_create(), + .signers = linked_list_create(), + .hashers = linked_list_create(), + .prfs = linked_list_create(), + .rngs = linked_list_create(), + .dhs = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .tester = crypto_tester_create(), + .test_on_add = lib->settings->get_bool(lib->settings, + "libstrongswan.crypto_test.on_add", FALSE), + .test_on_create = lib->settings->get_bool(lib->settings, + "libstrongswan.crypto_test.on_create", FALSE), + .bench = lib->settings->get_bool(lib->settings, + "libstrongswan.crypto_test.bench", FALSE), + ); return &this->public; } diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index 9c6effd26..ff06eda7b 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -25,6 +25,7 @@ typedef struct crypto_factory_t crypto_factory_t; #include <library.h> #include <crypto/crypters/crypter.h> +#include <crypto/aead.h> #include <crypto/signers/signer.h> #include <crypto/hashers/hasher.h> #include <crypto/prfs/prf.h> @@ -38,6 +39,11 @@ typedef struct crypto_factory_t crypto_factory_t; typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo, size_t key_size); /** + * Constructor function for aead transforms + */ +typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo, + size_t key_size); +/** * Constructor function for signers */ typedef signer_t* (*signer_constructor_t)(integrity_algorithm_t algo); @@ -59,8 +65,11 @@ typedef rng_t* (*rng_constructor_t)(rng_quality_t quality); /** * Constructor function for diffie hellman + * + * The DH constructor accepts additional arguments for: + * - MODP_CUSTOM: chunk_t generator, chunk_t prime */ -typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group); +typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group, ...); /** * Handles crypto modules and creates instances. @@ -78,6 +87,16 @@ struct crypto_factory_t { encryption_algorithm_t algo, size_t key_size); /** + * Create a aead instance. + * + * @param algo encryption algorithm + * @param key_size length of the key in bytes + * @return aead_t instance, NULL if not supported + */ + aead_t* (*create_aead)(crypto_factory_t *this, + encryption_algorithm_t algo, size_t key_size); + + /** * Create a symmetric signer instance. * * @param algo MAC algorithm to use @@ -113,11 +132,13 @@ struct crypto_factory_t { /** * Create a diffie hellman instance. * + * Additional arguments are passed to the DH constructor. + * * @param group diffie hellman group * @return diffie_hellman_t instance, NULL if not supported */ diffie_hellman_t* (*create_dh)(crypto_factory_t *this, - diffie_hellman_group_t group); + diffie_hellman_group_t group, ...); /** * Register a crypter constructor. @@ -137,6 +158,23 @@ struct crypto_factory_t { void (*remove_crypter)(crypto_factory_t *this, crypter_constructor_t create); /** + * Unregister a aead constructor. + * + * @param create constructor function to unregister + */ + void (*remove_aead)(crypto_factory_t *this, aead_constructor_t create); + + /** + * Register a aead constructor. + * + * @param algo algorithm to constructor + * @param create constructor function for that algorithm + * @return + */ + void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo, + aead_constructor_t create); + + /** * Register a signer constructor. * * @param algo algorithm to constructor @@ -230,6 +268,13 @@ struct crypto_factory_t { enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this); /** + * Create an enumerator over all registered aead algorithms. + * + * @return enumerator over encryption_algorithm_t + */ + enumerator_t* (*create_aead_enumerator)(crypto_factory_t *this); + + /** * Create an enumerator over all registered signer algorithms. * * @return enumerator over integrity_algorithm_t @@ -261,9 +306,10 @@ struct crypto_factory_t { * Add a test vector to the crypto factory. * * @param type type of the test vector - * @param ... pointer to a test vector, defined in crypto_tester.h + * @param vector pointer to a test vector, defined in crypto_tester.h */ - void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...); + void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, + void *vector); /** * Destroy a crypto_factory instance. diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 76cc1cf2c..d17485ff2 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -1,6 +1,7 @@ /* - * Copyright (C) 2009 Martin Willi + * Copyright (C) 2009-2010 Martin Willi * Hochschule fuer Technik Rapperswil + * Copyright (C) 2010 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -13,6 +14,10 @@ * for more details. */ +#define _GNU_SOURCE +#include <dlfcn.h> +#include <time.h> + #include "crypto_tester.h" #include <debug.h> @@ -36,6 +41,11 @@ struct private_crypto_tester_t { linked_list_t *crypter; /** + * List of aead test vectors + */ + linked_list_t *aead; + + /** * List of signer test vectors */ linked_list_t *signer; @@ -64,13 +74,98 @@ struct private_crypto_tester_t { * should we run RNG_TRUE tests? Enough entropy? */ bool rng_true; + + /** + * time we test each algorithm + */ + int bench_time; + + /** + * size of buffer we use for benchmarking + */ + int bench_size; }; /** - * Implementation of crypto_tester_t.test_crypter + * Get the name of a test vector, if available + */ +static const char* get_name(void *sym) +{ +#ifdef HAVE_DLADDR + Dl_info dli; + + if (dladdr(sym, &dli)) + { + return dli.dli_sname; + } +#endif + return "unknown"; +} + +/** + * Start a benchmark timer + */ +static void start_timing(struct timespec *start) +{ + clock_gettime(CLOCK_THREAD_CPUTIME_ID, start); +} + +/** + * End a benchmark timer, return ms + */ +static u_int end_timing(struct timespec *start) +{ + struct timespec end; + + clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end); + return (end.tv_nsec - start->tv_nsec) / 1000000 + + (end.tv_sec - start->tv_sec) * 1000; +} + +/** + * Benchmark a crypter */ -static bool test_crypter(private_crypto_tester_t *this, - encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create) +static u_int bench_crypter(private_crypto_tester_t *this, + encryption_algorithm_t alg, crypter_constructor_t create) +{ + crypter_t *crypter; + + crypter = create(alg, 0); + if (crypter) + { + char iv[crypter->get_iv_size(crypter)]; + char key[crypter->get_key_size(crypter)]; + chunk_t buf; + struct timespec start; + u_int runs; + + memset(iv, 0x56, sizeof(iv)); + memset(key, 0x12, sizeof(key)); + crypter->set_key(crypter, chunk_from_thing(key)); + + buf = chunk_alloc(this->bench_size); + memset(buf.ptr, 0x34, buf.len); + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + crypter->encrypt(crypter, buf, chunk_from_thing(iv), NULL); + runs++; + crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL); + runs++; + } + free(buf.ptr); + crypter->destroy(crypter); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_crypter, bool, + private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, + crypter_constructor_t create, u_int *speed) { enumerator_t *enumerator; crypter_test_vector_t *vector; @@ -102,7 +197,7 @@ static bool test_crypter(private_crypto_tester_t *this, key = chunk_create(vector->key, crypter->get_key_size(crypter)); crypter->set_key(crypter, key); - iv = chunk_create(vector->iv, crypter->get_block_size(crypter)); + iv = chunk_create(vector->iv, crypter->get_iv_size(crypter)); /* allocated encryption */ plain = chunk_create(vector->plain, vector->len); @@ -136,8 +231,165 @@ static bool test_crypter(private_crypto_tester_t *this, crypter->destroy(crypter); if (failed) { - DBG1(DBG_LIB, "disabled %N: test vector %u failed", + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + encryption_algorithm_names, alg, get_name(vector)); + break; + } + } + enumerator->destroy(enumerator); + if (!tested) + { + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg); + return !this->required; + } + if (!failed) + { + if (speed) + { + *speed = bench_crypter(this, alg, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", encryption_algorithm_names, alg, tested); + } + } + return !failed; +} + +/** + * Benchmark an aead transform + */ +static u_int bench_aead(private_crypto_tester_t *this, + encryption_algorithm_t alg, aead_constructor_t create) +{ + aead_t *aead; + + aead = create(alg, 0); + if (aead) + { + char iv[aead->get_iv_size(aead)]; + char key[aead->get_key_size(aead)]; + char assoc[4]; + chunk_t buf; + struct timespec start; + u_int runs; + size_t icv; + + memset(iv, 0x56, sizeof(iv)); + memset(key, 0x12, sizeof(key)); + memset(assoc, 0x78, sizeof(assoc)); + aead->set_key(aead, chunk_from_thing(key)); + icv = aead->get_icv_size(aead); + + buf = chunk_alloc(this->bench_size + icv); + memset(buf.ptr, 0x34, buf.len); + buf.len -= icv; + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + aead->encrypt(aead, buf, chunk_from_thing(assoc), + chunk_from_thing(iv), NULL); + runs += 2; + aead->decrypt(aead, chunk_create(buf.ptr, buf.len + icv), + chunk_from_thing(assoc), chunk_from_thing(iv), NULL); + runs += 2; + } + free(buf.ptr); + aead->destroy(aead); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_aead, bool, + private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, + aead_constructor_t create, u_int *speed) +{ + enumerator_t *enumerator; + aead_test_vector_t *vector; + bool failed = FALSE; + u_int tested = 0; + + enumerator = this->aead->create_enumerator(this->aead); + while (enumerator->enumerate(enumerator, &vector)) + { + aead_t *aead; + chunk_t key, plain, cipher, iv, assoc; + size_t icv; + + if (vector->alg != alg) + { + continue; + } + if (key_size && key_size != vector->key_size) + { /* test only vectors with a specific key size, if key size given */ + continue; + } + aead = create(alg, vector->key_size); + if (!aead) + { /* key size not supported... */ + continue; + } + + failed = FALSE; + tested++; + + key = chunk_create(vector->key, aead->get_key_size(aead)); + aead->set_key(aead, key); + iv = chunk_create(vector->iv, aead->get_iv_size(aead)); + assoc = chunk_create(vector->adata, vector->alen); + icv = aead->get_icv_size(aead); + + /* allocated encryption */ + plain = chunk_create(vector->plain, vector->len); + aead->encrypt(aead, plain, assoc, iv, &cipher); + if (!memeq(vector->cipher, cipher.ptr, cipher.len)) + { + failed = TRUE; + } + /* inline decryption */ + if (!aead->decrypt(aead, cipher, assoc, iv, NULL)) + { + failed = TRUE; + } + if (!memeq(vector->plain, cipher.ptr, cipher.len - icv)) + { + failed = TRUE; + } + free(cipher.ptr); + /* allocated decryption */ + cipher = chunk_create(vector->cipher, vector->len + icv); + if (!aead->decrypt(aead, cipher, assoc, iv, &plain)) + { + plain = chunk_empty; + failed = TRUE; + } + else if (!memeq(vector->plain, plain.ptr, plain.len)) + { + failed = TRUE; + } + plain.ptr = realloc(plain.ptr, plain.len + icv); + /* inline encryption */ + aead->encrypt(aead, plain, assoc, iv, NULL); + if (!memeq(vector->cipher, plain.ptr, plain.len + icv)) + { + failed = TRUE; + } + free(plain.ptr); + + aead->destroy(aead); + if (failed) + { + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + encryption_algorithm_names, alg, get_name(vector)); break; } } @@ -151,17 +403,64 @@ static bool test_crypter(private_crypto_tester_t *this, } if (!failed) { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - encryption_algorithm_names, alg, tested); + if (speed) + { + *speed = bench_aead(this, alg, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + encryption_algorithm_names, alg, tested); + } } return !failed; } /** - * Implementation of crypto_tester_t.test_signer + * Benchmark a signer */ -static bool test_signer(private_crypto_tester_t *this, - integrity_algorithm_t alg, signer_constructor_t create) +static u_int bench_signer(private_crypto_tester_t *this, + encryption_algorithm_t alg, signer_constructor_t create) +{ + signer_t *signer; + + signer = create(alg); + if (signer) + { + char key[signer->get_key_size(signer)]; + char mac[signer->get_block_size(signer)]; + chunk_t buf; + struct timespec start; + u_int runs; + + memset(key, 0x12, sizeof(key)); + signer->set_key(signer, chunk_from_thing(key)); + + buf = chunk_alloc(this->bench_size); + memset(buf.ptr, 0x34, buf.len); + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + signer->get_signature(signer, buf, mac); + runs++; + signer->verify_signature(signer, buf, chunk_from_thing(mac)); + runs++; + } + free(buf.ptr); + signer->destroy(signer); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_signer, bool, + private_crypto_tester_t *this, integrity_algorithm_t alg, + signer_constructor_t create, u_int *speed) { enumerator_t *enumerator; signer_test_vector_t *vector; @@ -226,11 +525,10 @@ static bool test_signer(private_crypto_tester_t *this, /* signature to existing buffer, using append mode */ if (data.len > 2) { - memset(mac.ptr, 0, mac.len); signer->allocate_signature(signer, chunk_create(data.ptr, 1), NULL); signer->get_signature(signer, chunk_create(data.ptr + 1, 1), NULL); - signer->get_signature(signer, chunk_skip(data, 2), mac.ptr); - if (!memeq(vector->mac, mac.ptr, mac.len)) + if (!signer->verify_signature(signer, chunk_skip(data, 2), + chunk_create(vector->mac, mac.len))) { failed = TRUE; } @@ -240,8 +538,8 @@ static bool test_signer(private_crypto_tester_t *this, signer->destroy(signer); if (failed) { - DBG1(DBG_LIB, "disabled %N: test vector %u failed", - integrity_algorithm_names, alg, tested); + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + integrity_algorithm_names, alg, get_name(vector)); break; } } @@ -255,17 +553,58 @@ static bool test_signer(private_crypto_tester_t *this, } if (!failed) { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - integrity_algorithm_names, alg, tested); + if (speed) + { + *speed = bench_signer(this, alg, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + integrity_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + integrity_algorithm_names, alg, tested); + } } return !failed; } /** - * Implementation of hasher_t.test_hasher + * Benchmark a hasher */ -static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create) +static u_int bench_hasher(private_crypto_tester_t *this, + hash_algorithm_t alg, hasher_constructor_t create) +{ + hasher_t *hasher; + + hasher = create(alg); + if (hasher) + { + char hash[hasher->get_hash_size(hasher)]; + chunk_t buf; + struct timespec start; + u_int runs; + + buf = chunk_alloc(this->bench_size); + memset(buf.ptr, 0x34, buf.len); + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + hasher->get_hash(hasher, buf, hash); + runs++; + } + free(buf.ptr); + hasher->destroy(hasher); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_hasher, bool, + private_crypto_tester_t *this, hash_algorithm_t alg, + hasher_constructor_t create, u_int *speed) { enumerator_t *enumerator; hasher_test_vector_t *vector; @@ -330,8 +669,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, hasher->destroy(hasher); if (failed) { - DBG1(DBG_LIB, "disabled %N: test vector %u failed", - hash_algorithm_names, alg, tested); + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + hash_algorithm_names, alg, get_name(vector)); break; } } @@ -345,17 +684,58 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, } if (!failed) { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - hash_algorithm_names, alg, tested); + if (speed) + { + *speed = bench_hasher(this, alg, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + hash_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + hash_algorithm_names, alg, tested); + } } return !failed; } /** - * Implementation of crypto_tester_t.test_prf + * Benchmark a PRF */ -static bool test_prf(private_crypto_tester_t *this, - pseudo_random_function_t alg, prf_constructor_t create) +static u_int bench_prf(private_crypto_tester_t *this, + pseudo_random_function_t alg, prf_constructor_t create) +{ + prf_t *prf; + + prf = create(alg); + if (prf) + { + char bytes[prf->get_block_size(prf)]; + chunk_t buf; + struct timespec start; + u_int runs; + + buf = chunk_alloc(this->bench_size); + memset(buf.ptr, 0x34, buf.len); + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + prf->get_bytes(prf, buf, bytes); + runs++; + } + free(buf.ptr); + prf->destroy(prf); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_prf, bool, + private_crypto_tester_t *this, pseudo_random_function_t alg, + prf_constructor_t create, u_int *speed) { enumerator_t *enumerator; prf_test_vector_t *vector; @@ -431,8 +811,8 @@ static bool test_prf(private_crypto_tester_t *this, prf->destroy(prf); if (failed) { - DBG1(DBG_LIB, "disabled %N: test vector %u failed", - pseudo_random_function_names, alg, tested); + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + pseudo_random_function_names, alg, get_name(vector)); break; } } @@ -446,17 +826,55 @@ static bool test_prf(private_crypto_tester_t *this, } if (!failed) { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - pseudo_random_function_names, alg, tested); + if (speed) + { + *speed = bench_prf(this, alg, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + pseudo_random_function_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + pseudo_random_function_names, alg, tested); + } } return !failed; } /** - * Implementation of crypto_tester_t.test_rng + * Benchmark a RNG */ -static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create) +static u_int bench_rng(private_crypto_tester_t *this, + rng_quality_t quality, rng_constructor_t create) +{ + rng_t *rng; + + rng = create(quality); + if (rng) + { + struct timespec start; + chunk_t buf; + u_int runs; + + runs = 0; + buf = chunk_alloc(this->bench_size); + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + rng->get_bytes(rng, buf.len, buf.ptr); + runs++; + } + free(buf.ptr); + rng->destroy(rng); + + return runs; + } + return 0; +} + +METHOD(crypto_tester_t, test_rng, bool, + private_crypto_tester_t *this, rng_quality_t quality, + rng_constructor_t create, u_int *speed) { enumerator_t *enumerator; rng_test_vector_t *vector; @@ -515,8 +933,8 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, rng->destroy(rng); if (failed) { - DBG1(DBG_LIB, "disabled %N: test vector %u failed", - rng_quality_names, quality, tested); + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + rng_quality_names, quality, get_name(vector)); break; } } @@ -530,63 +948,62 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, } if (!failed) { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - rng_quality_names, quality, tested); + if (speed) + { + *speed = bench_rng(this, quality, create); + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + rng_quality_names, quality, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + rng_quality_names, quality, tested); + } } return !failed; } -/** - * Implementation of crypter_tester_t.add_crypter_vector - */ -static void add_crypter_vector(private_crypto_tester_t *this, - crypter_test_vector_t *vector) +METHOD(crypto_tester_t, add_crypter_vector, void, + private_crypto_tester_t *this, crypter_test_vector_t *vector) { this->crypter->insert_last(this->crypter, vector); } -/** - * Implementation of crypter_tester_t.add_signer_vector - */ -static void add_signer_vector(private_crypto_tester_t *this, - signer_test_vector_t *vector) +METHOD(crypto_tester_t, add_aead_vector, void, + private_crypto_tester_t *this, aead_test_vector_t *vector) +{ + this->aead->insert_last(this->aead, vector); +} + +METHOD(crypto_tester_t, add_signer_vector, void, + private_crypto_tester_t *this, signer_test_vector_t *vector) { this->signer->insert_last(this->signer, vector); } -/** - * Implementation of crypter_tester_t.add_hasher_vector - */ -static void add_hasher_vector(private_crypto_tester_t *this, - hasher_test_vector_t *vector) +METHOD(crypto_tester_t, add_hasher_vector, void, + private_crypto_tester_t *this, hasher_test_vector_t *vector) { this->hasher->insert_last(this->hasher, vector); } -/** - * Implementation of crypter_tester_t.add_prf_vector - */ -static void add_prf_vector(private_crypto_tester_t *this, - prf_test_vector_t *vector) +METHOD(crypto_tester_t, add_prf_vector, void, + private_crypto_tester_t *this, prf_test_vector_t *vector) { this->prf->insert_last(this->prf, vector); } -/** - * Implementation of crypter_tester_t.add_rng_vector - */ -static void add_rng_vector(private_crypto_tester_t *this, - rng_test_vector_t *vector) +METHOD(crypto_tester_t, add_rng_vector, void, + private_crypto_tester_t *this, rng_test_vector_t *vector) { this->rng->insert_last(this->rng, vector); } -/** - * Implementation of crypto_tester_t.destroy. - */ -static void destroy(private_crypto_tester_t *this) +METHOD(crypto_tester_t, destroy, void, + private_crypto_tester_t *this) { this->crypter->destroy(this->crypter); + this->aead->destroy(this->aead); this->signer->destroy(this->signer); this->hasher->destroy(this->hasher); this->prf->destroy(this->prf); @@ -599,30 +1016,43 @@ static void destroy(private_crypto_tester_t *this) */ crypto_tester_t *crypto_tester_create() { - private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t); - - this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter; - this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer; - this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher; - this->public.test_prf = (bool(*)(crypto_tester_t*, pseudo_random_function_t alg, prf_constructor_t create))test_prf; - this->public.test_rng = (bool(*)(crypto_tester_t*, rng_quality_t quality, rng_constructor_t create))test_rng; - this->public.add_crypter_vector = (void(*)(crypto_tester_t*, crypter_test_vector_t *vector))add_crypter_vector; - this->public.add_signer_vector = (void(*)(crypto_tester_t*, signer_test_vector_t *vector))add_signer_vector; - this->public.add_hasher_vector = (void(*)(crypto_tester_t*, hasher_test_vector_t *vector))add_hasher_vector; - this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector; - this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector; - this->public.destroy = (void(*)(crypto_tester_t*))destroy; - - this->crypter = linked_list_create(); - this->signer = linked_list_create(); - this->hasher = linked_list_create(); - this->prf = linked_list_create(); - this->rng = linked_list_create(); - - this->required = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.required", FALSE); - this->rng_true = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.rng_true", FALSE); + private_crypto_tester_t *this; + + INIT(this, + .public = { + .test_crypter = _test_crypter, + .test_aead = _test_aead, + .test_signer = _test_signer, + .test_hasher = _test_hasher, + .test_prf = _test_prf, + .test_rng = _test_rng, + .add_crypter_vector = _add_crypter_vector, + .add_aead_vector = _add_aead_vector, + .add_signer_vector = _add_signer_vector, + .add_hasher_vector = _add_hasher_vector, + .add_prf_vector = _add_prf_vector, + .add_rng_vector = _add_rng_vector, + .destroy = _destroy, + }, + .crypter = linked_list_create(), + .aead = linked_list_create(), + .signer = linked_list_create(), + .hasher = linked_list_create(), + .prf = linked_list_create(), + .rng = linked_list_create(), + + .required = lib->settings->get_bool(lib->settings, + "libstrongswan.crypto_test.required", FALSE), + .rng_true = lib->settings->get_bool(lib->settings, + "libstrongswan.crypto_test.rng_true", FALSE), + .bench_time = lib->settings->get_int(lib->settings, + "libstrongswan.crypto_test.bench_time", 50), + .bench_size = lib->settings->get_int(lib->settings, + "libstrongswan.crypto_test.bench_size", 1024), + ); + + /* enforce a block size of 16, should be fine for all algorithms */ + this->bench_size = this->bench_size / 16 * 16; return &this->public; } diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index ddcc2da51..cef0b3c18 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -26,6 +26,7 @@ typedef struct crypto_tester_t crypto_tester_t; #include <crypto/crypto_factory.h> typedef struct crypter_test_vector_t crypter_test_vector_t; +typedef struct aead_test_vector_t aead_test_vector_t; typedef struct signer_test_vector_t signer_test_vector_t; typedef struct hasher_test_vector_t hasher_test_vector_t; typedef struct prf_test_vector_t prf_test_vector_t; @@ -48,6 +49,27 @@ struct crypter_test_vector_t { u_char *cipher; }; +struct aead_test_vector_t { + /** encryption algorithm this vector tests */ + encryption_algorithm_t alg; + /** key length to use, in bytes */ + size_t key_size; + /** encryption key of test vector */ + u_char *key; + /** initialization vector, using crypters blocksize bytes */ + u_char *iv; + /** length of associated data */ + size_t alen; + /** associated data */ + u_char *adata; + /** length of plain text */ + size_t len; + /** plain text */ + u_char *plain; + /** cipher text */ + u_char *cipher; +}; + struct signer_test_vector_t { /** signer algorithm this test vector tests */ pseudo_random_function_t alg; @@ -114,48 +136,67 @@ struct crypto_tester_t { * Test a crypter algorithm, optionally using a specified key size. * * @param alg algorithm to test - * @param key_size key size to test, 0 for all + * @param key_size key size to test, 0 for default * @param create constructor function for the crypter + * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg, - size_t key_size, crypter_constructor_t create); + size_t key_size, crypter_constructor_t create, + u_int *speed); + + /** + * Test an aead algorithm, optionally using a specified key size. + * + * @param alg algorithm to test + * @param key_size key size to test, 0 for default + * @param create constructor function for the aead transform + * @param speed speed test result, NULL to omit + * @return TRUE if test passed + */ + bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg, + size_t key_size, aead_constructor_t create, + u_int *speed); /** * Test a signer algorithm. * * @param alg algorithm to test * @param create constructor function for the signer + * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg, - signer_constructor_t create); + signer_constructor_t create, u_int *speed); /** * Test a hasher algorithm. * * @param alg algorithm to test * @param create constructor function for the hasher + * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create); + hasher_constructor_t create, u_int *speed); /** * Test a PRF algorithm. * * @param alg algorithm to test * @param create constructor function for the PRF + * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg, - prf_constructor_t create); + prf_constructor_t create, u_int *speed); /** * Test a RNG implementation. * * @param alg algorithm to test * @param create constructor function for the RNG + * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create); + rng_constructor_t create, u_int *speed); /** * Add a test vector to test a crypter. * @@ -164,6 +205,13 @@ struct crypto_tester_t { void (*add_crypter_vector)(crypto_tester_t *this, crypter_test_vector_t *vector); /** + * Add a test vector to test an aead transform. + * + * @param vector pointer to test vector + */ + void (*add_aead_vector)(crypto_tester_t *this, + aead_test_vector_t *vector); + /** * Add a test vector to test a signer. * * @param vector pointer to test vector diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index 9bd8991fc..5f7365321 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c @@ -38,9 +38,10 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT, "MODP_2048_256", "ECP_192", "ECP_224"); -ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT, - "MODP_NULL"); -ENUM_END(diffie_hellman_group_names, MODP_NULL); +ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT, + "MODP_NULL", + "MODP_CUSTOM"); +ENUM_END(diffie_hellman_group_names, MODP_CUSTOM); /** @@ -441,3 +442,20 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group) return NULL; } +/** + * See header. + */ +bool diffie_hellman_group_is_ec(diffie_hellman_group_t group) +{ + switch (group) + { + case ECP_256_BIT: + case ECP_384_BIT: + case ECP_521_BIT: + case ECP_192_BIT: + case ECP_224_BIT: + return TRUE; + default: + return FALSE; + } +} diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index cdc9c785e..9ae772363 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -57,6 +57,8 @@ enum diffie_hellman_group_t { ECP_224_BIT = 26, /** insecure NULL diffie hellman group for testing, in PRIVATE USE */ MODP_NULL = 1024, + /** MODP group with custon generator, prime */ + MODP_CUSTOM = 1025, }; /** @@ -145,4 +147,12 @@ struct diffie_hellman_params_t { */ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group); +/** + * Check if a given DH group is an ECDH group + * + * @param group group to check + * @return TUE if group is an ECP group + */ +bool diffie_hellman_group_is_ec(diffie_hellman_group_t group); + #endif /** DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c index 8681a5b97..12e13ef57 100644 --- a/src/libstrongswan/crypto/prfs/prf.c +++ b/src/libstrongswan/crypto/prfs/prf.c @@ -16,12 +16,13 @@ #include "prf.h" -ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_KEYED_SHA1, +ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_CAMELLIA128_XCBC, "PRF_UNDEFINED", "PRF_FIPS_SHA1_160", "PRF_FIPS_DES", - "PRF_KEYED_SHA1"); -ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_KEYED_SHA1, + "PRF_KEYED_SHA1", + "PRF_CAMELLIA128_XCBC"); +ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_CAMELLIA128_XCBC, "PRF_HMAC_MD5", "PRF_HMAC_SHA1", "PRF_HMAC_TIGER", diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h index 6e853444f..ad15205d3 100644 --- a/src/libstrongswan/crypto/prfs/prf.h +++ b/src/libstrongswan/crypto/prfs/prf.h @@ -30,8 +30,7 @@ typedef struct prf_t prf_t; /** * Pseudo random function, as in IKEv2 RFC 3.3.2. * - * PRF algorithms not defined in IKEv2 are allocated in "private use" - * space. + * PRF algorithms not defined in IKEv2 are allocated in "private use" space. */ enum pseudo_random_function_t { PRF_UNDEFINED = 1024, @@ -55,11 +54,12 @@ enum pseudo_random_function_t { PRF_FIPS_SHA1_160 = 1025, /** FIPS 186-2-change1, uses fixed output size of 160bit */ PRF_FIPS_DES = 1026, - /** - * Keyed hash algorithm using SHA1, used in EAP-AKA: + /** Keyed hash algorithm using SHA1, used in EAP-AKA: * This PRF uses SHA1, but XORs the key into the IV. No "Final()" operation * is applied to the SHA1 state. */ PRF_KEYED_SHA1 = 1027, + /** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */ + PRF_CAMELLIA128_XCBC = 1028, }; /** diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c index a43dde7ea..10ab9fc23 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c @@ -1,6 +1,6 @@ /* C code produced by gperf version 3.0.3 */ /* Command-line: /usr/bin/gperf -N proposal_get_token -m 10 -C -G -c -t -D */ -/* Computed positions: -k'1,5,7,10,$' */ +/* Computed positions: -k'1,5,7,10,15,$' */ #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \ @@ -59,12 +59,12 @@ struct proposal_token { u_int16_t keysize; }; -#define TOTAL_KEYWORDS 95 +#define TOTAL_KEYWORDS 117 #define MIN_WORD_LENGTH 3 -#define MAX_WORD_LENGTH 12 -#define MIN_HASH_VALUE 5 -#define MAX_HASH_VALUE 137 -/* maximum key range = 133, duplicates = 0 */ +#define MAX_WORD_LENGTH 17 +#define MIN_HASH_VALUE 9 +#define MAX_HASH_VALUE 209 +/* maximum key range = 201, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -80,38 +80,45 @@ hash (str, len) { static const unsigned char asso_values[] = { - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 3, 11, - 2, 23, 29, 27, 21, 16, 5, 0, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 17, 138, 1, 0, 1, - 9, 9, 50, 0, 4, 54, 138, 138, 1, 138, - 35, 0, 138, 138, 71, 3, 38, 22, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138, 138, 138, 138, - 138, 138, 138, 138, 138, 138, 138 + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 16, 9, + 4, 41, 66, 19, 8, 4, 5, 3, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 122, 210, 3, 22, 21, + 3, 111, 103, 48, 7, 4, 210, 210, 3, 210, + 57, 3, 210, 210, 78, 6, 3, 28, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210 }; register int hval = len; switch (hval) { default: + hval += asso_values[(unsigned char)str[14]]; + /*FALLTHROUGH*/ + case 14: + case 13: + case 12: + case 11: + case 10: hval += asso_values[(unsigned char)str[9]]; /*FALLTHROUGH*/ case 9: @@ -135,115 +142,148 @@ hash (str, len) static const struct proposal_token wordlist[] = { + {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, {"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0}, + {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, + {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, + {"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, + {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192}, + {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128}, + {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192}, - {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, - {"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192}, + {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, {"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, - {"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128}, - {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, - {"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, + {"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, + {"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, + {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, + {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128}, + {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, + {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128}, + {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, + {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, + {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, + {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, + {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256}, + {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, + {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256}, + {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, + {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, + {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, + {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, + {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, + {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, + {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0}, + {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, {"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, - {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, {"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, - {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, + {"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, + {"aes128ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, {"aes192ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, - {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, {"aes128ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, - {"aes192gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, {"aes192ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, - {"aes128gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, {"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, + {"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, + {"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, + {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, + {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0}, + {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, + {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0}, + {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, + {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, + {"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, + {"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, + {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, + {"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, + {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, {"aes192gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, - {"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, {"aes128gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, - {"aes128ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, - {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, - {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128}, - {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, - {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, + {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, + {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, + {"aes192gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, + {"aes128gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, {"aes192gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, - {"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, {"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, - {"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, + {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, + {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, + {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192}, + {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128}, + {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, {"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, - {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, - {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0}, + {"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, - {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, - {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, - {"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256}, + {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, - {"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0}, - {"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, - {"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, - {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, - {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, - {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, - {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, - {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0}, - {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, - {"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192}, - {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, - {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, {"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, - {"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, - {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, - {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, - {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, - {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192}, - {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, - {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0}, + {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, + {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256}, + {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, + {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, + {"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192}, + {"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128}, + {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0}, + {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, + {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192}, - {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128}, - {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, - {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0}, - {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0}, - {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, - {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, - {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0}, - {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, - {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, - {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0}, - {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, - {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, - {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192}, - {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, - {"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0}, {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0}, {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, + {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0}, + {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, + {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0}, + {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256}, + {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0}, + {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, + {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, + {"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192}, {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256}, - {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}, + {"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0}, + {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, + {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, - {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256}, {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, + {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256}, + {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, + {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0}, + {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0}, + {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0}, - {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256}, - {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, - {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, - {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256} + {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0} }; static const short lookup[] = { - -1, -1, -1, -1, -1, 0, 1, -1, 2, -1, 3, -1, 4, 5, - 6, 7, -1, -1, -1, -1, 8, 9, 10, 11, 12, 13, 14, 15, - 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, 26, -1, -1, - 27, 28, 29, 30, 31, 32, 33, -1, 34, 35, 36, 37, 38, 39, - 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, - 54, 55, 56, 57, 58, -1, 59, 60, 61, 62, 63, 64, 65, 66, - 67, 68, -1, 69, 70, 71, 72, 73, 74, 75, 76, -1, -1, 77, - 78, 79, 80, 81, -1, -1, 82, 83, -1, -1, 84, 85, -1, 86, - 87, 88, 89, -1, -1, -1, -1, -1, -1, -1, 90, 91, -1, -1, - -1, -1, -1, -1, 92, -1, 93, -1, -1, -1, -1, 94 + -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, + 1, -1, -1, -1, -1, -1, 2, -1, -1, -1, + -1, 3, 4, -1, -1, -1, -1, -1, 5, 6, + 7, 8, -1, -1, -1, 9, 10, 11, 12, 13, + 14, 15, 16, 17, 18, 19, 20, 21, 22, -1, + -1, -1, -1, 23, 24, 25, 26, 27, 28, 29, + 30, -1, 31, -1, 32, 33, 34, 35, 36, 37, + 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, + 48, -1, 49, -1, 50, -1, 51, -1, 52, -1, + 53, -1, 54, 55, 56, 57, 58, 59, 60, 61, + 62, 63, 64, 65, 66, 67, 68, 69, -1, 70, + -1, 71, -1, 72, 73, 74, 75, 76, -1, 77, + 78, 79, 80, 81, -1, 82, 83, 84, 85, -1, + -1, 86, 87, 88, 89, 90, 91, 92, -1, -1, + 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, + 103, 104, -1, -1, -1, -1, -1, -1, 105, 106, + 107, 108, -1, -1, -1, -1, 109, -1, 110, -1, + -1, -1, -1, -1, 111, -1, -1, -1, -1, 112, + 113, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, 114, 115, -1, -1, -1, 116 }; #ifdef __GNUC__ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt index 338993821..208c6715b 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt @@ -86,6 +86,27 @@ camellia, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128 camellia128, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128 camellia192, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192 camellia256, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256 +camellia128ctr, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128 +camellia192ctr, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192 +camellia256ctr, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256 +camellia128ccm8, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128 +camellia128ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128 +camellia128ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128 +camellia128ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128 +camellia128ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128 +camellia128ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128 +camellia192ccm8, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192 +camellia192ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192 +camellia192ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192 +camellia192ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192 +camellia192ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192 +camellia192ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192 +camellia256ccm8, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256 +camellia256ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256 +camellia256ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256 +camellia256ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256 +camellia256ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256 +camellia256ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256 cast128, ENCRYPTION_ALGORITHM, ENCR_CAST, 128 serpent, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128 serpent128, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128 @@ -107,6 +128,7 @@ sha512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0 sha2_512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0 md5, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0 aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0 +camelliaxcbc, INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0 modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0 modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0 modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0 diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c index e98916bfe..d8659170b 100644 --- a/src/libstrongswan/crypto/signers/signer.c +++ b/src/libstrongswan/crypto/signers/signer.c @@ -16,11 +16,14 @@ #include "signer.h" -ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA2_256_96, +ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_CAMELLIA_XCBC_96, "UNDEFINED", "HMAC_SHA1_128", - "HMAC_SHA2_256_96"); -ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA2_256_96, + "HMAC_SHA2_256_96", + "HMAC_SHA2_256_256", + "HMAC_SHA2_384_384", + "CAMELLIA_XCBC_96"); +ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_CAMELLIA_XCBC_96, "HMAC_MD5_96", "HMAC_SHA1_96", "DES_MAC", diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 94e8c99b9..e2c224d8b 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -66,6 +66,12 @@ enum integrity_algorithm_t { AUTH_HMAC_SHA1_128 = 1025, /** SHA256 96 bit truncation variant, supported by Linux kernels */ AUTH_HMAC_SHA2_256_96 = 1026, + /** SHA256 full length tuncation variant, as used in TLS */ + AUTH_HMAC_SHA2_256_256 = 1027, + /** SHA384 full length tuncation variant, as used in TLS */ + AUTH_HMAC_SHA2_384_384 = 1028, + /** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */ + AUTH_CAMELLIA_XCBC_96 = 1029, }; /** @@ -102,6 +108,10 @@ struct signer_t { /** * Verify a signature. * + * To verify a signature of multiple chunks of data, pass the + * data to get_signature() with a NULL buffer. verify_signature() acts + * as a final call and includes all data fed to get_signature(). + * * @param data a chunk containing the data to verify * @param signature a chunk containing the signature * @return TRUE, if signature is valid, FALSE otherwise diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c index af40f4de6..cec90a616 100644 --- a/src/libstrongswan/crypto/transform.c +++ b/src/libstrongswan/crypto/transform.c @@ -15,11 +15,12 @@ #include <crypto/transform.h> -ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, RANDOM_NUMBER_GENERATOR, +ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, AEAD_ALGORITHM, "UNDEFINED_TRANSFORM_TYPE", "HASH_ALGORITHM", - "RANDOM_NUMBER_GENERATOR"); -ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, RANDOM_NUMBER_GENERATOR, + "RANDOM_NUMBER_GENERATOR", + "AEAD_ALGORITHM"); +ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, AEAD_ALGORITHM, "ENCRYPTION_ALGORITHM", "PSEUDO_RANDOM_FUNCTION", "INTEGRITY_ALGORITHM", diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h index d11700a73..1a2660199 100644 --- a/src/libstrongswan/crypto/transform.h +++ b/src/libstrongswan/crypto/transform.h @@ -32,6 +32,7 @@ enum transform_type_t { UNDEFINED_TRANSFORM_TYPE = 241, HASH_ALGORITHM = 242, RANDOM_NUMBER_GENERATOR = 243, + AEAD_ALGORITHM = 244, ENCRYPTION_ALGORITHM = 1, PSEUDO_RANDOM_FUNCTION = 2, INTEGRITY_ALGORITHM = 3, diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c index 21a7e63dd..6ded70248 100644 --- a/src/libstrongswan/debug.c +++ b/src/libstrongswan/debug.c @@ -27,6 +27,8 @@ ENUM(debug_names, DBG_DMN, DBG_LIB, "KNL", "NET", "ENC", + "TNC", + "TLS", "LIB", ); @@ -40,6 +42,8 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB, "knl", "net", "enc", + "tnc", + "tls", "lib", ); diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h index a21111d93..d3399bff6 100644 --- a/src/libstrongswan/debug.h +++ b/src/libstrongswan/debug.h @@ -50,6 +50,10 @@ enum debug_t { DBG_NET, /** message encoding/decoding */ DBG_ENC, + /** trusted network connect */ + DBG_TNC, + /** libtls */ + DBG_TLS, /** libstrongswan */ DBG_LIB, /** number of groups */ diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c new file mode 100644 index 000000000..71734017a --- /dev/null +++ b/src/libstrongswan/eap/eap.c @@ -0,0 +1,131 @@ +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap.h" + +ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE, + "EAP_REQUEST", + "EAP_RESPONSE", + "EAP_SUCCESS", + "EAP_FAILURE", +); + +ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE, + "REQ", + "RES", + "SUCC", + "FAIL", +); + +ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, + "EAP_IDENTITY", + "EAP_NOTIFICATION", + "EAP_NAK", + "EAP_MD5", + "EAP_OTP", + "EAP_GTC"); +ENUM_NEXT(eap_type_names, EAP_TLS, EAP_TLS, EAP_GTC, + "EAP_TLS"); +ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TLS, + "EAP_SIM"); +ENUM_NEXT(eap_type_names, EAP_TTLS, EAP_TTLS, EAP_SIM, + "EAP_TTLS"); +ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_TTLS, + "EAP_AKA"); +ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "EAP_MSCHAPV2"); +ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2, + "EAP_TNC"); +ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC, + "EAP_RADIUS", + "EAP_EXPANDED", + "EAP_EXPERIMENTAL"); +ENUM_END(eap_type_names, EAP_EXPERIMENTAL); + +ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, + "ID", + "NTF", + "NAK", + "MD5", + "OTP", + "GTC"); +ENUM_NEXT(eap_type_short_names, EAP_TLS, EAP_TLS, EAP_GTC, + "TLS"); +ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_TLS, + "SIM"); +ENUM_NEXT(eap_type_short_names, EAP_TTLS, EAP_TTLS, EAP_SIM, + "TTLS"); +ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_TTLS, + "AKA"); +ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "MSCHAPV2"); +ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2, + "TNC"); +ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC, + "RAD", + "EXP", + "XP"); +ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); + +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, + "RULE_IDENTITY", + "RULE_AUTH_CLASS", + "RULE_EAP_IDENTITY", + "RULE_EAP_TYPE", + "RULE_EAP_VENDOR", + "RULE_CA_CERT", + "RULE_IM_CERT", + "RULE_SUBJECT_CERT", + "RULE_CRL_VALIDATION", + "RULE_OCSP_VALIDATION", + "RULE_GROUP", + "HELPER_IM_CERT", + "HELPER_SUBJECT_CERT", + "HELPER_IM_HASH_URL", + "HELPER_SUBJECT_HASH_URL", +); + +/* + * See header + */ +eap_type_t eap_type_from_string(char *name) +{ + int i; + static struct { + char *name; + eap_type_t type; + } types[] = { + {"identity", EAP_IDENTITY}, + {"md5", EAP_MD5}, + {"otp", EAP_OTP}, + {"gtc", EAP_GTC}, + {"tls", EAP_TLS}, + {"ttls", EAP_TTLS}, + {"sim", EAP_SIM}, + {"aka", EAP_AKA}, + {"mschapv2", EAP_MSCHAPV2}, + {"tnc", EAP_TNC}, + {"radius", EAP_RADIUS}, + }; + + for (i = 0; i < countof(types); i++) + { + if (strcaseeq(name, types[i].name)) + { + return types[i].type; + } + } + return 0; +} diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h new file mode 100644 index 000000000..1d55747a4 --- /dev/null +++ b/src/libstrongswan/eap/eap.h @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap eap + * @{ @ingroup libstrongswan + */ + +#ifndef EAP_H_ +#define EAP_H_ + +typedef enum eap_code_t eap_code_t; +typedef enum eap_type_t eap_type_t; + +#include <library.h> + +/** + * EAP code, type of an EAP message + */ +enum eap_code_t { + EAP_REQUEST = 1, + EAP_RESPONSE = 2, + EAP_SUCCESS = 3, + EAP_FAILURE = 4, +}; + +/** + * enum names for eap_code_t. + */ +extern enum_name_t *eap_code_names; + +/** + * short string enum names for eap_code_t. + */ +extern enum_name_t *eap_code_short_names; + +/** + * EAP types, defines the EAP method implementation + */ +enum eap_type_t { + EAP_IDENTITY = 1, + EAP_NOTIFICATION = 2, + EAP_NAK = 3, + EAP_MD5 = 4, + EAP_OTP = 5, + EAP_GTC = 6, + EAP_TLS = 13, + EAP_SIM = 18, + EAP_TTLS = 21, + EAP_AKA = 23, + EAP_MSCHAPV2 = 26, + EAP_TNC = 38, + /** not a method, but an implementation providing different methods */ + EAP_RADIUS = 253, + EAP_EXPANDED = 254, + EAP_EXPERIMENTAL = 255, +}; + +/** + * enum names for eap_type_t. + */ +extern enum_name_t *eap_type_names; + +/** + * short string enum names for eap_type_t. + */ +extern enum_name_t *eap_type_short_names; + +/** + * Lookup the EAP method type from a string. + * + * @param name EAP method name (such as "md5", "aka") + * @return method type, 0 if unkown + */ +eap_type_t eap_type_from_string(char *name); + +#endif /** EAP_H_ @}*/ diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c index 946a54deb..258a5b410 100644 --- a/src/libstrongswan/enum.c +++ b/src/libstrongswan/enum.c @@ -16,12 +16,14 @@ #include <stddef.h> #include <stdio.h> +#include <library.h> + #include "enum.h" /** - * get the name of an enum value in a enum_name_t list + * See header. */ -static char *enum_name(enum_name_t *e, int val) +char *enum_to_name(enum_name_t *e, int val) { do { @@ -35,6 +37,27 @@ static char *enum_name(enum_name_t *e, int val) } /** + * See header. + */ +int enum_from_name(enum_name_t *e, char *name) +{ + do + { + int i, count = e->last - e->first; + + for (i = 0; i < count; i++) + { + if (strcaseeq(name, e->names[i])) + { + return e->first + i; + } + } + } + while ((e = e->next)); + return -1; +} + +/** * Described in header. */ int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, @@ -43,7 +66,7 @@ int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, enum_name_t *ed = *((enum_name_t**)(args[0])); int val = *((int*)(args[1])); - char *name = enum_name(ed, val); + char *name = enum_to_name(ed, val); if (name == NULL) { diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h index 691f9f2bc..d5f169772 100644 --- a/src/libstrongswan/enum.h +++ b/src/libstrongswan/enum.h @@ -107,6 +107,24 @@ struct enum_name_t { #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last) /** + * Convert a enum value to its string representation. + * + * @param e enum names for this enum value + * @param val enum value to get string for + * @return string for enum, NULL if not found + */ +char *enum_to_name(enum_name_t *e, int val); + +/** + * Convert a enum string back to its enum value. + * + * @param e enum names for this enum value + * @param name name to get enum value for + * @return enum value, -1 if not found + */ +int enum_from_name(enum_name_t *e, char *name); + +/** * printf hook function for enum_names_t. * * Arguments are: diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index b61bdf7a0..b7e75aec5 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -65,6 +65,8 @@ void library_deinit() detailed = lib->settings->get_bool(lib->settings, "libstrongswan.leak_detective.detailed", TRUE); + this->public.scheduler->destroy(this->public.scheduler); + this->public.processor->destroy(this->public.processor); this->public.plugins->destroy(this->public.plugins); this->public.settings->destroy(this->public.settings); this->public.credmgr->destroy(this->public.credmgr); @@ -141,6 +143,8 @@ bool library_init(char *settings) this->public.encoding = cred_encoding_create(); this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); + this->public.processor = processor_create(); + this->public.scheduler = scheduler_create(); this->public.plugins = plugin_loader_create(); this->public.integrity = NULL; diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index cd5dfb479..034ff10c5 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -43,6 +43,12 @@ * @defgroup plugins plugins * @ingroup libstrongswan * + * @defgroup processing processing + * @ingroup libstrongswan + * + * @defgroup jobs jobs + * @ingroup processing + * * @defgroup threading threading * @ingroup libstrongswan * @@ -64,6 +70,8 @@ #include "settings.h" #include "integrity_checker.h" #include "plugins/plugin_loader.h" +#include "processing/processor.h" +#include "processing/scheduler.h" #include "crypto/crypto_factory.h" #include "fetcher/fetcher_manager.h" #include "database/database_factory.h" @@ -119,6 +127,16 @@ struct library_t { plugin_loader_t *plugins; /** + * process jobs using a thread pool + */ + processor_t *processor; + + /** + * schedule jobs + */ + scheduler_t *scheduler; + + /** * various settings loaded from settings file */ settings_t *settings; diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 9859b75cf..99a520852 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c index 10d48cf67..f13e33492 100644 --- a/src/libstrongswan/plugins/aes/aes_crypter.c +++ b/src/libstrongswan/plugins/aes/aes_crypter.c @@ -1331,11 +1331,8 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char state_out(out_blk, b0); } -/** - * Implementation of crypter_t.decrypt. - */ -static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *decrypted) +METHOD(crypter_t, decrypt, void, + private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { int pos; const u_int32_t *iv_i; @@ -1376,12 +1373,8 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv, } } - -/** - * Implementation of crypter_t.decrypt. - */ -static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *encrypted) +METHOD(crypter_t, encrypt, void, + private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted) { int pos; const u_int32_t *iv_i; @@ -1417,26 +1410,26 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv, } } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size (private_aes_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_aes_crypter_t *this) { return AES_BLOCK_SIZE; } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size (private_aes_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_aes_crypter_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(crypter_t, get_key_size, size_t, + private_aes_crypter_t *this) { return this->key_size; } -/** - * Implementation of crypter_t.set_key. - */ -static void set_key (private_aes_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_aes_crypter_t *this, chunk_t key) { u_int32_t *kf, *kt, rci, f = 0; u_int8_t *in_key = key.ptr; @@ -1498,8 +1491,8 @@ static void set_key (private_aes_crypter_t *this, chunk_t key) } if(!f) - { - u_int32_t i; + { + u_int32_t i; kt = this->aes_d_key + nc * this->aes_Nrnd; kf = this->aes_e_key; @@ -1517,15 +1510,13 @@ static void set_key (private_aes_crypter_t *this, chunk_t key) cpy(kt, kf); #endif kt -= 2 * nc; - } + } cpy(kt, kf); - } + } } -/** - * Implementation of crypter_t.destroy and aes_crypter_t.destroy. - */ -static void destroy (private_aes_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_aes_crypter_t *this) { free(this); } @@ -1541,36 +1532,38 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size) { return NULL; } - - this = malloc_thing(private_aes_crypter_t); + switch (key_size) + { + case 0: + key_size = 16; + break; + case 32: + case 24: + case 16: + break; + default: + return NULL; + } #if !defined(FIXED_TABLES) if(!tab_gen) { gen_tabs(); tab_gen = 1; } #endif - this->key_size = key_size; - switch(key_size) - { - case 32: /* bytes */ - this->aes_Nkey = 8; - break; - case 24: /* bytes */ - this->aes_Nkey = 6; - break; - case 16: /* bytes */ - this->aes_Nkey = 4; - break; - default: - free(this); - return NULL; - } - - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt; - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size; - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy; - - return &(this->public); + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size, + .aes_Nkey = key_size / 4, + ); + + return &this->public; } diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h index 061d72fd6..473772f04 100644 --- a/src/libstrongswan/plugins/aes/aes_crypter.h +++ b/src/libstrongswan/plugins/aes/aes_crypter.h @@ -32,9 +32,9 @@ typedef struct aes_crypter_t aes_crypter_t; struct aes_crypter_t { /** - * The crypter_t interface. + * Implements crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c index 1e920f8cc..22b47e334 100644 --- a/src/libstrongswan/plugins/aes/aes_plugin.c +++ b/src/libstrongswan/plugins/aes/aes_plugin.c @@ -31,10 +31,8 @@ struct private_aes_plugin_t { aes_plugin_t public; }; -/** - * Implementation of aes_plugin_t.destroy - */ -static void destroy(private_aes_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_aes_plugin_t *this) { lib->crypto->remove_crypter(lib->crypto, (crypter_constructor_t)aes_crypter_create); @@ -46,9 +44,15 @@ static void destroy(private_aes_plugin_t *this) */ plugin_t *aes_plugin_create() { - private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_aes_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)aes_crypter_create); diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index c95e7b778..9f65f4ffb 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c index d40b437bb..bd3c1ac75 100644 --- a/src/libstrongswan/plugins/agent/agent_plugin.c +++ b/src/libstrongswan/plugins/agent/agent_plugin.c @@ -31,10 +31,8 @@ struct private_agent_plugin_t { agent_plugin_t public; }; -/** - * Implementation of agent_plugin_t.agenttroy - */ -static void destroy(private_agent_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_agent_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)agent_private_key_open); @@ -46,11 +44,17 @@ static void destroy(private_agent_plugin_t *this) */ plugin_t *agent_plugin_create() { - private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t); + private_agent_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)agent_private_key_open); return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 51ddbecc6..0864f4118 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -205,7 +205,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey) { break;; } - if (pubkey && !private_key_belongs_to(&this->public.interface, pubkey)) + if (pubkey && !private_key_belongs_to(&this->public.key, pubkey)) { continue; } @@ -221,11 +221,9 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey) return FALSE; } -/** - * Implementation of agent_private_key.destroy. - */ -static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign, bool, + private_agent_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) { u_int32_t len, flags; char buf[2048]; @@ -294,36 +292,28 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme, return TRUE; } -/** - * Implementation of agent_private_key.destroy. - */ -static key_type_t get_type(private_agent_private_key_t *this) +METHOD(private_key_t, get_type, key_type_t, + private_agent_private_key_t *this) { return KEY_RSA; } -/** - * Implementation of agent_private_key.destroy. - */ -static bool decrypt(private_agent_private_key_t *this, - chunk_t crypto, chunk_t *plain) +METHOD(private_key_t, decrypt, bool, + private_agent_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "private key decryption not supported by ssh-agent"); return FALSE; } -/** - * Implementation of agent_private_key.destroy. - */ -static size_t get_keysize(private_agent_private_key_t *this) +METHOD(private_key_t, get_keysize, int, + private_agent_private_key_t *this) { - return this->key_size; + return this->key_size * 8; } -/** - * Implementation of agent_private_key.get_public_key. - */ -static public_key_t* get_public_key(private_agent_private_key_t *this) +METHOD(private_key_t, get_public_key, public_key_t*, + private_agent_private_key_t *this) { chunk_t key, n, e; @@ -336,20 +326,15 @@ static public_key_t* get_public_key(private_agent_private_key_t *this) BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END); } -/** - * Implementation of private_key_t.get_encoding - */ -static bool get_encoding(private_agent_private_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(private_key_t, get_encoding, bool, + private_agent_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { return FALSE; } -/** - * Implementation of private_key_t.get_fingerprint - */ -static bool get_fingerprint(private_agent_private_key_t *this, - cred_encoding_type_t type, chunk_t *fp) +METHOD(private_key_t, get_fingerprint, bool, + private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e, key; @@ -366,19 +351,15 @@ static bool get_fingerprint(private_agent_private_key_t *this, CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); } -/** - * Implementation of agent_private_key.get_ref. - */ -static private_agent_private_key_t* get_ref(private_agent_private_key_t *this) +METHOD(private_key_t, get_ref, private_key_t*, + private_agent_private_key_t *this) { ref_get(&this->ref); - return this; + return &this->public.key; } -/** - * Implementation of agent_private_key.destroy. - */ -static void destroy(private_agent_private_key_t *this) +METHOD(private_key_t, destroy, void, + private_agent_private_key_t *this) { if (ref_put(&this->ref)) { @@ -420,20 +401,25 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args) return FALSE; } - this = malloc_thing(private_agent_private_key_t); - - this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type; - this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign; - this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt; - this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize; - this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; - this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.equals = private_key_equals; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(private_key_t *this))destroy; + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .belongs_to = private_key_belongs_to, + .equals = private_key_equals, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); this->socket = open_connection(path); if (this->socket < 0) @@ -441,9 +427,6 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args) free(this); return NULL; } - this->key = chunk_empty; - this->ref = 1; - if (!read_key(this, pubkey)) { destroy(this); diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h index 3d9500c1a..0623f2bb9 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.h +++ b/src/libstrongswan/plugins/agent/agent_private_key.h @@ -34,7 +34,7 @@ struct agent_private_key_t { /** * Implements private_key_t interface */ - private_key_t interface; + private_key_t key; }; /** diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 6a82ce94a..d310843ac 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c index fb856ed37..784c07eaf 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c @@ -68,8 +68,6 @@ typedef struct private_blowfish_crypter_t private_blowfish_crypter_t; /** * Class implementing the Blowfish symmetric encryption algorithm. - * - * @ingroup crypters */ struct private_blowfish_crypter_t { @@ -89,11 +87,9 @@ struct private_blowfish_crypter_t { u_int32_t key_size; }; -/** - * Implementation of crypter_t.decrypt. - */ -static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *decrypted) +METHOD(crypter_t, decrypt, void, + private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, + chunk_t *decrypted) { u_int8_t *in, *out; @@ -114,11 +110,9 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, free(iv.ptr); } -/** - * Implementation of crypter_t.decrypt. - */ -static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *encrypted) +METHOD(crypter_t, encrypt, void, + private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, + chunk_t *encrypted) { u_int8_t *in, *out; @@ -139,34 +133,32 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, free(iv.ptr); } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size (private_blowfish_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_blowfish_crypter_t *this) { return BLOWFISH_BLOCK_SIZE; } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size (private_blowfish_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_blowfish_crypter_t *this) +{ + return BLOWFISH_BLOCK_SIZE; +} + +METHOD(crypter_t, get_key_size, size_t, + private_blowfish_crypter_t *this) { return this->key_size; } -/** - * Implementation of crypter_t.set_key. - */ -static void set_key (private_blowfish_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_blowfish_crypter_t *this, chunk_t key) { BF_set_key(&this->schedule, key.len , key.ptr); } -/** - * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy. - */ -static void destroy (private_blowfish_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_blowfish_crypter_t *this) { free(this); } @@ -174,7 +166,8 @@ static void destroy (private_blowfish_crypter_t *this) /* * Described in header */ -blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size) +blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, + size_t key_size) { private_blowfish_crypter_t *this; @@ -183,15 +176,20 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t return NULL; } - this = malloc_thing(private_blowfish_crypter_t); - - this->key_size = key_size; - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt; - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size; - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy; - - return &(this->public); + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size ?: 16, + ); + + return &this->public; } diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h index 71cc09cd0..70dcae66e 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h @@ -32,9 +32,9 @@ typedef struct blowfish_crypter_t blowfish_crypter_t; struct blowfish_crypter_t { /** - * The crypter_t interface. + * Implements crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c index f9fb605b3..6ab093d7b 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c @@ -32,10 +32,8 @@ struct private_blowfish_plugin_t { blowfish_plugin_t public; }; -/** - * Implementation of blowfish_plugin_t.destroy - */ -static void destroy(private_blowfish_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_blowfish_plugin_t *this) { lib->crypto->remove_crypter(lib->crypto, (crypter_constructor_t)blowfish_crypter_create); @@ -47,9 +45,15 @@ static void destroy(private_blowfish_plugin_t *this) */ plugin_t *blowfish_plugin_create() { - private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_blowfish_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, (crypter_constructor_t)blowfish_crypter_create); diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am new file mode 100644 index 000000000..bca1f0735 --- /dev/null +++ b/src/libstrongswan/plugins/ccm/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-ccm.la +else +plugin_LTLIBRARIES = libstrongswan-ccm.la +endif + +libstrongswan_ccm_la_SOURCES = \ + ccm_plugin.h ccm_plugin.c \ + ccm_aead.h ccm_aead.c + +libstrongswan_ccm_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in new file mode 100644 index 000000000..017d75c48 --- /dev/null +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -0,0 +1,600 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/ccm +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_ccm_la_LIBADD = +am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo +libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS) +libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_ccm_la_SOURCES) +DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la +libstrongswan_ccm_la_SOURCES = \ + ccm_plugin.h ccm_plugin.c \ + ccm_aead.h ccm_aead.c + +libstrongswan_ccm_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) + $(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_aead.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c new file mode 100644 index 000000000..7fee2b3c4 --- /dev/null +++ b/src/libstrongswan/plugins/ccm/ccm_aead.c @@ -0,0 +1,397 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ccm_aead.h" + +#define BLOCK_SIZE 16 +#define SALT_SIZE 3 +#define IV_SIZE 8 +#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */ +#define Q_SIZE (BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */ + +typedef struct private_ccm_aead_t private_ccm_aead_t; + +/** + * Private data of an ccm_aead_t object. + */ +struct private_ccm_aead_t { + + /** + * Public ccm_aead_t interface. + */ + ccm_aead_t public; + + /** + * Underlying CBC crypter. + */ + crypter_t *crypter; + + /** + * Length of the integrity check value + */ + size_t icv_size; + + /** + * salt to add to nonce + */ + u_char salt[SALT_SIZE]; +}; + +/** + * First block with control information + */ +typedef struct __attribute__((packed)) { + BITFIELD4(u_int8_t, + /* size of p length field q, as q-1 */ + q_len: 3, + /* size of our ICV t, as (t-2)/2 */ + t_len: 3, + /* do we have associated data */ + assoc: 1, + reserved: 1, + ) flags; + /* nonce value */ + struct __attribute__((packed)) { + u_char salt[SALT_SIZE]; + u_char iv[IV_SIZE]; + } nonce; + /* lenght of plain text, q */ + u_char q[Q_SIZE]; +} b0_t; + +/** + * Counter block + */ +typedef struct __attribute__((packed)) { + BITFIELD3(u_int8_t, + /* size of p length field q, as q-1 */ + q_len: 3, + zero: 3, + reserved: 2, + ) flags; + /* nonce value */ + struct __attribute__((packed)) { + u_char salt[SALT_SIZE]; + u_char iv[IV_SIZE]; + } nonce; + /* counter value */ + u_char i[Q_SIZE]; +} ctr_t; + +/** + * Build the first block B0 + */ +static void build_b0(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, + chunk_t iv, char *out) +{ + b0_t *block = (b0_t*)out; + + block->flags.reserved = 0; + block->flags.assoc = assoc.len ? 1 : 0; + block->flags.t_len = (this->icv_size - 2) / 2; + block->flags.q_len = Q_SIZE - 1; + memcpy(block->nonce.salt, this->salt, SALT_SIZE); + memcpy(block->nonce.iv, iv.ptr, IV_SIZE); + htoun32(block->q, plain.len); +} + +/** + * Build a counter block for counter i + */ +static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv, + char *out) +{ + ctr_t *ctr = (ctr_t*)out; + + ctr->flags.reserved = 0; + ctr->flags.zero = 0; + ctr->flags.q_len = Q_SIZE - 1; + memcpy(ctr->nonce.salt, this->salt, SALT_SIZE); + memcpy(ctr->nonce.iv, iv.ptr, IV_SIZE); + htoun32(ctr->i, i); +} + +/** + * En-/Decrypt data + */ +static void crypt_data(private_ccm_aead_t *this, chunk_t iv, + chunk_t in, chunk_t out) +{ + char ctr[BLOCK_SIZE]; + char zero[BLOCK_SIZE]; + char block[BLOCK_SIZE]; + + build_ctr(this, 1, iv, ctr); + memset(zero, 0, BLOCK_SIZE); + + while (in.len > 0) + { + memcpy(block, ctr, BLOCK_SIZE); + this->crypter->encrypt(this->crypter, chunk_from_thing(block), + chunk_from_thing(zero), NULL); + chunk_increment(chunk_from_thing(ctr)); + + if (in.ptr != out.ptr) + { + memcpy(out.ptr, in.ptr, min(in.len, BLOCK_SIZE)); + } + memxor(out.ptr, block, min(in.len, BLOCK_SIZE)); + in = chunk_skip(in, BLOCK_SIZE); + out = chunk_skip(out, BLOCK_SIZE); + } +} + +/** + * En-/Decrypt the ICV + */ +static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv) +{ + char ctr[BLOCK_SIZE]; + char zero[BLOCK_SIZE]; + + build_ctr(this, 0, iv, ctr); + memset(zero, 0, BLOCK_SIZE); + + this->crypter->encrypt(this->crypter, chunk_from_thing(ctr), + chunk_from_thing(zero), NULL); + memxor(icv, ctr, this->icv_size); +} + +/** + * Create the ICV + */ +static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, + chunk_t iv, char *icv) +{ + char zero[BLOCK_SIZE]; + chunk_t chunk; + char *pos; + int r, len; + + memset(zero, 0, BLOCK_SIZE); + + /* calculate number of blocks, including b0 */ + r = 1; + if (assoc.len) + { /* assoc gets a 2 byte length header, gets padded to BLOCK_SIZE */ + r += (2 + assoc.len + BLOCK_SIZE - 1) / BLOCK_SIZE; + } + /* plain text gets padded to BLOCK_SIZE */ + r += (plain.len + BLOCK_SIZE - 1) / BLOCK_SIZE; + + /* concatenate data to a new chunk */ + chunk = chunk_alloc(r * BLOCK_SIZE); + /* write control block */ + build_b0(this, plain, assoc, iv, chunk.ptr); + pos = chunk.ptr + BLOCK_SIZE; + /* append associated data, with length header */ + if (assoc.len) + { + /* currently we support two byte headers only (up to 2^16-2^8 bytes) */ + htoun16(pos, assoc.len); + memcpy(pos + 2, assoc.ptr, assoc.len); + pos += 2 + assoc.len; + /* padding */ + len = (BLOCK_SIZE - ((2 + assoc.len) % BLOCK_SIZE)) % BLOCK_SIZE; + memset(pos, 0, len); + pos += len; + } + /* write plain data */ + memcpy(pos, plain.ptr, plain.len); + pos += plain.len; + /* padding */ + len = (BLOCK_SIZE - (plain.len % BLOCK_SIZE)) % BLOCK_SIZE; + + memset(pos, 0, len); + + /* encrypt inline with CBC, zero IV */ + this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL); + /* copy last icv_size bytes as ICV to output */ + memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size); + + /* encrypt the ICV value */ + crypt_icv(this, iv, icv); + + free(chunk.ptr); +} + +/** + * Verify the ICV + */ +static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, + chunk_t iv, char *icv) +{ + char buf[this->icv_size]; + + create_icv(this, plain, assoc, iv, buf); + + return memeq(buf, icv, this->icv_size); +} + +METHOD(aead_t, encrypt, void, + private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + if (encrypted) + { + *encrypted = chunk_alloc(plain.len + this->icv_size); + create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len); + crypt_data(this, iv, plain, *encrypted); + } + else + { + create_icv(this, plain, assoc, iv, plain.ptr + plain.len); + crypt_data(this, iv, plain, plain); + } +} + +METHOD(aead_t, decrypt, bool, + private_ccm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + if (encrypted.len < this->icv_size) + { + return FALSE; + } + encrypted.len -= this->icv_size; + if (plain) + { + *plain = chunk_alloc(encrypted.len); + crypt_data(this, iv, encrypted, *plain); + return verify_icv(this, *plain, assoc, iv, + encrypted.ptr + encrypted.len); + } + else + { + crypt_data(this, iv, encrypted, encrypted); + return verify_icv(this, encrypted, assoc, iv, + encrypted.ptr + encrypted.len); + } +} + +METHOD(aead_t, get_block_size, size_t, + private_ccm_aead_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_ccm_aead_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_ccm_aead_t *this) +{ + return IV_SIZE; +} + +METHOD(aead_t, get_key_size, size_t, + private_ccm_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter) + SALT_SIZE; +} + +METHOD(aead_t, set_key, void, + private_ccm_aead_t *this, chunk_t key) +{ + memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); + key.len -= SALT_SIZE; + this->crypter->set_key(this->crypter, key); +} + +METHOD(aead_t, destroy, void, + private_ccm_aead_t *this) +{ + this->crypter->destroy(this->crypter); + free(this); +} + +/** + * See header + */ +ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size) +{ + private_ccm_aead_t *this; + size_t icv_size; + + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + switch (algo) + { + case ENCR_AES_CCM_ICV8: + algo = ENCR_AES_CBC; + icv_size = 8; + break; + case ENCR_AES_CCM_ICV12: + algo = ENCR_AES_CBC; + icv_size = 12; + break; + case ENCR_AES_CCM_ICV16: + algo = ENCR_AES_CBC; + icv_size = 16; + break; + case ENCR_CAMELLIA_CCM_ICV8: + algo = ENCR_CAMELLIA_CBC; + icv_size = 8; + break; + case ENCR_CAMELLIA_CCM_ICV12: + algo = ENCR_CAMELLIA_CBC; + icv_size = 12; + break; + case ENCR_CAMELLIA_CCM_ICV16: + algo = ENCR_CAMELLIA_CBC; + icv_size = 16; + break; + default: + return NULL; + } + + INIT(this, + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size), + .icv_size = icv_size, + ); + + if (!this->crypter) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h new file mode 100644 index 000000000..d5e302f94 --- /dev/null +++ b/src/libstrongswan/plugins/ccm/ccm_aead.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ccm_aead ccm_aead + * @{ @ingroup ccm + */ + +#ifndef CCM_AEAD_H_ +#define CCM_AEAD_H_ + +#include <crypto/aead.h> + +typedef struct ccm_aead_t ccm_aead_t; + +/** + * Counter with Cipher Block Chaining-Message Authentication Code (CCM). + * + * Implements CCM as specified in NIST 800-38B, using AEAD semantics from + * RFC 5282, based on RFC4309. + */ +struct ccm_aead_t { + + /** + * Implements aead_t interface. + */ + aead_t aead; +}; + +/** + * Create a ccm_aead instance. + * + * @param key_size key size in bytes + * @param algo algorithm to implement, a CCM mode + * @return aead, NULL if not supported + */ +ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** CCM_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c new file mode 100644 index 000000000..5fc3b14d7 --- /dev/null +++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ccm_plugin.h" + +#include <library.h> + +#include "ccm_aead.h" + +typedef struct private_ccm_plugin_t private_ccm_plugin_t; + +/** + * private data of ccm_plugin + */ +struct private_ccm_plugin_t { + + /** + * public functions + */ + ccm_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_ccm_plugin_t *this) +{ + lib->crypto->remove_aead(lib->crypto, + (aead_constructor_t)ccm_aead_create); + + free(this); +} + +/* + * see header file + */ +plugin_t *ccm_plugin_create() +{ + private_ccm_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + ); + + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, + (aead_constructor_t)ccm_aead_create); + + return &this->public.plugin; +} diff --git a/src/pluto/kernel_netlink.h b/src/libstrongswan/plugins/ccm/ccm_plugin.h index 65163c966..9a3252012 100644 --- a/src/pluto/kernel_netlink.h +++ b/src/libstrongswan/plugins/ccm/ccm_plugin.h @@ -1,6 +1,6 @@ -/* declarations of routines that interface with the kernel's pfkey mechanism - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * Copyright (C) 2003 Herbert Xu +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -13,6 +13,30 @@ * for more details. */ -#if defined(KLIPS) && defined(linux) -extern const struct kernel_ops linux_kernel_ops; -#endif +/** + * @defgroup ccm ccm + * @ingroup plugins + * + * @defgroup ccm_plugin ccm_plugin + * @{ @ingroup ccm + */ + +#ifndef CCM_PLUGIN_H_ +#define CCM_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct ccm_plugin_t ccm_plugin_t; + +/** + * Plugin providing CCM mode operation. + */ +struct ccm_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** CCM_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am new file mode 100644 index 000000000..893171aab --- /dev/null +++ b/src/libstrongswan/plugins/ctr/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-ctr.la +else +plugin_LTLIBRARIES = libstrongswan-ctr.la +endif + +libstrongswan_ctr_la_SOURCES = \ + ctr_plugin.h ctr_plugin.c \ + ctr_ipsec_crypter.h ctr_ipsec_crypter.c + +libstrongswan_ctr_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in new file mode 100644 index 000000000..b51f57113 --- /dev/null +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -0,0 +1,600 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/ctr +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_ctr_la_LIBADD = +am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo +libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS) +libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_ctr_la_SOURCES) +DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la +libstrongswan_ctr_la_SOURCES = \ + ctr_plugin.h ctr_plugin.c \ + ctr_ipsec_crypter.h ctr_ipsec_crypter.c + +libstrongswan_ctr_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) + $(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_ipsec_crypter.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c new file mode 100644 index 000000000..ddcae423b --- /dev/null +++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c @@ -0,0 +1,173 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ctr_ipsec_crypter.h" + +typedef struct private_ctr_ipsec_crypter_t private_ctr_ipsec_crypter_t; + +/** + * Private data of an ctr_ipsec_crypter_t object. + */ +struct private_ctr_ipsec_crypter_t { + + /** + * Public ctr_ipsec_crypter_t interface. + */ + ctr_ipsec_crypter_t public; + + /** + * Underlying CBC crypter + */ + crypter_t *crypter; + + /** + * counter state + */ + struct { + char nonce[4]; + char iv[8]; + u_int32_t counter; + } __attribute__((packed)) state; +}; + +/** + * Do the CTR crypto operation + */ +static void crypt_ctr(private_ctr_ipsec_crypter_t *this, + chunk_t in, chunk_t out) +{ + size_t is, bs; + chunk_t state; + + is = this->crypter->get_iv_size(this->crypter); + bs = sizeof(this->state); + + this->state.counter = htonl(1); + state = chunk_create((char*)&this->state, bs); + + while (in.len > 0) + { + char iv[is], block[bs]; + + memset(iv, 0, is); + memcpy(block, state.ptr, bs); + this->crypter->encrypt(this->crypter, + chunk_create(block, bs), chunk_create(iv, is), NULL); + chunk_increment(state); + + if (in.ptr != out.ptr) + { + memcpy(out.ptr, in.ptr, min(in.len, bs)); + } + memxor(out.ptr, block, min(in.len, bs)); + in = chunk_skip(in, bs); + out = chunk_skip(out, bs); + } +} + +METHOD(crypter_t, crypt, void, + private_ctr_ipsec_crypter_t *this, chunk_t in, chunk_t iv, chunk_t *out) +{ + memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv)); + + if (out) + { + *out = chunk_alloc(in.len); + crypt_ctr(this, in, *out); + } + else + { + crypt_ctr(this, in, in); + } +} + +METHOD(crypter_t, get_block_size, size_t, + private_ctr_ipsec_crypter_t *this) +{ + return 1; +} + +METHOD(crypter_t, get_iv_size, size_t, + private_ctr_ipsec_crypter_t *this) +{ + return sizeof(this->state.iv); +} + +METHOD(crypter_t, get_key_size, size_t, + private_ctr_ipsec_crypter_t *this) +{ + return this->crypter->get_key_size(this->crypter) + + sizeof(this->state.nonce); +} + +METHOD(crypter_t, set_key, void, + private_ctr_ipsec_crypter_t *this, chunk_t key) +{ + memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce), + sizeof(this->state.nonce)); + key.len -= sizeof(this->state.nonce); + this->crypter->set_key(this->crypter, key); +} + +METHOD(crypter_t, destroy, void, + private_ctr_ipsec_crypter_t *this) +{ + this->crypter->destroy(this->crypter); + free(this); +} + +/** + * See header + */ +ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo, + size_t key_size) +{ + private_ctr_ipsec_crypter_t *this; + + switch (algo) + { + case ENCR_AES_CTR: + algo = ENCR_AES_CBC; + break; + case ENCR_CAMELLIA_CTR: + algo = ENCR_CAMELLIA_CBC; + break; + default: + return NULL; + } + + INIT(this, + .public = { + .crypter = { + .encrypt = _crypt, + .decrypt = _crypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size), + ); + + if (!this->crypter) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h new file mode 100644 index 000000000..db21aec3b --- /dev/null +++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ctr_ipsec_crypter ctr_ipsec_crypter + * @{ @ingroup ctr + */ + +#ifndef CTR_IPSEC_CRYPTER_H_ +#define CTR_IPSEC_CRYPTER_H_ + +#include <crypto/crypters/crypter.h> + +typedef struct ctr_ipsec_crypter_t ctr_ipsec_crypter_t; + +/** + * Counter Mode wrapper for encryption algorithms, IPsec variant (RFC3686). + */ +struct ctr_ipsec_crypter_t { + + /** + * Implements crypter_t interface. + */ + crypter_t crypter; +}; + +/** + * Create a ctr_ipsec_crypter instance. + */ +ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(); + +/** + * Create a ctr_ipsec_crypter instance. + * + * @param key_size key size in bytes + * @param algo algorithm to implement, a counter mode + * @return crypter, NULL if not supported + */ +ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo, + size_t key_size); + +#endif /** CTR_IPSEC_CRYPTER_H_ @}*/ diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c new file mode 100644 index 000000000..5e47f23ec --- /dev/null +++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ctr_plugin.h" + +#include <library.h> + +#include "ctr_ipsec_crypter.h" + +typedef struct private_ctr_plugin_t private_ctr_plugin_t; + +/** + * private data of ctr_plugin + */ +struct private_ctr_plugin_t { + + /** + * public functions + */ + ctr_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_ctr_plugin_t *this) +{ + lib->crypto->remove_crypter(lib->crypto, + (crypter_constructor_t)ctr_ipsec_crypter_create); + + free(this); +} + +/* + * see header file + */ +plugin_t *ctr_plugin_create() +{ + private_ctr_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); + + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + (crypter_constructor_t)ctr_ipsec_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + (crypter_constructor_t)ctr_ipsec_crypter_create); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.h b/src/libstrongswan/plugins/ctr/ctr_plugin.h new file mode 100644 index 000000000..7b2f901dc --- /dev/null +++ b/src/libstrongswan/plugins/ctr/ctr_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ctr ctr + * @ingroup plugins + * + * @defgroup ctr_plugin ctr_plugin + * @{ @ingroup ctr + */ + +#ifndef CTR_PLUGIN_H_ +#define CTR_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct ctr_plugin_t ctr_plugin_t; + +/** + * Plugin providing CTR mode operation of symmetric encryption algorithms. + */ +struct ctr_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** CTR_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index fc3b0ab1a..9cc99063c 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 2341c9052..4835f6461 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -166,10 +166,12 @@ curl_fetcher_t *curl_fetcher_create() private_curl_fetcher_t *this; INIT(this, - .public.interface = { - .fetch = _fetch, - .set_option = _set_option, - .destroy = _destroy, + .public = { + .interface = { + .fetch = _fetch, + .set_option = _set_option, + .destroy = _destroy, + }, }, .curl = curl_easy_init(), ); diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 319baa04c..0e8fa7315 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index 142e79613..7d9fbe852 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c @@ -1416,11 +1416,8 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len tin[0]=tin[1]=0; } -/** - * Implementation of crypter_t.decrypt for DES. - */ -static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *decrypted) +METHOD(crypter_t, decrypt, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { des_cblock ivb; u_int8_t *out; @@ -1437,11 +1434,8 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, } -/** - * Implementation of crypter_t.decrypt for DES. - */ -static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *encrypted) +METHOD(crypter_t, encrypt, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted) { des_cblock ivb; u_int8_t *out; @@ -1457,11 +1451,8 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, data.len, this->ks, &ivb, DES_ENCRYPT); } -/** - * Implementation of crypter_t.decrypt for DES (ECB). - */ -static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *decrypted) +METHOD(crypter_t, decrypt_ecb, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { u_int8_t *out; @@ -1475,11 +1466,8 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv, data.len, this->ks, DES_DECRYPT); } -/** - * Implementation of crypter_t.decrypt for DES (ECB). - */ -static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *encrypted) +METHOD(crypter_t, encrypt_ecb, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted) { u_int8_t *out; @@ -1493,11 +1481,8 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv, data.len, this->ks, DES_ENCRYPT); } -/** - * Implementation of crypter_t.decrypt for 3DES. - */ -static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *decrypted) +METHOD(crypter_t, decrypt3, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { des_cblock ivb; u_int8_t *out; @@ -1514,11 +1499,8 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, &ivb, DES_DECRYPT); } -/** - * Implementation of crypter_t.decrypt for 3DES. - */ -static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, - chunk_t *encrypted) +METHOD(crypter_t, encrypt3, void, + private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted) { des_cblock ivb; u_int8_t *out; @@ -1535,44 +1517,40 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, &ivb, DES_ENCRYPT); } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size (private_des_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_des_crypter_t *this) { return sizeof(des_cblock); } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size (private_des_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_des_crypter_t *this) +{ + return sizeof(des_cblock); +} + +METHOD(crypter_t, get_key_size, size_t, + private_des_crypter_t *this) { return this->key_size; } -/** - * Implementation of crypter_t.set_key for DES. - */ -static void set_key(private_des_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_des_crypter_t *this, chunk_t key) { des_set_key((des_cblock*)(key.ptr), &this->ks); } -/** - * Implementation of crypter_t.set_key for 3DES. - */ -static void set_key3(private_des_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key3, void, + private_des_crypter_t *this, chunk_t key) { des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]); des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]); des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]); } -/** - * Implementation of crypter_t.destroy and des_crypter_t.destroy. - */ -static void destroy(private_des_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_des_crypter_t *this) { free(this); } @@ -1582,33 +1560,39 @@ static void destroy(private_des_crypter_t *this) */ des_crypter_t *des_crypter_create(encryption_algorithm_t algo) { - private_des_crypter_t *this = malloc_thing(private_des_crypter_t); - - /* functions of crypter_t interface */ - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size; - this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy; + private_des_crypter_t *this; + + INIT(this, + .public = { + .crypter = { + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .destroy = _destroy, + }, + }, + ); /* use functions depending on algorithm */ switch (algo) { case ENCR_DES: this->key_size = sizeof(des_cblock); - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt; + this->public.crypter.set_key = _set_key; + this->public.crypter.encrypt = _encrypt; + this->public.crypter.decrypt = _decrypt; break; case ENCR_3DES: this->key_size = 3 * sizeof(des_cblock); - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key3; - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3; + this->public.crypter.set_key = _set_key3; + this->public.crypter.encrypt = _encrypt3; + this->public.crypter.decrypt = _decrypt3; break; case ENCR_DES_ECB: this->key_size = sizeof(des_cblock); - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt_ecb; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt_ecb; + this->public.crypter.set_key = _set_key; + this->public.crypter.encrypt = _encrypt_ecb; + this->public.crypter.decrypt = _decrypt_ecb; break; default: free(this); diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h index cffbd4ce3..07215d0c5 100644 --- a/src/libstrongswan/plugins/des/des_crypter.h +++ b/src/libstrongswan/plugins/des/des_crypter.h @@ -32,9 +32,9 @@ typedef struct des_crypter_t des_crypter_t; struct des_crypter_t { /** - * The crypter_t interface. + * Implements crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c index afc82e8d4..43b457ce2 100644 --- a/src/libstrongswan/plugins/des/des_plugin.c +++ b/src/libstrongswan/plugins/des/des_plugin.c @@ -31,10 +31,8 @@ struct private_des_plugin_t { des_plugin_t public; }; -/** - * Implementation of des_plugin_t.destroy - */ -static void destroy(private_des_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_des_plugin_t *this) { lib->crypto->remove_crypter(lib->crypto, (crypter_constructor_t)des_crypter_create); @@ -46,9 +44,15 @@ static void destroy(private_des_plugin_t *this) */ plugin_t *des_plugin_create() { - private_des_plugin_t *this = malloc_thing(private_des_plugin_t); + private_des_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_crypter(lib->crypto, ENCR_3DES, (crypter_constructor_t)des_crypter_create); diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 73f81f4db..7f4529211 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c index 125047b05..bc0ee30ae 100644 --- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c +++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c @@ -50,9 +50,9 @@ plugin_t *dnskey_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)dnskey_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, (builder_function_t)dnskey_public_key_load); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 4ed8276c4..7e2a1ccdf 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am new file mode 100644 index 000000000..ec733fbcc --- /dev/null +++ b/src/libstrongswan/plugins/gcm/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-gcm.la +else +plugin_LTLIBRARIES = libstrongswan-gcm.la +endif + +libstrongswan_gcm_la_SOURCES = \ + gcm_plugin.h gcm_plugin.c \ + gcm_aead.h gcm_aead.c + +libstrongswan_gcm_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in new file mode 100644 index 000000000..a4de9ea77 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -0,0 +1,600 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/gcm +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_gcm_la_LIBADD = +am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo +libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS) +libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_gcm_la_SOURCES) +DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la +libstrongswan_gcm_la_SOURCES = \ + gcm_plugin.h gcm_plugin.c \ + gcm_aead.h gcm_aead.c + +libstrongswan_gcm_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) + $(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_aead.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c new file mode 100644 index 000000000..0d7d91dbf --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -0,0 +1,425 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "gcm_aead.h" + +#include <limits.h> + +#define BLOCK_SIZE 16 +#define NONCE_SIZE 12 +#define IV_SIZE 8 +#define SALT_SIZE (NONCE_SIZE - IV_SIZE) + +typedef struct private_gcm_aead_t private_gcm_aead_t; + +/** + * Private data of an gcm_aead_t object. + */ +struct private_gcm_aead_t { + + /** + * Public gcm_aead_t interface. + */ + gcm_aead_t public; + + /** + * Underlying CBC crypter. + */ + crypter_t *crypter; + + /** + * Size of the integrity check value + */ + size_t icv_size; + + /** + * Salt value + */ + char salt[SALT_SIZE]; + + /** + * GHASH subkey H + */ + char h[BLOCK_SIZE]; +}; + +/** + * Find a suiteable word size and network order conversion functions + */ +#if ULONG_MAX == 18446744073709551615UL && defined(htobe64) +# define htobeword htobe64 +# define bewordtoh be64toh +# define SHIFT_WORD_TYPE u_int64_t +#else +# define htobeword htonl +# define bewordtoh ntohl +# define SHIFT_WORD_TYPE u_int32_t +#endif + +/** + * Bitshift a block right by one bit + */ +static void sr_block(char *block) +{ + int i; + SHIFT_WORD_TYPE *word = (SHIFT_WORD_TYPE*)block; + + for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++) + { + word[i] = bewordtoh(word[i]); + } + for (i = BLOCK_SIZE / sizeof(*word) - 1; i >= 0; i--) + { + word[i] >>= 1; + if (i != 0) + { + word[i] |= word[i - 1] << (sizeof(*word) * 8 - 1); + } + } + for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++) + { + word[i] = htobeword(word[i]); + } +} + +/** + * Naive implementation of block multiplication in GF128, no tables + */ +static void mult_block(char *x, char *y, char *res) +{ + char z[BLOCK_SIZE], v[BLOCK_SIZE], r; + int bit, byte; + + r = 0xE1; + memset(z, 0, BLOCK_SIZE); + memcpy(v, y, BLOCK_SIZE); + + for (byte = 0; byte < BLOCK_SIZE; byte++) + { + for (bit = 7; bit >= 0; bit--) + { + if (x[byte] & (1 << bit)) + { + memxor(z, v, BLOCK_SIZE); + } + if (v[BLOCK_SIZE - 1] & 0x01) + { + sr_block(v); + v[0] ^= r; + } + else + { + sr_block(v); + } + } + } + memcpy(res, z, BLOCK_SIZE); +} + +/** + * GHASH function + */ +static void ghash(private_gcm_aead_t *this, chunk_t x, char *res) +{ + char y[BLOCK_SIZE]; + + memset(y, 0, BLOCK_SIZE); + + while (x.len) + { + memxor(y, x.ptr, BLOCK_SIZE); + mult_block(y, this->h, y); + x = chunk_skip(x, BLOCK_SIZE); + } + memcpy(res, y, BLOCK_SIZE); +} + +/** + * GCTR function, en-/decrypts x inline + */ +static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x) +{ + char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE]; + + memset(iv, 0, BLOCK_SIZE); + memcpy(cb, icb, BLOCK_SIZE); + + while (x.len) + { + memcpy(tmp, cb, BLOCK_SIZE); + this->crypter->encrypt(this->crypter, chunk_from_thing(tmp), + chunk_from_thing(iv), NULL); + memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len)); + chunk_increment(chunk_from_thing(cb)); + x = chunk_skip(x, BLOCK_SIZE); + } +} + +/** + * Generate the block J0 + */ +static void create_j(private_gcm_aead_t *this, char *iv, char *j) +{ + memcpy(j, this->salt, SALT_SIZE); + memcpy(j + SALT_SIZE, iv, IV_SIZE); + htoun32(j + SALT_SIZE + IV_SIZE, 1); +} + +/** + * Create GHASH subkey H + */ +static void create_h(private_gcm_aead_t *this, char *h) +{ + char zero[BLOCK_SIZE]; + + memset(zero, 0, BLOCK_SIZE); + memset(h, 0, BLOCK_SIZE); + + this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE), + chunk_from_thing(zero), NULL); +} + +/** + * Encrypt/decrypt + */ +static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out) +{ + char icb[BLOCK_SIZE]; + + memcpy(icb, j, BLOCK_SIZE); + chunk_increment(chunk_from_thing(icb)); + + out.len = in.len; + if (in.ptr != out.ptr) + { + memcpy(out.ptr, in.ptr, in.len); + } + gctr(this, icb, out); +} + +/** + * Create ICV + */ +static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, + char *j, char *icv) +{ + size_t assoc_pad, crypt_pad; + chunk_t chunk; + char s[BLOCK_SIZE], *pos; + + assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE; + crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE; + + /* concatenate data to a new chunk */ + chunk = chunk_alloc(assoc.len + assoc_pad + + crypt.len + crypt_pad + BLOCK_SIZE); + pos = chunk.ptr; + /* add associated data */ + memcpy(pos, assoc.ptr, assoc.len); + pos += assoc.len; + memset(pos, 0, assoc_pad); + pos += assoc_pad; + /* add encrypted data */ + memcpy(pos, crypt.ptr, crypt.len); + pos += crypt.len; + memset(pos, 0, crypt_pad); + pos += crypt_pad; + /* write associated len */ + memset(pos, 0, 4); + pos += 4; + htoun32(pos, assoc.len * 8); + pos += 4; + /* write encrypted length */ + memset(pos, 0, 4); + pos += 4; + htoun32(pos, crypt.len * 8); + pos += 4; + + ghash(this, chunk, s); + free(chunk.ptr); + gctr(this, j, chunk_from_thing(s)); + + memcpy(icv, s, this->icv_size); +} + +/** + * Verify the ICV value + */ +static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, + char *j, char *icv) +{ + char tmp[this->icv_size]; + + create_icv(this, assoc, crypt, j, tmp); + + return memeq(tmp, icv, this->icv_size); +} + +METHOD(aead_t, encrypt, void, + private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + char j[BLOCK_SIZE]; + + create_j(this, iv.ptr, j); + + if (encrypted) + { + *encrypted = chunk_alloc(plain.len + this->icv_size); + crypt(this, j, plain, *encrypted); + create_icv(this, assoc, + chunk_create(encrypted->ptr, encrypted->len - this->icv_size), + j, encrypted->ptr + encrypted->len - this->icv_size); + } + else + { + crypt(this, j, plain, plain); + create_icv(this, assoc, plain, j, plain.ptr + plain.len); + } +} + +METHOD(aead_t, decrypt, bool, + private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + char j[BLOCK_SIZE]; + + if (encrypted.len < this->icv_size) + { + return FALSE; + } + + create_j(this, iv.ptr, j); + + encrypted.len -= this->icv_size; + if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len)) + { + return FALSE; + } + if (plain) + { + *plain = chunk_alloc(encrypted.len); + crypt(this, j, encrypted, *plain); + } + else + { + crypt(this, j, encrypted, encrypted); + } + return TRUE; +} + +METHOD(aead_t, get_block_size, size_t, + private_gcm_aead_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_gcm_aead_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_gcm_aead_t *this) +{ + return IV_SIZE; +} + +METHOD(aead_t, get_key_size, size_t, + private_gcm_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter) + SALT_SIZE; +} + +METHOD(aead_t, set_key, void, + private_gcm_aead_t *this, chunk_t key) +{ + memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); + key.len -= SALT_SIZE; + this->crypter->set_key(this->crypter, key); + create_h(this, this->h); +} + +METHOD(aead_t, destroy, void, + private_gcm_aead_t *this) +{ + this->crypter->destroy(this->crypter); + free(this); +} + +/** + * See header + */ +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size) +{ + private_gcm_aead_t *this; + size_t icv_size; + + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + switch (algo) + { + case ENCR_AES_GCM_ICV8: + algo = ENCR_AES_CBC; + icv_size = 8; + break; + case ENCR_AES_GCM_ICV12: + algo = ENCR_AES_CBC; + icv_size = 12; + break; + case ENCR_AES_GCM_ICV16: + algo = ENCR_AES_CBC; + icv_size = 16; + break; + default: + return NULL; + } + + INIT(this, + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size), + .icv_size = icv_size, + ); + + if (!this->crypter) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h new file mode 100644 index 000000000..db4be2442 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_aead.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup gcm_aead gcm_aead + * @{ @ingroup gcm + */ + +#ifndef GCM_AEAD_H_ +#define GCM_AEAD_H_ + +#include <crypto/aead.h> + +typedef struct gcm_aead_t gcm_aead_t; + +/** + * Galois/Counter Mode (GCM). + * + * Implements GCM as specified in NIST 800-38D, using AEAD semantics from + * RFC 5282, based on RFC4106. + */ +struct gcm_aead_t { + + /** + * Implements aead_t interface. + */ + aead_t aead; +}; + +/** + * Create a gcm_aead instance. + * + * @param key_size key size in bytes + * @param algo algorithm to implement, a gcm mode + * @return aead, NULL if not supported + */ +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** GCM_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c new file mode 100644 index 000000000..061001b30 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "gcm_plugin.h" + +#include <library.h> + +#include "gcm_aead.h" + +typedef struct private_gcm_plugin_t private_gcm_plugin_t; + +/** + * private data of gcm_plugin + */ +struct private_gcm_plugin_t { + + /** + * public functions + */ + gcm_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_gcm_plugin_t *this) +{ + lib->crypto->remove_aead(lib->crypto, + (aead_constructor_t)gcm_aead_create); + + free(this); +} + +/* + * see header file + */ +plugin_t *gcm_plugin_create() +{ + private_gcm_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + ); + + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, + (aead_constructor_t)gcm_aead_create); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h new file mode 100644 index 000000000..52676708e --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup gcm gcm + * @ingroup plugins + * + * @defgroup gcm_plugin gcm_plugin + * @{ @ingroup gcm + */ + +#ifndef GCM_PLUGIN_H_ +#define GCM_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct gcm_plugin_t gcm_plugin_t; + +/** + * Plugin providing GCM mode operation. + */ +struct gcm_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** GCM_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 09131c4be..00c49c487 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c index 5dbdde32c..599481911 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c @@ -40,15 +40,43 @@ struct private_gcrypt_crypter_t { * gcrypt algorithm identifier */ int alg; + + /** + * are we using counter mode? + */ + bool ctr_mode; + + /** + * counter state + */ + struct { + char nonce[4]; + char iv[8]; + u_int32_t counter; + } __attribute__((packed)) ctr; }; /** - * Implementation of crypter_t.decrypt. + * Set the IV for en/decryption */ -static void decrypt(private_gcrypt_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv) +{ + if (this->ctr_mode) + { + memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv)); + this->ctr.counter = htonl(1); + gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr)); + } + else + { + gcry_cipher_setiv(this->h, iv.ptr, iv.len); + } +} + +METHOD(crypter_t, decrypt, void, + private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { - gcry_cipher_setiv(this->h, iv.ptr, iv.len); + set_iv(this, iv); if (dst) { @@ -61,13 +89,10 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data, } } -/** - * Implementation of crypter_t.encrypt. - */ -static void encrypt(private_gcrypt_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +METHOD(crypter_t, encrypt, void, + private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { - gcry_cipher_setiv(this->h, iv.ptr, iv.len); + set_iv(this, iv); if (dst) { @@ -80,40 +105,60 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data, } } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size(private_gcrypt_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_gcrypt_crypter_t *this) { size_t len = 0; + if (this->ctr_mode) + { /* counter mode does not need any padding */ + return 1; + } gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len); return len; } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size(private_gcrypt_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_gcrypt_crypter_t *this) +{ + size_t len = 0; + + if (this->ctr_mode) + { + return sizeof(this->ctr.iv); + } + gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len); + return len; +} + +METHOD(crypter_t, get_key_size, size_t, + private_gcrypt_crypter_t *this) { size_t len = 0; gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len); + if (this->ctr_mode) + { + return len + sizeof(this->ctr.nonce); + } return len; } -/** - * Implementation of crypter_t.set_key. - */ -static void set_key(private_gcrypt_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_gcrypt_crypter_t *this, chunk_t key) { + if (this->ctr_mode) + { + /* last 4 bytes are the nonce */ + memcpy(this->ctr.nonce, key.ptr + key.len - sizeof(this->ctr.nonce), + sizeof(this->ctr.nonce)); + key.len -= sizeof(this->ctr.nonce); + } gcry_cipher_setkey(this->h, key.ptr, key.len); } -/** - * Implementation of crypter_t.destroy. - */ -static void destroy (private_gcrypt_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_gcrypt_crypter_t *this) { gcry_cipher_close(this->h); free(this); @@ -149,18 +194,19 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, gcrypt_alg = GCRY_CIPHER_CAST5; break; case ENCR_BLOWFISH: - if (key_size != 16) + if (key_size != 16 && key_size != 0) { /* gcrypt currently supports 128 bit blowfish only */ return NULL; } gcrypt_alg = GCRY_CIPHER_BLOWFISH; break; - /* case ENCR_AES_CTR: - mode = GCRY_CIPHER_MODE_CTR; */ + case ENCR_AES_CTR: + mode = GCRY_CIPHER_MODE_CTR; /* fall */ case ENCR_AES_CBC: switch (key_size) { + case 0: case 16: gcrypt_alg = GCRY_CIPHER_AES128; break; @@ -174,13 +220,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, return NULL; } break; - /* case ENCR_CAMELLIA_CTR: - mode = GCRY_CIPHER_MODE_CTR; */ + case ENCR_CAMELLIA_CTR: + mode = GCRY_CIPHER_MODE_CTR; /* fall */ case ENCR_CAMELLIA_CBC: switch (key_size) { #ifdef HAVE_GCRY_CIPHER_CAMELLIA + case 0: case 16: gcrypt_alg = GCRY_CIPHER_CAMELLIA128; break; @@ -198,6 +245,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, case ENCR_SERPENT_CBC: switch (key_size) { + case 0: case 16: gcrypt_alg = GCRY_CIPHER_SERPENT128; break; @@ -214,6 +262,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, case ENCR_TWOFISH_CBC: switch (key_size) { + case 0: case 16: gcrypt_alg = GCRY_CIPHER_TWOFISH128; break; @@ -228,9 +277,22 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, return NULL; } - this = malloc_thing(private_gcrypt_crypter_t); + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .alg = gcrypt_alg, + .ctr_mode = mode == GCRY_CIPHER_MODE_CTR, + ); - this->alg = gcrypt_alg; err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0); if (err) { @@ -239,14 +301,6 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo, free(this); return NULL; } - - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt; - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size; - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key; - this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy; - return &this->public; } diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h index ce0ead4a8..e565e28c7 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h @@ -33,7 +33,7 @@ struct gcrypt_crypter_t { /** * The crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index 08d6239ad..6c4665da2 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -73,10 +73,8 @@ struct private_gcrypt_dh_t { size_t p_len; }; -/** - * Implementation of gcrypt_dh_t.set_other_public_value. - */ -static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value) +METHOD(diffie_hellman_t, set_other_public_value, void, + private_gcrypt_dh_t *this, chunk_t value) { gcry_mpi_t p_min_1; gcry_error_t err; @@ -134,18 +132,14 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len) return chunk; } -/** - * Implementation of gcrypt_dh_t.get_my_public_value. - */ -static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value) +METHOD(diffie_hellman_t, get_my_public_value, void, + private_gcrypt_dh_t *this, chunk_t *value) { *value = export_mpi(this->ya, this->p_len); } -/** - * Implementation of gcrypt_dh_t.get_shared_secret. - */ -static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret) +METHOD(diffie_hellman_t, get_shared_secret, status_t, + private_gcrypt_dh_t *this, chunk_t *secret) { if (!this->zz) { @@ -155,18 +149,14 @@ static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret) return SUCCESS; } -/** - * Implementation of gcrypt_dh_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this) +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + private_gcrypt_dh_t *this) { return this->group; } -/** - * Implementation of gcrypt_dh_t.destroy. - */ -static void destroy(private_gcrypt_dh_t *this) +METHOD(diffie_hellman_t, destroy, void, + private_gcrypt_dh_t *this) { gcry_mpi_release(this->p); gcry_mpi_release(this->xa); @@ -178,42 +168,37 @@ static void destroy(private_gcrypt_dh_t *this) } /* - * Described in header. + * Generic internal constructor */ -gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) +gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len, + chunk_t g, chunk_t p) { private_gcrypt_dh_t *this; - diffie_hellman_params_t *params; gcry_error_t err; chunk_t random; rng_t *rng; - params = diffie_hellman_get_params(group); - if (!params) - { - return NULL; - } - - this = malloc_thing(private_gcrypt_dh_t); - - this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; - this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value; - this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value; - this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group; - this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy; - - this->group = group; - this->p_len = params->prime.len; - err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, - params->prime.ptr, params->prime.len, NULL); + INIT(this, + .public = { + .dh = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .get_dh_group = _get_dh_group, + .destroy = _destroy, + }, + }, + .group = group, + .p_len = p.len, + ); + err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL); if (err) { DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err)); free(this); return NULL; } - err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, - params->generator.ptr, params->generator.len, NULL); + err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, g.ptr, g.len, NULL); if (err) { DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err)); @@ -225,7 +210,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); if (rng) { /* prefer external randomizer */ - rng->allocate_bytes(rng, params->exp_len, &random); + rng->allocate_bytes(rng, exp_len, &random); rng->destroy(rng); err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG, random.ptr, random.len, NULL); @@ -241,21 +226,49 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) } else { /* fallback to gcrypt internal randomizer, shouldn't ever happen */ - this->xa = gcry_mpi_new(params->exp_len * 8); - gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM); + this->xa = gcry_mpi_new(exp_len * 8); + gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM); } - if (params->exp_len == this->p_len) + if (exp_len == this->p_len) { /* achieve bitsof(p)-1 by setting MSB to 0 */ - gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1); + gcry_mpi_clear_bit(this->xa, exp_len * 8 - 1); } this->ya = gcry_mpi_new(this->p_len * 8); - this->yb = NULL; - this->zz = NULL; gcry_mpi_powm(this->ya, this->g, this->xa, this->p); return &this->public; } + +/* + * Described in header. + */ +gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) +{ + + diffie_hellman_params_t *params; + + params = diffie_hellman_get_params(group); + if (!params) + { + return NULL; + } + return create_generic(group, params->exp_len, + params->generator, params->prime); +} + +/* + * Described in header. + */ +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, + chunk_t g, chunk_t p) +{ + if (group == MODP_CUSTOM) + { + return create_generic(group, p.len, g, p); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h index 95b68dcd0..a70958dc4 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h @@ -44,5 +44,16 @@ struct gcrypt_dh_t { */ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group); +/** + * Creates a new gcrypt_dh_t object for MODP_CUSTOM. + * + * @param group MODP_CUSTOM + * @param g generator + * @param p prime + * @return gcrypt_dh_t object, NULL if not supported + */ +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, + chunk_t g, chunk_t p); + #endif /** GCRYPT_DH_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c index 39609c16c..96c87614f 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c @@ -37,27 +37,20 @@ struct private_gcrypt_hasher_t { gcry_md_hd_t hd; }; -/** - * Implementation of hasher_t.get_hash_size. - */ -static size_t get_hash_size(private_gcrypt_hasher_t *this) +METHOD(hasher_t, get_hash_size, size_t, + private_gcrypt_hasher_t *this) { return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd)); } -/** - * Implementation of hasher_t.reset. - */ -static void reset(private_gcrypt_hasher_t *this) +METHOD(hasher_t, reset, void, + private_gcrypt_hasher_t *this) { gcry_md_reset(this->hd); } -/** - * Implementation of hasher_t.get_hash. - */ -static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk, - u_int8_t *hash) +METHOD(hasher_t, get_hash, void, + private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash) { gcry_md_write(this->hd, chunk.ptr, chunk.len); if (hash) @@ -67,11 +60,8 @@ static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.allocate_hash. - */ -static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk, - chunk_t *hash) +METHOD(hasher_t, allocate_hash, void, + private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash) { if (hash) { @@ -84,10 +74,8 @@ static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.destroy. - */ -static void destroy (private_gcrypt_hasher_t *this) +METHOD(hasher_t, destroy, void, + private_gcrypt_hasher_t *this) { gcry_md_close(this->hd); free(this); @@ -132,7 +120,17 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) return NULL; } - this = malloc_thing(private_gcrypt_hasher_t); + INIT(this, + .public = { + .hasher = { + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .get_hash_size = _get_hash_size, + .reset = _reset, + .destroy = _destroy, + }, + }, + ); err = gcry_md_open(&this->hd, gcrypt_alg, 0); if (err) @@ -143,12 +141,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) return NULL; } - this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash; - this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash; - this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size; - this->public.hasher_interface.reset = (void (*) (hasher_t*))reset; - this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy; - return &this->public; } diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h index 708ccaafb..a7542bcdd 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h @@ -33,7 +33,7 @@ struct gcrypt_hasher_t { /** * The hasher_t interface. */ - hasher_t hasher_interface; + hasher_t hasher; }; /** diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 039036b2c..590add5c8 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -93,10 +93,8 @@ static struct gcry_thread_cbs thread_functions = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; -/** - * Implementation of gcrypt_plugin_t.destroy - */ -static void destroy(private_gcrypt_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_gcrypt_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)gcrypt_hasher_create); @@ -106,6 +104,8 @@ static void destroy(private_gcrypt_plugin_t *this) (rng_constructor_t)gcrypt_rng_create); lib->crypto->remove_dh(lib->crypto, (dh_constructor_t)gcrypt_dh_create); + lib->crypto->remove_dh(lib->crypto, + (dh_constructor_t)gcrypt_dh_create_custom); lib->creds->remove_builder(lib->creds, (builder_function_t)gcrypt_rsa_private_key_gen); lib->creds->remove_builder(lib->creds, @@ -139,9 +139,13 @@ plugin_t *gcrypt_plugin_create() } gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); - this = malloc_thing(private_gcrypt_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); /* hashers */ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, @@ -172,8 +176,14 @@ plugin_t *gcrypt_plugin_create() (crypter_constructor_t)gcrypt_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + (crypter_constructor_t)gcrypt_crypter_create); +#ifdef HAVE_GCRY_CIPHER_CAMELLIA lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + (crypter_constructor_t)gcrypt_crypter_create); +#endif /* HAVE_GCRY_CIPHER_CAMELLIA */ lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, (crypter_constructor_t)gcrypt_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, @@ -210,13 +220,15 @@ plugin_t *gcrypt_plugin_create() (dh_constructor_t)gcrypt_dh_create); lib->crypto->add_dh(lib->crypto, MODP_768_BIT, (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + (dh_constructor_t)gcrypt_dh_create_custom); /* RSA */ - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)gcrypt_rsa_private_key_gen); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE, (builder_function_t)gcrypt_rsa_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE, (builder_function_t)gcrypt_rsa_public_key_load); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c index d0d252572..d29755de9 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c @@ -35,11 +35,8 @@ struct private_gcrypt_rng_t { rng_quality_t quality; }; -/** - * Implementation of gcrypt_rng_t.get_bytes. - */ -static void get_bytes(private_gcrypt_rng_t *this, size_t bytes, - u_int8_t *buffer) +METHOD(rng_t, get_bytes, void, + private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer) { switch (this->quality) { @@ -55,20 +52,15 @@ static void get_bytes(private_gcrypt_rng_t *this, size_t bytes, } } -/** - * Implementation of gcrypt_rng_t.allocate_bytes. - */ -static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes, - chunk_t *chunk) +METHOD(rng_t, allocate_bytes, void, + private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk) { *chunk = chunk_alloc(bytes); get_bytes(this, chunk->len, chunk->ptr); } -/** - * Implementation of gcrypt_rng_t.destroy. - */ -static void destroy(private_gcrypt_rng_t *this) +METHOD(rng_t, destroy, void, + private_gcrypt_rng_t *this) { free(this); } @@ -90,13 +82,16 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality) return NULL; } - this = malloc_thing(private_gcrypt_rng_t); - - this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes; - this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes; - this->public.rng.destroy = (void (*) (rng_t *))destroy; - - this->quality = quality; + INIT(this, + .public = { + .rng = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .destroy = _destroy, + }, + }, + .quality = quality, + ); return &this->public; } diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index b8e86aba0..38ce2cd6c 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -192,19 +192,15 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, return !!signature->len; } -/** - * Implementation of gcrypt_rsa_private_key.destroy. - */ -static key_type_t get_type(private_gcrypt_rsa_private_key_t *this) +METHOD(private_key_t, get_type, key_type_t, + private_gcrypt_rsa_private_key_t *this) { return KEY_RSA; } -/** - * Implementation of gcrypt_rsa_private_key.destroy. - */ -static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *sig) +METHOD(private_key_t, sign, bool, + private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *sig) { switch (scheme) { @@ -229,17 +225,21 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche } } -/** - * Implementation of gcrypt_rsa_private_key.destroy. - */ -static bool decrypt(private_gcrypt_rsa_private_key_t *this, - chunk_t encrypted, chunk_t *plain) +METHOD(private_key_t, decrypt, bool, + private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme, + chunk_t encrypted, chunk_t *plain) { gcry_error_t err; gcry_sexp_t in, out; chunk_t padded; u_char *pos = NULL;; + if (scheme != ENCRYPT_RSA_PKCS1) + { + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; + } err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))", encrypted.len, encrypted.ptr); if (err) @@ -277,18 +277,14 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this, return TRUE; } -/** - * Implementation of gcrypt_rsa_private_key.get_keysize. - */ -static size_t get_keysize(private_gcrypt_rsa_private_key_t *this) +METHOD(private_key_t, get_keysize, int, + private_gcrypt_rsa_private_key_t *this) { - return gcry_pk_get_nbits(this->key) / 8; + return gcry_pk_get_nbits(this->key); } -/** - * Implementation of gcrypt_rsa_private_key.get_public_key. - */ -static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this) +METHOD(private_key_t, get_public_key, public_key_t*, + private_gcrypt_rsa_private_key_t *this) { chunk_t n, e; public_key_t *public; @@ -304,11 +300,9 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this) return public; } -/** - * Implementation of private_key_t.get_encoding - */ -static bool get_encoding(private_gcrypt_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(private_key_t, get_encoding, bool, + private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty; gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2; @@ -385,11 +379,9 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, return success; } -/** - * Implementation of private_key_t.get_fingerprint - */ -static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *fp) +METHOD(private_key_t, get_fingerprint, bool, + private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type, + chunk_t *fp) { chunk_t n, e; bool success; @@ -409,19 +401,15 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, return success; } -/** - * Implementation of gcrypt_rsa_private_key.get_ref. - */ -static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this) +METHOD(private_key_t, get_ref, private_key_t*, + private_gcrypt_rsa_private_key_t *this) { ref_get(&this->ref); - return &this->public.interface; + return &this->public.key; } -/** - * Implementation of gcrypt_rsa_private_key.destroy. - */ -static void destroy(private_gcrypt_rsa_private_key_t *this) +METHOD(private_key_t, destroy, void, + private_gcrypt_rsa_private_key_t *this) { if (ref_put(&this->ref)) { @@ -434,25 +422,29 @@ static void destroy(private_gcrypt_rsa_private_key_t *this) /** * Internal generic constructor */ -static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty() +static private_gcrypt_rsa_private_key_t *create_empty() { - private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t); - - this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type; - this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign; - this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt; - this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize; - this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; - this->public.interface.equals = private_key_equals; - this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(private_key_t *this))destroy; - - this->key = NULL; - this->ref = 1; + private_gcrypt_rsa_private_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } @@ -493,7 +485,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type, DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err)); return NULL; } - this = gcrypt_rsa_private_key_create_empty(); + this = create_empty(); err = gcry_pk_genkey(&this->key, param); gcry_sexp_release(param); if (err) @@ -552,7 +544,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type, break; } - this = gcrypt_rsa_private_key_create_empty(); + this = create_empty(); err = gcry_sexp_build(&this->key, NULL, "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))", n.len, n.ptr, e.len, e.ptr, d.len, d.ptr, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h index 4c3605f4b..0f3d66b80 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h @@ -34,7 +34,7 @@ struct gcrypt_rsa_private_key_t { /** * Implements private_key_t interface */ - private_key_t interface; + private_key_t key; }; /** diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 80a91b976..f8645da97 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -159,19 +159,15 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, return TRUE; } -/** - * Implementation of public_key_t.get_type. - */ -static key_type_t get_type(private_gcrypt_rsa_public_key_t *this) +METHOD(public_key_t, get_type, key_type_t, + private_gcrypt_rsa_public_key_t *this) { return KEY_RSA; } -/** - * Implementation of public_key_t.verify. - */ -static bool verify(private_gcrypt_rsa_public_key_t *this, - signature_scheme_t scheme, chunk_t data, chunk_t signature) +METHOD(public_key_t, verify, bool, + private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature) { switch (scheme) { @@ -196,15 +192,19 @@ static bool verify(private_gcrypt_rsa_public_key_t *this, } } -/** - * Implementation of public_key_t.encrypt. - */ -static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, - chunk_t *encrypted) +METHOD(public_key_t, encrypt_, bool, + private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *encrypted) { gcry_sexp_t in, out; gcry_error_t err; + if (scheme != ENCRYPT_RSA_PKCS1) + { + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; + } /* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption: * 00 | 02 | RANDOM | 00 | DATA */ err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))", @@ -228,19 +228,15 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, return !!encrypted->len; } -/** - * Implementation of public_key_t.get_keysize. - */ -static size_t get_keysize(private_gcrypt_rsa_public_key_t *this) +METHOD(public_key_t, get_keysize, int, + private_gcrypt_rsa_public_key_t *this) { - return gcry_pk_get_nbits(this->key) / 8; + return gcry_pk_get_nbits(this->key); } -/** - * Implementation of private_key_t.get_encoding - */ -static bool get_encoding(private_gcrypt_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(public_key_t, get_encoding, bool, + private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { chunk_t n, e; bool success; @@ -256,11 +252,9 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, return success; } -/** - * Implementation of private_key_t.get_fingerprint - */ -static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *fp) +METHOD(public_key_t, get_fingerprint, bool, + private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type, + chunk_t *fp) { chunk_t n, e; bool success; @@ -280,19 +274,15 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, return success; } -/** - * Implementation of public_key_t.get_ref. - */ -static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this) +METHOD(public_key_t, get_ref, public_key_t*, + private_gcrypt_rsa_public_key_t *this) { ref_get(&this->ref); - return &this->public.interface; + return &this->public.key; } -/** - * Implementation of gcrypt_rsa_public_key.destroy. - */ -static void destroy(private_gcrypt_rsa_public_key_t *this) +METHOD(public_key_t, destroy, void, + private_gcrypt_rsa_public_key_t *this) { if (ref_put(&this->ref)) { @@ -331,21 +321,23 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type, break; } - this = malloc_thing(private_gcrypt_rsa_public_key_t); - - this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; - this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; - this->public.interface.equals = public_key_equals; - this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(public_key_t *this))destroy; - - this->key = NULL; - this->ref = 1; + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt_, + .equals = public_key_equals, + .get_keysize = _get_keysize, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))", n.len, n.ptr, e.len, e.ptr); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h index fa18c357b..ca0a284a2 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h @@ -34,7 +34,7 @@ struct gcrypt_rsa_public_key_t { /** * Implements the public_key_t interface */ - public_key_t interface; + public_key_t key; }; /** diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index bd7100b27..b4ec1ed8d 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index 4ee449890..e99502b27 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -85,10 +85,8 @@ struct private_gmp_diffie_hellman_t { bool computed; }; -/** - * Implementation of gmp_diffie_hellman_t.set_other_public_value. - */ -static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value) +METHOD(diffie_hellman_t, set_other_public_value, void, + private_gmp_diffie_hellman_t *this, chunk_t value) { mpz_t p_min_1; @@ -146,10 +144,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v mpz_clear(p_min_1); } -/** - * Implementation of gmp_diffie_hellman_t.get_my_public_value. - */ -static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value) +METHOD(diffie_hellman_t, get_my_public_value, void, + private_gmp_diffie_hellman_t *this,chunk_t *value) { value->len = this->p_len; value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya); @@ -159,10 +155,8 @@ static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *valu } } -/** - * Implementation of gmp_diffie_hellman_t.get_shared_secret. - */ -static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret) +METHOD(diffie_hellman_t, get_shared_secret, status_t, + private_gmp_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { @@ -177,18 +171,14 @@ static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *s return SUCCESS; } -/** - * Implementation of gmp_diffie_hellman_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this) +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + private_gmp_diffie_hellman_t *this) { return this->group; } -/** - * Implementation of gmp_diffie_hellman_t.destroy. - */ -static void destroy(private_gmp_diffie_hellman_t *this) +METHOD(diffie_hellman_t, destroy, void, + private_gmp_diffie_hellman_t *this) { mpz_clear(this->p); mpz_clear(this->xa); @@ -199,44 +189,38 @@ static void destroy(private_gmp_diffie_hellman_t *this) free(this); } -/* - * Described in header. +/** + * Generic internal constructor */ -gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) +static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group, + size_t exp_len, chunk_t g, chunk_t p) { private_gmp_diffie_hellman_t *this; - diffie_hellman_params_t *params; - rng_t *rng; chunk_t random; + rng_t *rng; - params = diffie_hellman_get_params(group); - if (!params) - { - return NULL; - } - - this = malloc_thing(private_gmp_diffie_hellman_t); - - /* public functions */ - this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; - this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value; - this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value; - this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group; - this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy; + INIT(this, + .public = { + .dh = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .get_dh_group = _get_dh_group, + .destroy = _destroy, + }, + }, + .group = group, + .p_len = p.len, + ); - /* private variables */ - this->group = group; mpz_init(this->p); mpz_init(this->yb); mpz_init(this->ya); mpz_init(this->xa); mpz_init(this->zz); mpz_init(this->g); - - this->computed = FALSE; - this->p_len = params->prime.len; - mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr); - mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr); + mpz_import(this->g, g.len, 1, 1, 1, 0, g.ptr); + mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr); rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); if (!rng) @@ -247,10 +231,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) return NULL; } - rng->allocate_bytes(rng, params->exp_len, &random); + rng->allocate_bytes(rng, exp_len, &random); rng->destroy(rng); - if (params->exp_len == this->p_len) + if (exp_len == this->p_len) { /* achieve bitsof(p)-1 by setting MSB to 0 */ *random.ptr &= 0x7F; @@ -265,3 +249,29 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) return &this->public; } +/* + * Described in header. + */ +gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) +{ + diffie_hellman_params_t *params; + + params = diffie_hellman_get_params(group); + if (!params) + { + return NULL; + } + return create_generic(group, params->exp_len, + params->generator, params->prime); +} + + +gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( + diffie_hellman_group_t group, chunk_t g, chunk_t p) +{ + if (group == MODP_CUSTOM) + { + return create_generic(MODP_CUSTOM, p.len, g, p); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h index 2a54eebb1..6d73c0863 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h @@ -45,5 +45,16 @@ struct gmp_diffie_hellman_t { */ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group); +/** + * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM. + * + * @param group MODP_CUSTOM + * @param g generator + * @param p prime + * @return gmp_diffie_hellman_t object, NULL if not supported + */ +gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( + diffie_hellman_group_t group, chunk_t g, chunk_t p); + #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index fbce9732f..9b4fad3da 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -33,13 +33,13 @@ struct private_gmp_plugin_t { gmp_plugin_t public; }; -/** - * Implementation of gmp_plugin_t.gmptroy - */ -static void destroy(private_gmp_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_gmp_plugin_t *this) { lib->crypto->remove_dh(lib->crypto, (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->remove_dh(lib->crypto, + (dh_constructor_t)gmp_diffie_hellman_create_custom); lib->creds->remove_builder(lib->creds, (builder_function_t)gmp_rsa_private_key_gen); lib->creds->remove_builder(lib->creds, @@ -54,9 +54,15 @@ static void destroy(private_gmp_plugin_t *this) */ plugin_t *gmp_plugin_create() { - private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t); + private_gmp_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, (dh_constructor_t)gmp_diffie_hellman_create); @@ -81,11 +87,14 @@ plugin_t *gmp_plugin_create() lib->crypto->add_dh(lib->crypto, MODP_768_BIT, (dh_constructor_t)gmp_diffie_hellman_create); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + (dh_constructor_t)gmp_diffie_hellman_create_custom); + + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)gmp_rsa_private_key_gen); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE, (builder_function_t)gmp_rsa_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE, (builder_function_t)gmp_rsa_public_key_load); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index cc9985320..1b6c20817 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -209,7 +209,7 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data) } /** - * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature. + * Build a signature using the PKCS#1 EMSA scheme */ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, hash_algorithm_t hash_algorithm, @@ -250,7 +250,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, { free(digestInfo.ptr); DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len, - this->k * 8); + mpz_sizeinbase(this->n, 2)); return FALSE; } @@ -280,19 +280,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, return TRUE; } -/** - * Implementation of gmp_rsa_private_key.get_type. - */ -static key_type_t get_type(private_gmp_rsa_private_key_t *this) +METHOD(private_key_t, get_type, key_type_t, + private_gmp_rsa_private_key_t *this) { return KEY_RSA; } -/** - * Implementation of gmp_rsa_private_key.sign. - */ -static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign, bool, + private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) { switch (scheme) { @@ -317,15 +313,19 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, } } -/** - * Implementation of gmp_rsa_private_key.decrypt. - */ -static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto, - chunk_t *plain) +METHOD(private_key_t, decrypt, bool, + private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { chunk_t em, stripped; bool success = FALSE; + if (scheme != ENCRYPT_RSA_PKCS1) + { + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; + } /* rsa decryption using PKCS#1 RSADP */ stripped = em = rsadp(this, crypto); @@ -356,18 +356,14 @@ end: return success; } -/** - * Implementation of gmp_rsa_private_key.get_keysize. - */ -static size_t get_keysize(private_gmp_rsa_private_key_t *this) +METHOD(private_key_t, get_keysize, int, + private_gmp_rsa_private_key_t *this) { - return this->k; + return mpz_sizeinbase(this->n, 2); } -/** - * Implementation of gmp_rsa_private_key.get_public_key. - */ -static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this) +METHOD(private_key_t, get_public_key, public_key_t*, + private_gmp_rsa_private_key_t *this) { chunk_t n, e; public_key_t *public; @@ -383,27 +379,9 @@ static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this) return public; } -/** - * Implementation of gmp_rsa_private_key.equals. - */ -static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other) -{ - return private_key_equals(&this->public.interface, other); -} - -/** - * Implementation of gmp_rsa_private_key.belongs_to. - */ -static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public) -{ - return private_key_belongs_to(&this->public.interface, public); -} - -/** - * Implementation of private_key_t.get_encoding - */ -static bool get_encoding(private_gmp_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(private_key_t, get_encoding, bool, + private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { chunk_t n, e, d, p, q, exp1, exp2, coeff; bool success; @@ -435,11 +413,8 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this, return success; } -/** - * Implementation of private_key_t.get_fingerprint - */ -static bool get_fingerprint(private_gmp_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *fp) +METHOD(private_key_t, get_fingerprint, bool, + private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -459,19 +434,15 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this, return success; } -/** - * Implementation of gmp_rsa_private_key.get_ref. - */ -static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this) +METHOD(private_key_t, get_ref, private_key_t*, + private_gmp_rsa_private_key_t *this) { ref_get(&this->ref); - return this; + return &this->public.key; } -/** - * Implementation of gmp_rsa_private_key.destroy. - */ -static void destroy(private_gmp_rsa_private_key_t *this) +METHOD(private_key_t, destroy, void, + private_gmp_rsa_private_key_t *this) { if (ref_put(&this->ref)) { @@ -592,23 +563,27 @@ static status_t check(private_gmp_rsa_private_key_t *this) */ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void) { - private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t); - - this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type; - this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign; - this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt; - this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize; - this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; - this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals; - this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; - this->public.interface.destroy = (void (*) (private_key_t*))destroy; - - this->ref = 1; + private_gmp_rsa_private_key_t *this; + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h index db1fcf535..32e1f292c 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h @@ -34,7 +34,7 @@ struct gmp_rsa_private_key_t { /** * Implements private_key_t interface */ - private_key_t interface; + private_key_t key; }; /** diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index c114ae80d..a7ba80138 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -273,19 +273,15 @@ end: return success; } -/** - * Implementation of public_key_t.get_type. - */ -static key_type_t get_type(private_gmp_rsa_public_key_t *this) +METHOD(public_key_t, get_type, key_type_t, + private_gmp_rsa_public_key_t *this) { return KEY_RSA; } -/** - * Implementation of public_key_t.verify. - */ -static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) +METHOD(public_key_t, verify, bool, + private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature) { switch (scheme) { @@ -312,24 +308,21 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme #define MIN_PS_PADDING 8 -/** - * Implementation of public_key_t.encrypt. - */ -static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain, - chunk_t *crypto) +METHOD(public_key_t, encrypt_, bool, + private_gmp_rsa_public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *crypto) { chunk_t em; u_char *pos; int padding, i; rng_t *rng; - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (rng == NULL) + if (scheme != ENCRYPT_RSA_PKCS1) { - DBG1(DBG_LIB, "no random generator available"); + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); return FALSE; } - /* number of pseudo-random padding octets */ padding = this->k - plain.len - 3; if (padding < MIN_PS_PADDING) @@ -338,6 +331,12 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain, MIN_PS_PADDING); return FALSE; } + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (rng == NULL) + { + DBG1(DBG_LIB, "no random generator available"); + return FALSE; + } /* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */ DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of" @@ -376,27 +375,15 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain, return TRUE; } -/** - * Implementation of gmp_rsa_public_key.equals. - */ -static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other) -{ - return public_key_equals(&this->public.interface, other); -} - -/** - * Implementation of public_key_t.get_keysize. - */ -static size_t get_keysize(private_gmp_rsa_public_key_t *this) +METHOD(public_key_t, get_keysize, int, + private_gmp_rsa_public_key_t *this) { - return this->k; + return mpz_sizeinbase(this->n, 2); } -/** - * Implementation of public_key_t.get_encoding - */ -static bool get_encoding(private_gmp_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(public_key_t, get_encoding, bool, + private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { chunk_t n, e; bool success; @@ -412,11 +399,8 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this, return success; } -/** - * Implementation of public_key_t.get_fingerprint - */ -static bool get_fingerprint(private_gmp_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *fp) +METHOD(public_key_t, get_fingerprint, bool, + private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -436,19 +420,15 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this, return success; } -/** - * Implementation of public_key_t.get_ref. - */ -static private_gmp_rsa_public_key_t* get_ref(private_gmp_rsa_public_key_t *this) +METHOD(public_key_t, get_ref, public_key_t*, + private_gmp_rsa_public_key_t *this) { ref_get(&this->ref); - return this; + return &this->public.key; } -/** - * Implementation of gmp_rsa_public_key.destroy. - */ -static void destroy(private_gmp_rsa_public_key_t *this) +METHOD(public_key_t, destroy, void, + private_gmp_rsa_public_key_t *this) { if (ref_put(&this->ref)) { @@ -490,20 +470,23 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) return NULL; } - this = malloc_thing(private_gmp_rsa_public_key_t); - - this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type; - this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify; - this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_; - this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals; - this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref; - this->public.interface.destroy = (void (*) (public_key_t *this))destroy; - - this->ref = 1; + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt_, + .equals = public_key_equals, + .get_keysize = _get_keysize, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); mpz_init(this->n); mpz_init(this->e); diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h index 807f0bb7c..14dd71e0b 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h @@ -35,7 +35,7 @@ struct gmp_rsa_public_key_t { /** * Implements the public_key_t interface */ - public_key_t interface; + public_key_t key; }; /** diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index b03ff44a6..42a7d3747 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c index c1ab48899..c7b2739df 100644 --- a/src/libstrongswan/plugins/hmac/hmac.c +++ b/src/libstrongswan/plugins/hmac/hmac.c @@ -30,7 +30,7 @@ struct private_hmac_t { /** * Public hmac_t interface. */ - hmac_t hmac; + hmac_t public; /** * Block size, as in RFC. @@ -53,10 +53,8 @@ struct private_hmac_t { chunk_t ipaded_key; }; -/** - * Implementation of hmac_t.get_mac. - */ -static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out) +METHOD(hmac_t, get_mac, void, + private_hmac_t *this, chunk_t data, u_int8_t *out) { /* H(K XOR opad, H(K XOR ipad, text)) * @@ -91,37 +89,31 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out) } } -/** - * Implementation of hmac_t.allocate_mac. - */ -static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out) +METHOD(hmac_t, allocate_mac, void, + private_hmac_t *this, chunk_t data, chunk_t *out) { /* allocate space and use get_mac */ if (out == NULL) { /* append mode */ - this->hmac.get_mac(&(this->hmac), data, NULL); + get_mac(this, data, NULL); } else { out->len = this->h->get_hash_size(this->h); out->ptr = malloc(out->len); - this->hmac.get_mac(&(this->hmac), data, out->ptr); + get_mac(this, data, out->ptr); } } -/** - * Implementation of hmac_t.get_block_size. - */ -static size_t get_block_size(private_hmac_t *this) +METHOD(hmac_t, get_block_size, size_t, + private_hmac_t *this) { return this->h->get_hash_size(this->h); } -/** - * Implementation of hmac_t.set_key. - */ -static void set_key(private_hmac_t *this, chunk_t key) +METHOD(hmac_t, set_key, void, + private_hmac_t *this, chunk_t key) { int i; u_int8_t buffer[this->b]; @@ -151,10 +143,8 @@ static void set_key(private_hmac_t *this, chunk_t key) this->h->get_hash(this->h, this->ipaded_key, NULL); } -/** - * Implementation of hmac_t.destroy. - */ -static void destroy(private_hmac_t *this) +METHOD(hmac_t, destroy, void, + private_hmac_t *this) { this->h->destroy(this->h); free(this->opaded_key.ptr); @@ -167,14 +157,17 @@ static void destroy(private_hmac_t *this) */ hmac_t *hmac_create(hash_algorithm_t hash_algorithm) { - private_hmac_t *this = malloc_thing(private_hmac_t); - - /* set hmac_t methods */ - this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac; - this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac; - this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size; - this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key; - this->hmac.destroy = (void (*)(hmac_t *))destroy; + private_hmac_t *this; + + INIT(this, + .public = { + .get_mac = _get_mac, + .allocate_mac = _allocate_mac, + .get_block_size = _get_block_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); /* set b, according to hasher */ switch (hash_algorithm) @@ -193,7 +186,6 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm) return NULL; } - /* build the hasher */ this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm); if (this->h == NULL) { @@ -208,5 +200,5 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm) this->ipaded_key.ptr = malloc(this->b); this->ipaded_key.len = this->b; - return &(this->hmac); + return &this->public; } diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c index e6b9f7a74..73df4dc6c 100644 --- a/src/libstrongswan/plugins/hmac/hmac_plugin.c +++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c @@ -32,10 +32,8 @@ struct private_hmac_plugin_t { hmac_plugin_t public; }; -/** - * Implementation of hmac_plugin_t.hmactroy - */ -static void destroy(private_hmac_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_hmac_plugin_t *this) { lib->crypto->remove_prf(lib->crypto, (prf_constructor_t)hmac_prf_create); @@ -49,9 +47,15 @@ static void destroy(private_hmac_plugin_t *this) */ plugin_t *hmac_plugin_create() { - private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t); + private_hmac_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, (prf_constructor_t)hmac_prf_create); @@ -72,12 +76,16 @@ plugin_t *hmac_plugin_create() (signer_constructor_t)hmac_signer_create); lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, + (signer_constructor_t)hmac_signer_create); lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, (signer_constructor_t)hmac_signer_create); lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, (signer_constructor_t)hmac_signer_create); lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, + (signer_constructor_t)hmac_signer_create); lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, (signer_constructor_t)hmac_signer_create); diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c index cca6e9570..ca10612f9 100644 --- a/src/libstrongswan/plugins/hmac/hmac_prf.c +++ b/src/libstrongswan/plugins/hmac/hmac_prf.c @@ -36,51 +36,39 @@ struct private_hmac_prf_t { hmac_t *hmac; }; -/** - * Implementation of prf_t.get_bytes. - */ -static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer) +METHOD(prf_t, get_bytes, void, + private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer) { this->hmac->get_mac(this->hmac, seed, buffer); } -/** - * Implementation of prf_t.allocate_bytes. - */ -static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk) +METHOD(prf_t, allocate_bytes, void, + private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk) { this->hmac->allocate_mac(this->hmac, seed, chunk); } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_block_size(private_hmac_prf_t *this) +METHOD(prf_t, get_block_size, size_t, + private_hmac_prf_t *this) { return this->hmac->get_block_size(this->hmac); } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_key_size(private_hmac_prf_t *this) +METHOD(prf_t, get_key_size, size_t, + private_hmac_prf_t *this) { /* for HMAC prfs, IKEv2 uses block size as key size */ return this->hmac->get_block_size(this->hmac); } -/** - * Implementation of prf_t.set_key. - */ -static void set_key(private_hmac_prf_t *this, chunk_t key) +METHOD(prf_t, set_key, void, + private_hmac_prf_t *this, chunk_t key) { this->hmac->set_key(this->hmac, key); } -/** - * Implementation of prf_t.destroy. - */ -static void destroy(private_hmac_prf_t *this) +METHOD(prf_t, destroy, void, + private_hmac_prf_t *this) { this->hmac->destroy(this->hmac); free(this); @@ -92,44 +80,47 @@ static void destroy(private_hmac_prf_t *this) hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo) { private_hmac_prf_t *this; - hash_algorithm_t hash; + hmac_t *hmac; switch (algo) { case PRF_HMAC_SHA1: - hash = HASH_SHA1; + hmac = hmac_create(HASH_SHA1); break; case PRF_HMAC_MD5: - hash = HASH_MD5; + hmac = hmac_create(HASH_MD5); break; case PRF_HMAC_SHA2_256: - hash = HASH_SHA256; + hmac = hmac_create(HASH_SHA256); break; case PRF_HMAC_SHA2_384: - hash = HASH_SHA384; + hmac = hmac_create(HASH_SHA384); break; case PRF_HMAC_SHA2_512: - hash = HASH_SHA512; + hmac = hmac_create(HASH_SHA512); break; default: return NULL; } - - this = malloc_thing(private_hmac_prf_t); - this->hmac = hmac_create(hash); - if (this->hmac == NULL) + if (hmac == NULL) { - free(this); return NULL; } - this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes; - this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes; - this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size; - this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size; - this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key; - this->public.prf_interface.destroy = (void (*) (prf_t *))destroy; - - return &(this->public); + INIT(this, + .public = { + .prf = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_block_size = _get_block_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .hmac = hmac, + ); + + return &this->public; } diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h index 975b456f5..29d7269ae 100644 --- a/src/libstrongswan/plugins/hmac/hmac_prf.h +++ b/src/libstrongswan/plugins/hmac/hmac_prf.h @@ -35,9 +35,9 @@ typedef struct hmac_prf_t hmac_prf_t; struct hmac_prf_t { /** - * Generic prf_t interface for this hmac_prf_t class. + * Implements prf_t interface. */ - prf_t prf_interface; + prf_t prf; }; /** diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c index f82a8f3a1..511a3e3a5 100644 --- a/src/libstrongswan/plugins/hmac/hmac_signer.c +++ b/src/libstrongswan/plugins/hmac/hmac_signer.c @@ -41,11 +41,8 @@ struct private_hmac_signer_t { size_t block_size; }; -/** - * Implementation of signer_t.get_signature. - */ -static void get_signature(private_hmac_signer_t *this, - chunk_t data, u_int8_t *buffer) +METHOD(signer_t, get_signature, void, + private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer) { if (buffer == NULL) { /* append mode */ @@ -60,11 +57,8 @@ static void get_signature(private_hmac_signer_t *this, } } -/** - * Implementation of signer_t.allocate_signature. - */ -static void allocate_signature (private_hmac_signer_t *this, - chunk_t data, chunk_t *chunk) +METHOD(signer_t, allocate_signature, void, + private_hmac_signer_t *this, chunk_t data, chunk_t *chunk) { if (chunk == NULL) { /* append mode */ @@ -83,11 +77,8 @@ static void allocate_signature (private_hmac_signer_t *this, } } -/** - * Implementation of signer_t.verify_signature. - */ -static bool verify_signature(private_hmac_signer_t *this, - chunk_t data, chunk_t signature) +METHOD(signer_t, verify_signature, bool, + private_hmac_signer_t *this, chunk_t data, chunk_t signature) { u_int8_t mac[this->hmac->get_block_size(this->hmac)]; @@ -100,38 +91,29 @@ static bool verify_signature(private_hmac_signer_t *this, return memeq(signature.ptr, mac, this->block_size); } -/** - * Implementation of signer_t.get_key_size. - */ -static size_t get_key_size(private_hmac_signer_t *this) +METHOD(signer_t, get_key_size, size_t, + private_hmac_signer_t *this) { return this->hmac->get_block_size(this->hmac); } -/** - * Implementation of signer_t.get_block_size. - */ -static size_t get_block_size(private_hmac_signer_t *this) +METHOD(signer_t, get_block_size, size_t, + private_hmac_signer_t *this) { return this->block_size; } -/** - * Implementation of signer_t.set_key. - */ -static void set_key(private_hmac_signer_t *this, chunk_t key) +METHOD(signer_t, set_key, void, + private_hmac_signer_t *this, chunk_t key) { this->hmac->set_key(this->hmac, key); } -/** - * Implementation of signer_t.destroy. - */ -static status_t destroy(private_hmac_signer_t *this) +METHOD(signer_t, destroy, void, + private_hmac_signer_t *this) { this->hmac->destroy(this->hmac); free(this); - return SUCCESS; } /* @@ -140,66 +122,76 @@ static status_t destroy(private_hmac_signer_t *this) hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo) { private_hmac_signer_t *this; + hmac_t *hmac; size_t trunc; - hash_algorithm_t hash; switch (algo) { case AUTH_HMAC_SHA1_96: - hash = HASH_SHA1; + hmac = hmac_create(HASH_SHA1); trunc = 12; break; case AUTH_HMAC_SHA1_128: - hash = HASH_SHA1; + hmac = hmac_create(HASH_SHA1); trunc = 16; break; case AUTH_HMAC_SHA1_160: - hash = HASH_SHA1; + hmac = hmac_create(HASH_SHA1); trunc = 20; break; case AUTH_HMAC_MD5_96: - hash = HASH_MD5; + hmac = hmac_create(HASH_MD5); trunc = 12; break; case AUTH_HMAC_MD5_128: - hash = HASH_MD5; + hmac = hmac_create(HASH_MD5); trunc = 16; break; case AUTH_HMAC_SHA2_256_128: - hash = HASH_SHA256; + hmac = hmac_create(HASH_SHA256); trunc = 16; break; case AUTH_HMAC_SHA2_384_192: - hash = HASH_SHA384; + hmac = hmac_create(HASH_SHA384); trunc = 24; break; case AUTH_HMAC_SHA2_512_256: - hash = HASH_SHA512; + hmac = hmac_create(HASH_SHA512); trunc = 32; break; + case AUTH_HMAC_SHA2_256_256: + hmac = hmac_create(HASH_SHA256); + trunc = 32; + break; + case AUTH_HMAC_SHA2_384_384: + hmac = hmac_create(HASH_SHA384); + trunc = 48; + break; default: return NULL; } - this = malloc_thing(private_hmac_signer_t); - this->hmac = hmac_create(hash); - if (this->hmac == NULL) + if (hmac == NULL) { - free(this); return NULL; } - /* prevent invalid truncation */ - this->block_size = min(trunc, this->hmac->get_block_size(this->hmac)); - - /* interface functions */ - this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature; - this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature; - this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature; - this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size; - this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size; - this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key; - this->public.signer_interface.destroy = (void (*) (signer_t*))destroy; - - return &(this->public); + + INIT(this, + .public = { + .signer = { + .get_signature = _get_signature, + .allocate_signature = _allocate_signature, + .verify_signature = _verify_signature, + .get_key_size = _get_key_size, + .get_block_size = _get_block_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .block_size = min(trunc, hmac->get_block_size(hmac)), + .hmac = hmac, + ); + + return &this->public; } diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h index 0de93440c..5e798683b 100644 --- a/src/libstrongswan/plugins/hmac/hmac_signer.h +++ b/src/libstrongswan/plugins/hmac/hmac_signer.h @@ -34,9 +34,9 @@ typedef struct hmac_signer_t hmac_signer_t; struct hmac_signer_t { /** - * generic signer_t interface for this signer + * Implements signer_t interface. */ - signer_t signer_interface; + signer_t signer; }; /** @@ -44,8 +44,7 @@ struct hmac_signer_t { * * HMAC signatures are often truncated to shorten them to a more usable, but * still secure enough length. - * Block size must be equal or smaller then the hash algorithms - * hash. + * Block size must be equal or smaller then the hash algorithms hash. * * @param algo algorithm to implement * @return hmac_signer_t, NULL if not supported diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index b96fd5abf..65a135e76 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index 874ee07a2..a78dad97c 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index cc32bca88..6de400e8e 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 83c1188b6..7d4d42c14 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index de9df7271..a32418b16 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +205,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +262,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 5645d72d7..b9d97a901 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -416,10 +416,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this, static bool parse_crlNumber_ext(private_openssl_crl_t *this, X509_EXTENSION *ext) { - free(this->serial.ptr); - this->serial = chunk_clone( - openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext))); - return this->serial.len != 0; + chunk_t chunk; + + chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)); + /* quick and dirty INTEGER unwrap */ + if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER && + chunk.ptr[1] == chunk.len - 2) + { + chunk = chunk_skip(chunk, 2); + free(this->serial.ptr); + this->serial = chunk_clone(chunk); + return TRUE; + } + return FALSE; } /** diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index a8923ab56..2ed07ff0c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -41,85 +41,57 @@ struct private_openssl_crypter_t { }; /** - * Mapping from the algorithms defined in IKEv2 to - * OpenSSL algorithm names and their key length - */ -typedef struct { - /** - * Identifier specified in IKEv2 - */ - int ikev2_id; - - /** - * Name of the algorithm, as used in OpenSSL - */ - char *name; - - /** - * Minimum valid key length in bytes - */ - size_t key_size_min; - - /** - * Maximum valid key length in bytes - */ - size_t key_size_max; -} openssl_algorithm_t; - -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -static openssl_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, "***", 0, 0}, */ - {ENCR_DES, "des", 8, 8}, /* 64 bits */ - {ENCR_3DES, "des3", 24, 24}, /* 192 bits */ - {ENCR_RC5, "rc5", 5, 255}, /* 40 to 2040 bits, RFC 2451 */ - {ENCR_IDEA, "idea", 16, 16}, /* 128 bits, RFC 2451 */ - {ENCR_CAST, "cast", 5, 16}, /* 40 to 128 bits, RFC 2451 */ - {ENCR_BLOWFISH, "blowfish", 5, 56}, /* 40 to 448 bits, RFC 2451 */ -/* {ENCR_3IDEA, "***", 0, 0}, */ -/* {ENCR_DES_IV32, "***", 0, 0}, */ -/* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */ -/* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */ -/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */ -/* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */ - {END_OF_LIST, NULL, 0, 0}, -}; - -/** * Look up an OpenSSL algorithm name and validate its key size */ -static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, - u_int16_t ikev2_algo, size_t *key_size) +static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size) { - while (openssl_algo->ikev2_id != END_OF_LIST) + struct { + /* identifier specified in IKEv2 */ + int ikev2_id; + /* name of the algorithm, as used in OpenSSL */ + char *name; + /* default key size in bytes */ + size_t key_def; + /* minimum key size */ + size_t key_min; + /* maximum key size */ + size_t key_max; + } mappings[] = { + {ENCR_DES, "des", 8, 8, 8}, + {ENCR_3DES, "des3", 24, 24, 24}, + {ENCR_RC5, "rc5", 16, 5, 255}, + {ENCR_IDEA, "idea", 16, 16, 16}, + {ENCR_CAST, "cast", 16, 5, 16}, + {ENCR_BLOWFISH, "blowfish", 16, 5, 56}, + }; + int i; + + for (i = 0; i < countof(mappings); i++) { - if (ikev2_algo == openssl_algo->ikev2_id) + if (ikev2_algo == mappings[i].ikev2_id) { /* set the key size if it is not set */ - if (*key_size == 0 && - (openssl_algo->key_size_min == openssl_algo->key_size_max)) + if (*key_size == 0) { - *key_size = openssl_algo->key_size_min; + *key_size = mappings[i].key_def; } - /* validate key size */ - if (*key_size < openssl_algo->key_size_min || - *key_size > openssl_algo->key_size_max) + if (*key_size < mappings[i].key_min || + *key_size > mappings[i].key_max) { return NULL; } - return openssl_algo->name; + return mappings[i].name; } - openssl_algo++; } return NULL; } -static void crypt(private_openssl_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst, int enc) +/** + * Do the actual en/decryption in an EVP context + */ +static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv, + chunk_t *dst, int enc) { int len; u_char *out; @@ -141,53 +113,44 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data, EVP_CIPHER_CTX_cleanup(&ctx); } -/** - * Implementation of crypter_t.decrypt. - */ -static void decrypt(private_openssl_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +METHOD(crypter_t, decrypt, void, + private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { crypt(this, data, iv, dst, 0); } - -/** - * Implementation of crypter_t.encrypt. - */ -static void encrypt (private_openssl_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +METHOD(crypter_t, encrypt, void, + private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { crypt(this, data, iv, dst, 1); } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size(private_openssl_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_openssl_crypter_t *this) { return this->cipher->block_size; } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size(private_openssl_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_openssl_crypter_t *this) +{ + return this->cipher->block_size; +} + +METHOD(crypter_t, get_key_size, size_t, + private_openssl_crypter_t *this) { return this->key.len; } -/** - * Implementation of crypter_t.set_key. - */ -static void set_key(private_openssl_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_openssl_crypter_t *this, chunk_t key) { memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len)); } -/** - * Implementation of crypter_t.destroy. - */ -static void destroy (private_openssl_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_openssl_crypter_t *this) { free(this->key.ptr); free(this); @@ -201,16 +164,32 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, { private_openssl_crypter_t *this; - this = malloc_thing(private_openssl_crypter_t); + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + ); switch (algo) { case ENCR_NULL: this->cipher = EVP_enc_null(); + key_size = 0; break; case ENCR_AES_CBC: switch (key_size) { + case 0: + key_size = 16; + /* FALL */ case 16: /* AES 128 */ this->cipher = EVP_get_cipherbyname("aes128"); break; @@ -228,6 +207,9 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, case ENCR_CAMELLIA_CBC: switch (key_size) { + case 0: + key_size = 16; + /* FALL */ case 16: /* CAMELLIA 128 */ this->cipher = EVP_get_cipherbyname("camellia128"); break; @@ -243,11 +225,14 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, } break; case ENCR_DES_ECB: + key_size = 8; this->cipher = EVP_des_ecb(); break; default: { - char* name = lookup_algorithm(encryption_algs, algo, &key_size); + char* name; + + name = lookup_algorithm(algo, &key_size); if (!name) { /* algo unavailable or key_size invalid */ @@ -268,12 +253,5 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, this->key = chunk_alloc(key_size); - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt; - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size; - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy; - return &this->public; } diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h index 7e30ae03c..b12e7a6ab 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.h +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h @@ -31,9 +31,9 @@ typedef struct openssl_crypter_t openssl_crypter_t; struct openssl_crypter_t { /** - * The crypter_t interface. + * Implements crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index 9a032c54f..b27aa3391 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -57,11 +57,8 @@ struct private_openssl_diffie_hellman_t { bool computed; }; -/** - * Implementation of openssl_diffie_hellman_t.get_my_public_value. - */ -static void get_my_public_value(private_openssl_diffie_hellman_t *this, - chunk_t *value) +METHOD(diffie_hellman_t, get_my_public_value, void, + private_openssl_diffie_hellman_t *this, chunk_t *value) { *value = chunk_alloc(DH_size(this->dh)); memset(value->ptr, 0, value->len); @@ -69,11 +66,8 @@ static void get_my_public_value(private_openssl_diffie_hellman_t *this, value->ptr + value->len - BN_num_bytes(this->dh->pub_key)); } -/** - * Implementation of openssl_diffie_hellman_t.get_shared_secret. - */ -static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, - chunk_t *secret) +METHOD(diffie_hellman_t, get_shared_secret, status_t, + private_openssl_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { @@ -88,11 +82,8 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, } -/** - * Implementation of openssl_diffie_hellman_t.set_other_public_value. - */ -static void set_other_public_value(private_openssl_diffie_hellman_t *this, - chunk_t value) +METHOD(diffie_hellman_t, set_other_public_value, void, + private_openssl_diffie_hellman_t *this, chunk_t value) { int len; @@ -110,10 +101,8 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this, this->computed = TRUE; } -/** - * Implementation of openssl_diffie_hellman_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *this) +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + private_openssl_diffie_hellman_t *this) { return this->group; } @@ -137,10 +126,8 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this) return SUCCESS; } -/** - * Implementation of openssl_diffie_hellman_t.destroy. - */ -static void destroy(private_openssl_diffie_hellman_t *this) +METHOD(diffie_hellman_t, destroy, void, + private_openssl_diffie_hellman_t *this) { BN_clear_free(this->pub_key); DH_free(this->dh); @@ -151,15 +138,22 @@ static void destroy(private_openssl_diffie_hellman_t *this) /* * Described in header. */ -openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group) +openssl_diffie_hellman_t *openssl_diffie_hellman_create( + diffie_hellman_group_t group, chunk_t g, chunk_t p) { - private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t); - - this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; - this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value; - this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value; - this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group; - this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy; + private_openssl_diffie_hellman_t *this; + + INIT(this, + .public = { + .dh = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .get_dh_group = _get_dh_group, + .destroy = _destroy, + }, + }, + ); this->dh = DH_new(); if (!this->dh) @@ -173,11 +167,19 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g this->pub_key = BN_new(); this->shared_secret = chunk_empty; - /* find a modulus according to group */ - if (set_modulus(this) != SUCCESS) + if (group == MODP_CUSTOM) { - destroy(this); - return NULL; + this->dh->p = BN_bin2bn(p.ptr, p.len, NULL); + this->dh->g = BN_bin2bn(g.ptr, g.len, NULL); + } + else + { + /* find a modulus according to group */ + if (set_modulus(this) != SUCCESS) + { + destroy(this); + return NULL; + } } /* generate my public and private values */ diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h index 6c4b4fe81..53dc59c78 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h @@ -40,9 +40,12 @@ struct openssl_diffie_hellman_t { * Creates a new openssl_diffie_hellman_t object. * * @param group Diffie Hellman group number to use + * @param g custom generator, if MODP_CUSTOM + * @param p custom prime, if MODP_CUSTOM * @return openssl_diffie_hellman_t object, NULL if not supported */ -openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group); +openssl_diffie_hellman_t *openssl_diffie_hellman_create( + diffie_hellman_group_t group, chunk_t g, chunk_t p); #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index a53e8aea0..32fc2bccd 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -165,7 +165,8 @@ error: * of the Diffie-Hellman shared secret value is the same as that of the * Diffie-Hellman public value." */ -static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_t *shared_secret) +static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, + chunk_t *shared_secret) { const BIGNUM *priv_key; EC_POINT *secret = NULL; @@ -209,10 +210,8 @@ error: return ret; } -/** - * Implementation of openssl_ec_diffie_hellman_t.set_other_public_value. - */ -static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, chunk_t value) +METHOD(diffie_hellman_t, set_other_public_value, void, + private_openssl_ec_diffie_hellman_t *this, chunk_t value) { if (!chunk2ecp(this->ec_group, value, this->pub_key)) { @@ -230,18 +229,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch this->computed = TRUE; } -/** - * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value. - */ -static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value) +METHOD(diffie_hellman_t, get_my_public_value, void, + private_openssl_ec_diffie_hellman_t *this,chunk_t *value) { ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE); } -/** - * Implementation of openssl_ec_diffie_hellman_t.get_shared_secret. - */ -static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chunk_t *secret) +METHOD(diffie_hellman_t, get_shared_secret, status_t, + private_openssl_ec_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { @@ -251,18 +246,14 @@ static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chu return SUCCESS; } -/** - * Implementation of openssl_ec_diffie_hellman_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_openssl_ec_diffie_hellman_t *this) +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + private_openssl_ec_diffie_hellman_t *this) { return this->group; } -/** - * Implementation of openssl_ec_diffie_hellman_t.destroy. - */ -static void destroy(private_openssl_ec_diffie_hellman_t *this) +METHOD(diffie_hellman_t, destroy, void, + private_openssl_ec_diffie_hellman_t *this) { EC_POINT_clear_free(this->pub_key); EC_KEY_free(this->key); @@ -275,13 +266,20 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this) */ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group) { - private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t); - - this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; - this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value; - this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value; - this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group; - this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy; + private_openssl_ec_diffie_hellman_t *this; + + INIT(this, + .public = { + .dh = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .get_dh_group = _get_dh_group, + .destroy = _destroy, + }, + }, + .group = group, + ); switch (group) { @@ -328,11 +326,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro return NULL; } - this->group = group; - this->computed = FALSE; - - this->shared_secret = chunk_empty; - return &this->public; } #endif /* OPENSSL_NO_EC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 281155913..f4c4759bf 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -138,11 +138,9 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this, return built; } -/** - * Implementation of private_key_t.sign. - */ -static bool sign(private_openssl_ec_private_key_t *this, - signature_scheme_t scheme, chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign, bool, + private_openssl_ec_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) { switch (scheme) { @@ -172,36 +170,38 @@ static bool sign(private_openssl_ec_private_key_t *this, } } -/** - * Implementation of private_key_t.destroy. - */ -static bool decrypt(private_openssl_ec_private_key_t *this, - chunk_t crypto, chunk_t *plain) +METHOD(private_key_t, decrypt, bool, + private_openssl_ec_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "EC private key decryption not implemented"); return FALSE; } -/** - * Implementation of private_key_t.get_keysize. - */ -static size_t get_keysize(private_openssl_ec_private_key_t *this) +METHOD(private_key_t, get_keysize, int, + private_openssl_ec_private_key_t *this) { - return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec)); + switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec))) + { + case NID_X9_62_prime256v1: + return 256; + case NID_secp384r1: + return 384; + case NID_secp521r1: + return 521; + default: + return 0; + } } -/** - * Implementation of private_key_t.get_type. - */ -static key_type_t get_type(private_openssl_ec_private_key_t *this) +METHOD(private_key_t, get_type, key_type_t, + private_openssl_ec_private_key_t *this) { return KEY_ECDSA; } -/** - * Implementation of private_key_t.get_public_key. - */ -static public_key_t* get_public_key(private_openssl_ec_private_key_t *this) +METHOD(private_key_t, get_public_key, public_key_t*, + private_openssl_ec_private_key_t *this) { public_key_t *public; chunk_t key; @@ -217,20 +217,16 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this) return public; } -/** - * Implementation of private_key_t.get_fingerprint. - */ -static bool get_fingerprint(private_openssl_ec_private_key_t *this, - cred_encoding_type_t type, chunk_t *fingerprint) +METHOD(private_key_t, get_fingerprint, bool, + private_openssl_ec_private_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } -/** - * Implementation of private_key_t.get_encoding. - */ -static bool get_encoding(private_openssl_ec_private_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(private_key_t, get_encoding, bool, + private_openssl_ec_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { u_char *p; @@ -261,19 +257,15 @@ static bool get_encoding(private_openssl_ec_private_key_t *this, } } -/** - * Implementation of private_key_t.get_ref. - */ -static private_key_t* get_ref(private_openssl_ec_private_key_t *this) +METHOD(private_key_t, get_ref, private_key_t*, + private_openssl_ec_private_key_t *this) { ref_get(&this->ref); - return &this->public.interface; + return &this->public.key; } -/** - * Implementation of private_key_t.destroy. - */ -static void destroy(private_openssl_ec_private_key_t *this) +METHOD(private_key_t, destroy, void, + private_openssl_ec_private_key_t *this) { if (ref_put(&this->ref)) { @@ -291,23 +283,27 @@ static void destroy(private_openssl_ec_private_key_t *this) */ static private_openssl_ec_private_key_t *create_empty(void) { - private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t); - - this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type; - this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign; - this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt; - this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize; - this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; - this->public.interface.equals = private_key_equals; - this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(private_key_t *this))destroy; - - this->ec = NULL; - this->ref = 1; + private_openssl_ec_private_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h index 720c63f90..f56c95aa1 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h @@ -34,7 +34,7 @@ struct openssl_ec_private_key_t { /** * Implements private_key_t interface */ - private_key_t interface; + private_key_t key; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index def36c92f..7461695ad 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -130,19 +130,15 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this, return valid; } -/** - * Implementation of public_key_t.get_type. - */ -static key_type_t get_type(private_openssl_ec_public_key_t *this) +METHOD(public_key_t, get_type, key_type_t, + private_openssl_ec_public_key_t *this) { return KEY_ECDSA; } -/** - * Implementation of public_key_t.verify. - */ -static bool verify(private_openssl_ec_public_key_t *this, - signature_scheme_t scheme, chunk_t data, chunk_t signature) +METHOD(public_key_t, verify, bool, + private_openssl_ec_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature) { switch (scheme) { @@ -172,22 +168,28 @@ static bool verify(private_openssl_ec_public_key_t *this, } } -/** - * Implementation of public_key_t.get_keysize. - */ -static bool encrypt_(private_openssl_ec_public_key_t *this, - chunk_t crypto, chunk_t *plain) +METHOD(public_key_t, encrypt, bool, + private_openssl_ec_public_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "EC public key encryption not implemented"); return FALSE; } -/** - * Implementation of public_key_t.get_keysize. - */ -static size_t get_keysize(private_openssl_ec_public_key_t *this) +METHOD(public_key_t, get_keysize, int, + private_openssl_ec_public_key_t *this) { - return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec)); + switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec))) + { + case NID_X9_62_prime256v1: + return 256; + case NID_secp384r1: + return 384; + case NID_secp521r1: + return 521; + default: + return 0; + } } /** @@ -232,20 +234,16 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp) return TRUE; } -/** - * Implementation of private_key_t.get_fingerprint. - */ -static bool get_fingerprint(private_openssl_ec_public_key_t *this, - cred_encoding_type_t type, chunk_t *fingerprint) +METHOD(public_key_t, get_fingerprint, bool, + private_openssl_ec_public_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } -/** - * Implementation of private_key_t.get_encoding. - */ -static bool get_encoding(private_openssl_ec_public_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(public_key_t, get_encoding, bool, + private_openssl_ec_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { u_char *p; @@ -276,19 +274,15 @@ static bool get_encoding(private_openssl_ec_public_key_t *this, } } -/** - * Implementation of public_key_t.get_ref. - */ -static public_key_t* get_ref(private_openssl_ec_public_key_t *this) +METHOD(public_key_t, get_ref, public_key_t*, + private_openssl_ec_public_key_t *this) { ref_get(&this->ref); - return &this->public.interface; + return &this->public.key; } -/** - * Implementation of openssl_ec_public_key.destroy. - */ -static void destroy(private_openssl_ec_public_key_t *this) +METHOD(public_key_t, destroy, void, + private_openssl_ec_public_key_t *this) { if (ref_put(&this->ref)) { @@ -306,21 +300,25 @@ static void destroy(private_openssl_ec_public_key_t *this) */ static private_openssl_ec_public_key_t *create_empty() { - private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t); - - this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; - this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; - this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.equals = public_key_equals; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(public_key_t *this))destroy; - - this->ec = NULL; - this->ref = 1; + private_openssl_ec_public_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt, + .get_keysize = _get_keysize, + .equals = public_key_equals, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h index 29d607d38..8094083a7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h @@ -34,7 +34,7 @@ struct openssl_ec_public_key_t { /** * Implements the public_key_t interface */ - public_key_t interface; + public_key_t key; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index 7556bc594..d81f4b21e 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -90,27 +90,20 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, return NULL; } -/** - * Implementation of hasher_t.get_hash_size. - */ -static size_t get_hash_size(private_openssl_hasher_t *this) +METHOD(hasher_t, get_hash_size, size_t, + private_openssl_hasher_t *this) { return this->hasher->md_size; } -/** - * Implementation of hasher_t.reset. - */ -static void reset(private_openssl_hasher_t *this) +METHOD(hasher_t, reset, void, + private_openssl_hasher_t *this) { EVP_DigestInit_ex(this->ctx, this->hasher, NULL); } -/** - * Implementation of hasher_t.get_hash. - */ -static void get_hash(private_openssl_hasher_t *this, chunk_t chunk, - u_int8_t *hash) +METHOD(hasher_t, get_hash, void, + private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash) { EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len); if (hash) @@ -120,11 +113,8 @@ static void get_hash(private_openssl_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.allocate_hash. - */ -static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk, - chunk_t *hash) +METHOD(hasher_t, allocate_hash, void, + private_openssl_hasher_t *this, chunk_t chunk, chunk_t *hash) { if (hash) { @@ -137,10 +127,8 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.destroy. - */ -static void destroy (private_openssl_hasher_t *this) +METHOD(hasher_t, destroy, void, + private_openssl_hasher_t *this) { EVP_MD_CTX_destroy(this->ctx); free(this); @@ -160,7 +148,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) return NULL; } - this = malloc_thing(private_openssl_hasher_t); + INIT(this, + .public = { + .hasher = { + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .get_hash_size = _get_hash_size, + .reset = _reset, + .destroy = _destroy, + }, + }, + ); this->hasher = EVP_get_digestbyname(name); if (!this->hasher) @@ -170,12 +168,6 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) return NULL; } - this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash; - this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash; - this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size; - this->public.hasher_interface.reset = (void (*) (hasher_t*))reset; - this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy; - this->ctx = EVP_MD_CTX_create(); /* initialization */ diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h index fd7a043d1..b03f6891b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.h +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h @@ -31,9 +31,9 @@ typedef struct openssl_hasher_t openssl_hasher_t; struct openssl_hasher_t { /** - * The hasher_t interface. + * Implements hasher_t interface. */ - hasher_t hasher_interface; + hasher_t hasher; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 31697dcb8..0ab4eda9c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -16,6 +16,7 @@ #include <openssl/evp.h> #include <openssl/conf.h> +#include <openssl/rand.h> #include <openssl/crypto.h> #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> @@ -24,6 +25,7 @@ #include "openssl_plugin.h" #include <library.h> +#include <debug.h> #include <threading/thread.h> #include <threading/mutex.h> #include "openssl_util.h" @@ -151,6 +153,31 @@ static void threading_init() } /** + * Seed the OpenSSL RNG, if required + */ +static bool seed_rng() +{ + rng_t *rng = NULL; + char buf[32]; + + while (RAND_status() != 1) + { + if (!rng) + { + rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (!rng) + { + return FALSE; + } + } + rng->get_bytes(rng, sizeof(buf), buf); + RAND_seed(buf, sizeof(buf)); + } + DESTROY_IF(rng); + return TRUE; +} + +/** * cleanup OpenSSL threading locks */ static void threading_cleanup() @@ -166,10 +193,8 @@ static void threading_cleanup() mutex = NULL; } -/** - * Implementation of openssl_plugin_t.destroy - */ -static void destroy(private_openssl_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_openssl_plugin_t *this) { lib->crypto->remove_crypter(lib->crypto, (crypter_constructor_t)openssl_crypter_create); @@ -218,9 +243,15 @@ static void destroy(private_openssl_plugin_t *this) */ plugin_t *openssl_plugin_create() { - private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t); + private_openssl_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); threading_init(); @@ -233,6 +264,13 @@ plugin_t *openssl_plugin_create() ENGINE_register_all_complete(); #endif /* OPENSSL_NO_ENGINE */ + if (!seed_rng()) + { + DBG1(DBG_CFG, "no RNG found to seed OpenSSL"); + destroy(this); + return NULL; + } + /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)openssl_crypter_create); @@ -312,33 +350,35 @@ plugin_t *openssl_plugin_create() (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_768_BIT, (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + (dh_constructor_t)openssl_diffie_hellman_create); /* rsa */ - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE, (builder_function_t)openssl_rsa_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)openssl_rsa_private_key_gen); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, (builder_function_t)openssl_rsa_private_key_connect); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE, (builder_function_t)openssl_rsa_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)openssl_rsa_public_key_load); #ifndef OPENSSL_NO_EC /* ecdsa */ - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, TRUE, (builder_function_t)openssl_ec_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE, (builder_function_t)openssl_ec_private_key_gen); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, TRUE, (builder_function_t)openssl_ec_public_key_load); #endif /* OPENSSL_NO_EC */ /* X509 certificates */ - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE, (builder_function_t)openssl_x509_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE, (builder_function_t)openssl_crl_load); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 5817ade9e..0b607c386 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -131,19 +131,16 @@ error: return success; } -/** - * Implementation of openssl_rsa_private_key.get_type. - */ -static key_type_t get_type(private_openssl_rsa_private_key_t *this) + +METHOD(private_key_t, get_type, key_type_t, + private_openssl_rsa_private_key_t *this) { return KEY_RSA; } -/** - * Implementation of openssl_rsa_private_key.sign. - */ -static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign, bool, + private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) { switch (scheme) { @@ -168,28 +165,47 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch } } -/** - * Implementation of openssl_rsa_private_key.decrypt. - */ -static bool decrypt(private_openssl_rsa_private_key_t *this, - chunk_t crypto, chunk_t *plain) +METHOD(private_key_t, decrypt, bool, + private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { - DBG1(DBG_LIB, "RSA private key decryption not implemented"); - return FALSE; + int padding, len; + char *decrypted; + + switch (scheme) + { + case ENCRYPT_RSA_PKCS1: + padding = RSA_PKCS1_PADDING; + break; + case ENCRYPT_RSA_OAEP_SHA1: + padding = RSA_PKCS1_OAEP_PADDING; + break; + default: + DBG1(DBG_LIB, "encryption scheme %N not supported via openssl", + encryption_scheme_names, scheme); + return FALSE; + } + decrypted = malloc(RSA_size(this->rsa)); + len = RSA_private_decrypt(crypto.len, crypto.ptr, decrypted, + this->rsa, padding); + if (len < 0) + { + DBG1(DBG_LIB, "RSA decryption failed"); + free(decrypted); + return FALSE; + } + *plain = chunk_create(decrypted, len); + return TRUE; } -/** - * Implementation of openssl_rsa_private_key.get_keysize. - */ -static size_t get_keysize(private_openssl_rsa_private_key_t *this) +METHOD(private_key_t, get_keysize, int, + private_openssl_rsa_private_key_t *this) { - return RSA_size(this->rsa); + return RSA_size(this->rsa) * 8; } -/** - * Implementation of openssl_rsa_private_key.get_public_key. - */ -static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this) +METHOD(private_key_t, get_public_key, public_key_t*, + private_openssl_rsa_private_key_t *this) { chunk_t enc; public_key_t *key; @@ -204,20 +220,16 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this) return key; } -/** - * Implementation of public_key_t.get_fingerprint. - */ -static bool get_fingerprint(private_openssl_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *fingerprint) +METHOD(private_key_t, get_fingerprint, bool, + private_openssl_rsa_private_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } -/* - * Implementation of public_key_t.get_encoding. - */ -static bool get_encoding(private_openssl_rsa_private_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(private_key_t, get_encoding, bool, + private_openssl_rsa_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { u_char *p; @@ -252,19 +264,15 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, } } -/** - * Implementation of openssl_rsa_private_key.get_ref. - */ -static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this) +METHOD(private_key_t, get_ref, private_key_t*, + private_openssl_rsa_private_key_t *this) { ref_get(&this->ref); - return this; + return &this->public.key; } -/** - * Implementation of openssl_rsa_private_key.destroy. - */ -static void destroy(private_openssl_rsa_private_key_t *this) +METHOD(private_key_t, destroy, void, + private_openssl_rsa_private_key_t *this) { if (ref_put(&this->ref)) { @@ -280,25 +288,29 @@ static void destroy(private_openssl_rsa_private_key_t *this) /** * Internal generic constructor */ -static private_openssl_rsa_private_key_t *create_empty(void) +static private_openssl_rsa_private_key_t *create_empty() { - private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t); - - this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type; - this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign; - this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt; - this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize; - this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; - this->public.interface.equals = private_key_equals; - this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; - this->public.interface.destroy = (void (*) (private_key_t*))destroy; - - this->engine = FALSE; - this->ref = 1; + private_openssl_rsa_private_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } @@ -444,6 +456,48 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, } /** + * Login to engine with a PIN specified for a keyid + */ +static bool login(ENGINE *engine, chunk_t keyid) +{ + enumerator_t *enumerator; + shared_key_t *shared; + identification_t *id; + chunk_t key; + char pin[64]; + bool found = FALSE, success = FALSE; + + id = identification_create_from_encoding(ID_KEY_ID, keyid); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PIN, id, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) + { + found = TRUE; + key = shared->get_key(shared); + if (snprintf(pin, sizeof(pin), "%.*s", key.len, key.ptr) >= sizeof(pin)) + { + continue; + } + if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + { + success = TRUE; + break; + } + else + { + DBG1(DBG_CFG, "setting PIN on engine failed"); + } + } + enumerator->destroy(enumerator); + id->destroy(id); + if (!found) + { + DBG1(DBG_CFG, "no PIN found for %#B", &keyid); + } + return success; +} + +/** * See header. */ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, @@ -451,20 +505,25 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, { #ifndef OPENSSL_NO_ENGINE private_openssl_rsa_private_key_t *this; - char *keyid = NULL, *pin = NULL; + char *engine_id = NULL; + char keyname[64]; + chunk_t keyid = chunk_empty;; EVP_PKEY *key; - char *engine_id; ENGINE *engine; + int slot = -1; while (TRUE) { switch (va_arg(args, builder_part_t)) { - case BUILD_SMARTCARD_KEYID: - keyid = va_arg(args, char*); + case BUILD_PKCS11_KEYID: + keyid = va_arg(args, chunk_t); continue; - case BUILD_SMARTCARD_PIN: - pin = va_arg(args, char*); + case BUILD_PKCS11_SLOT: + slot = va_arg(args, int); + continue; + case BUILD_PKCS11_MODULE: + engine_id = va_arg(args, char*); continue; case BUILD_END: break; @@ -473,17 +532,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, } break; } - if (!keyid || !pin) + if (!keyid.len || keyid.len > 40) { return NULL; } - engine_id = lib->settings->get_str(lib->settings, + memset(keyname, 0, sizeof(keyname)); + if (slot != -1) + { + snprintf(keyname, sizeof(keyname), "%d:", slot); + } + if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) + { + return NULL; + } + chunk_to_hex(keyid, keyname + strlen(keyname), FALSE); + + if (!engine_id) + { + engine_id = lib->settings->get_str(lib->settings, "libstrongswan.plugins.openssl.engine_id", "pkcs11"); + } engine = ENGINE_by_id(engine_id); if (!engine) { - DBG1(DBG_LIB, "engine '%s' is not available", engine_id); + DBG2(DBG_LIB, "engine '%s' is not available", engine_id); return NULL; } if (!ENGINE_init(engine)) @@ -492,18 +565,17 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, ENGINE_free(engine); return NULL; } - if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + if (!login(engine, keyid)) { - DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id); + DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); ENGINE_free(engine); return NULL; } - - key = ENGINE_load_private_key(engine, keyid, NULL, NULL); + key = ENGINE_load_private_key(engine, keyname, NULL, NULL); if (!key) { DBG1(DBG_LIB, "failed to load private key with ID '%s' from " - "engine '%s'", keyid, engine_id); + "engine '%s'", keyname, engine_id); ENGINE_free(engine); return NULL; } @@ -512,6 +584,11 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, this = create_empty(); this->rsa = EVP_PKEY_get1_RSA(key); this->engine = TRUE; + if (!this->rsa) + { + destroy(this); + return NULL; + } return &this->public; #else /* OPENSSL_NO_ENGINE */ diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h index 079dfa46a..60889d651 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h @@ -34,7 +34,7 @@ struct openssl_rsa_private_key_t { /** * Implements private_key_t interface */ - private_key_t interface; + private_key_t key; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 6ac61a65c..422e31521 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -114,19 +114,15 @@ error: return valid; } -/** - * Implementation of public_key_t.get_type. - */ -static key_type_t get_type(private_openssl_rsa_public_key_t *this) +METHOD(public_key_t, get_type, key_type_t, + private_openssl_rsa_public_key_t *this) { return KEY_RSA; } -/** - * Implementation of public_key_t.verify. - */ -static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) +METHOD(public_key_t, verify, bool, + private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature) { switch (scheme) { @@ -151,22 +147,43 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc } } -/** - * Implementation of public_key_t.get_keysize. - */ -static bool encrypt_(private_openssl_rsa_public_key_t *this, - chunk_t crypto, chunk_t *plain) +METHOD(public_key_t, encrypt, bool, + private_openssl_rsa_public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *crypto) { - DBG1(DBG_LIB, "RSA public key encryption not implemented"); - return FALSE; + int padding, len; + char *encrypted; + + switch (scheme) + { + case ENCRYPT_RSA_PKCS1: + padding = RSA_PKCS1_PADDING; + break; + case ENCRYPT_RSA_OAEP_SHA1: + padding = RSA_PKCS1_OAEP_PADDING; + break; + default: + DBG1(DBG_LIB, "decryption scheme %N not supported via openssl", + encryption_scheme_names, scheme); + return FALSE; + } + encrypted = malloc(RSA_size(this->rsa)); + len = RSA_public_encrypt(plain.len, plain.ptr, encrypted, + this->rsa, padding); + if (len < 0) + { + DBG1(DBG_LIB, "RSA decryption failed"); + free(encrypted); + return FALSE; + } + *crypto = chunk_create(encrypted, len); + return TRUE; } -/** - * Implementation of public_key_t.get_keysize. - */ -static size_t get_keysize(private_openssl_rsa_public_key_t *this) +METHOD(public_key_t, get_keysize, int, + private_openssl_rsa_public_key_t *this) { - return RSA_size(this->rsa); + return RSA_size(this->rsa) * 8; } /** @@ -211,20 +228,16 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp) return TRUE; } -/** - * Implementation of public_key_t.get_fingerprint. - */ -static bool get_fingerprint(private_openssl_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *fingerprint) +METHOD(public_key_t, get_fingerprint, bool, + private_openssl_rsa_public_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } -/* - * Implementation of public_key_t.get_encoding. - */ -static bool get_encoding(private_openssl_rsa_public_key_t *this, - cred_encoding_type_t type, chunk_t *encoding) +METHOD(public_key_t, get_encoding, bool, + private_openssl_rsa_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) { u_char *p; @@ -262,19 +275,15 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this, } } -/** - * Implementation of public_key_t.get_ref. - */ -static public_key_t* get_ref(private_openssl_rsa_public_key_t *this) +METHOD(public_key_t, get_ref, public_key_t*, + private_openssl_rsa_public_key_t *this) { ref_get(&this->ref); - return &this->public.interface; + return &this->public.key; } -/** - * Implementation of openssl_rsa_public_key.destroy. - */ -static void destroy(private_openssl_rsa_public_key_t *this) +METHOD(public_key_t, destroy, void, + private_openssl_rsa_public_key_t *this) { if (ref_put(&this->ref)) { @@ -292,21 +301,25 @@ static void destroy(private_openssl_rsa_public_key_t *this) */ static private_openssl_rsa_public_key_t *create_empty() { - private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t); - - this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; - this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; - this->public.interface.equals = public_key_equals; - this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; - this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; - this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; - this->public.interface.destroy = (void (*)(public_key_t *this))destroy; - - this->rsa = NULL; - this->ref = 1; + private_openssl_rsa_public_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt, + .equals = public_key_equals, + .get_keysize = _get_keysize, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); return this; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h index 620aa51ce..021257d3c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h @@ -33,7 +33,7 @@ struct openssl_rsa_public_key_t { /** * Implements the public_key_t interface */ - public_key_t interface; + public_key_t key; }; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c index b65388010..20f2fa984 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -124,13 +124,15 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo) } INIT(this, - .public.prf = { - .get_block_size = _get_block_size, - .get_bytes = _get_bytes, - .allocate_bytes = _allocate_bytes, - .get_key_size = _get_key_size, - .set_key = _set_key, - .destroy = _destroy, + .public = { + .prf = { + .get_block_size = _get_block_size, + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, }, ); diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index 1c9bb699e..aa39bc93d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -187,6 +187,15 @@ static identification_t *general_name2id(GENERAL_NAME *name) } case GEN_DIRNAME : return openssl_x509_name2id(name->d.directoryName); + case GEN_OTHERNAME: + if (OBJ_obj2nid(name->d.otherName->type_id) == NID_ms_upn && + name->d.otherName->value->type == V_ASN1_UTF8STRING) + { + return identification_create_from_encoding(ID_RFC822_ADDR, + openssl_asn1_str2chunk( + name->d.otherName->value->value.utf8string)); + } + return NULL; default: return NULL; } @@ -286,10 +295,23 @@ METHOD(certificate_t, has_subject, id_match_t, identification_t *current; enumerator_t *enumerator; id_match_t match, best; + chunk_t encoding; if (subject->get_type(subject) == ID_KEY_ID) { - if (chunk_equals(this->hash, subject->get_encoding(subject))) + encoding = subject->get_encoding(subject); + + if (chunk_equals(this->hash, encoding)) + { + return ID_MATCH_PERFECT; + } + if (this->subjectKeyIdentifier.len && + chunk_equals(this->subjectKeyIdentifier, encoding)) + { + return ID_MATCH_PERFECT; + } + if (this->pubkey && + this->pubkey->has_fingerprint(this->pubkey, encoding)) { return ID_MATCH_PERFECT; } @@ -756,6 +778,38 @@ static bool parse_extensions(private_openssl_x509_t *this) } /** + * Parse ExtendedKeyUsage + */ +static void parse_extKeyUsage(private_openssl_x509_t *this) +{ + EXTENDED_KEY_USAGE *usage; + int i; + + usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL); + if (usage) + { + for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++) + { + switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i))) + { + case NID_server_auth: + this->flags |= X509_SERVER_AUTH; + break; + case NID_client_auth: + this->flags |= X509_CLIENT_AUTH; + break; + case NID_OCSP_sign: + this->flags |= X509_OCSP_SIGNER; + break; + default: + break; + } + } + sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free); + } +} + +/** * Parse a DER encoded x509 certificate */ static bool parse_certificate(private_openssl_x509_t *this) @@ -814,6 +868,7 @@ static bool parse_certificate(private_openssl_x509_t *this) { return TRUE; } + parse_extKeyUsage(this); hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!hasher) diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index adb8f08d1..46953f681 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c index 9edea4bd3..06c20292f 100644 --- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c +++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c @@ -78,8 +78,8 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst, : "eax", "ecx", "edx", "esi", "edi"); } -/* - * Implementation of crypter_t.crypt +/** + * Do encryption/decryption operation using Padlock control word */ static void crypt(private_padlock_aes_crypter_t *this, char *iv, chunk_t src, chunk_t *dst, bool enc) @@ -107,53 +107,44 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv, src.len / AES_BLOCK_SIZE, iv_aligned); } -/** - * Implementation of crypter_t.decrypt. - */ -static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +METHOD(crypter_t, decrypt, void, + private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { crypt(this, iv.ptr, data, dst, TRUE); } - -/** - * Implementation of crypter_t.encrypt. - */ -static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data, - chunk_t iv, chunk_t *dst) +METHOD(crypter_t, encrypt, void, + private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { crypt(this, iv.ptr, data, dst, FALSE); } -/** - * Implementation of crypter_t.get_block_size. - */ -static size_t get_block_size(private_padlock_aes_crypter_t *this) +METHOD(crypter_t, get_block_size, size_t, + private_padlock_aes_crypter_t *this) { return AES_BLOCK_SIZE; } -/** - * Implementation of crypter_t.get_key_size. - */ -static size_t get_key_size(private_padlock_aes_crypter_t *this) +METHOD(crypter_t, get_iv_size, size_t, + private_padlock_aes_crypter_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(crypter_t, get_key_size, size_t, + private_padlock_aes_crypter_t *this) { return this->key.len; } -/** - * Implementation of crypter_t.set_key. - */ -static void set_key(private_padlock_aes_crypter_t *this, chunk_t key) +METHOD(crypter_t, set_key, void, + private_padlock_aes_crypter_t *this, chunk_t key) { memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len)); } -/** - * Implementation of crypter_t.destroy and aes_crypter_t.destroy. - */ -static void destroy (private_padlock_aes_crypter_t *this) +METHOD(crypter_t, destroy, void, + private_padlock_aes_crypter_t *this) { free(this->key.ptr); free(this); @@ -171,29 +162,33 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo, { return NULL; } - - this = malloc_thing(private_padlock_aes_crypter_t); - switch (key_size) { + case 0: + key_size = 16; + /* FALL */ case 16: /* AES 128 */ break; case 24: /* AES-192 */ case 32: /* AES-256 */ /* These need an expanded key, currently not supported, FALL */ default: - free(this); return NULL; } - this->key = chunk_alloc(key_size); - - this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt; - this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt; - this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size; - this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size; - this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key; - this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy; - + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key = chunk_alloc(key_size), + ); return &this->public; } diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h index d4c7a7577..1c804860c 100644 --- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h +++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h @@ -32,9 +32,9 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t; struct padlock_aes_crypter_t { /** - * The crypter_t interface. + * Implements crypter_t interface. */ - crypter_t crypter_interface; + crypter_t crypter; }; /** diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index c9606ae15..027c53c7b 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -101,10 +101,8 @@ static padlock_feature_t get_padlock_features() return 0; } -/** - * Implementation of aes_plugin_t.destroy - */ -static void destroy(private_padlock_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_padlock_plugin_t *this) { if (this->features & PADLOCK_RNG_ENABLED) { @@ -133,11 +131,17 @@ static void destroy(private_padlock_plugin_t *this) */ plugin_t *padlock_plugin_create() { - private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t); + private_padlock_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .features = get_padlock_features(), + ); - this->features = get_padlock_features(); if (!this->features) { free(this); diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c index 8ff46081b..3d805df9d 100644 --- a/src/libstrongswan/plugins/padlock/padlock_rng.c +++ b/src/libstrongswan/plugins/padlock/padlock_rng.c @@ -53,15 +53,15 @@ struct private_padlock_rng_t { */ static void rng(char *buf, int len, int quality) { - while (len > 0)
+ while (len > 0) { int status; /* run XSTORE until we have all bytes needed. We do not use REP, as * this should not be performance critical and it's easier this way. */ asm volatile ( - ".byte 0x0F,0xA7,0xC0 \n\t"
- : "=D"(buf), "=a"(status)
+ ".byte 0x0F,0xA7,0xC0 \n\t" + : "=D"(buf), "=a"(status) : "d"(quality), "D"(buf)); /* bits[0..4] of status word contains the number of bytes read */ @@ -69,11 +69,8 @@ static void rng(char *buf, int len, int quality) } } -/** - * Implementation of padlock_rng_t.allocate_bytes. - */ -static void allocate_bytes(private_padlock_rng_t *this, size_t bytes, - chunk_t *chunk) +METHOD(rng_t, allocate_bytes, void, + private_padlock_rng_t *this, size_t bytes, chunk_t *chunk) { chunk->len = bytes; /* padlock requires some additional bytes */ @@ -82,11 +79,8 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes, rng(chunk->ptr, chunk->len, this->quality); } -/** - * Implementation of padlock_rng_t.get_bytes. - */ -static void get_bytes(private_padlock_rng_t *this, size_t bytes, - u_int8_t *buffer) +METHOD(rng_t, get_bytes, void, + private_padlock_rng_t *this, size_t bytes, u_int8_t *buffer) { chunk_t chunk; @@ -96,10 +90,8 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes, chunk_clear(&chunk); } -/** - * Implementation of padlock_rng_t.destroy. - */ -static void destroy(private_padlock_rng_t *this) +METHOD(rng_t, destroy, void, + private_padlock_rng_t *this) { free(this); } @@ -109,11 +101,17 @@ static void destroy(private_padlock_rng_t *this) */ padlock_rng_t *padlock_rng_create(rng_quality_t quality) { - private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t); - - this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes; - this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes; - this->public.rng.destroy = (void (*) (rng_t *))destroy; + private_padlock_rng_t *this; + + INIT(this, + .public = { + .rng = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .destroy = _destroy, + }, + }, + ); /* map RNG quality to Padlock quality factor */ switch (quality) @@ -127,8 +125,10 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality) case RNG_TRUE: this->quality = PADLOCK_QF3; break; + default: + free(this); + return NULL; } - return &this->public; } diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c index 60b516675..66a077353 100644 --- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c +++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c @@ -83,19 +83,14 @@ static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data) this->data.len += data.len; } -/** - * Implementation of hasher_t.reset. - */ -static void reset(private_padlock_sha1_hasher_t *this) +METHOD(hasher_t, reset, void, + private_padlock_sha1_hasher_t *this) { chunk_free(&this->data); } -/** - * Implementation of hasher_t.get_hash. - */ -static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk, - u_int8_t *hash) +METHOD(hasher_t, get_hash, void, + private_padlock_sha1_hasher_t *this, chunk_t chunk, u_int8_t *hash) { if (hash) { @@ -116,11 +111,8 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.allocate_hash. - */ -static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk, - chunk_t *hash) +METHOD(hasher_t, allocate_hash, void, + private_padlock_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash) { if (hash) { @@ -133,18 +125,14 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk, } } -/** - * Implementation of hasher_t.get_hash_size. - */ -static size_t get_hash_size(private_padlock_sha1_hasher_t *this) +METHOD(hasher_t, get_hash_size, size_t, + private_padlock_sha1_hasher_t *this) { return HASH_SIZE_SHA1; } -/** - * Implementation of hasher_t.destroy. - */ -static void destroy(private_padlock_sha1_hasher_t *this) +METHOD(hasher_t, destroy, void, + private_padlock_sha1_hasher_t *this) { free(this->data.ptr); free(this); @@ -161,15 +149,16 @@ padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo) { return NULL; } - - this = malloc_thing(private_padlock_sha1_hasher_t); - this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash; - this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash; - this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size; - this->public.hasher_interface.reset = (void (*) (hasher_t*))reset; - this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy; - - this->data = chunk_empty; - - return &(this->public); + INIT(this, + .public = { + .hasher = { + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .get_hash_size = _get_hash_size, + .reset = _reset, + .destroy = _destroy, + }, + }, + ); + return &this->public; } diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h index 740bdfe98..2d2b2b45d 100644 --- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h +++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h @@ -34,7 +34,7 @@ struct padlock_sha1_hasher_t { /** * Implements hasher_t interface. */ - hasher_t hasher_interface; + hasher_t hasher; }; /** diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index e19a66fa5..cf5acdd1c 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index a15c3f258..b760adda9 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -127,8 +127,8 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, } crypter->set_key(crypter, key); - if (iv.len != crypter->get_block_size(crypter) || - blob->len % iv.len) + if (iv.len != crypter->get_iv_size(crypter) || + blob->len % crypter->get_block_size(crypter)) { crypter->destroy(crypter); DBG1(DBG_LIB, " data size is not multiple of block size"); @@ -167,8 +167,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, /** * Converts a PEM encoded file into its binary form (RFC 1421, RFC 934) */ -static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data, - bool *pgp) +static status_t pem_to_bin(chunk_t *blob, bool *pgp) { typedef enum { PEM_PRE = 0, @@ -187,9 +186,10 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data chunk_t dst = *blob; chunk_t line = chunk_empty; chunk_t iv = chunk_empty; - chunk_t passphrase; - int try = 0; u_char iv_buf[HASH_SIZE_MD5]; + status_t status = NOT_FOUND; + enumerator_t *enumerator; + shared_key_t *shared; dst.len = 0; iv.ptr = iv_buf; @@ -326,36 +326,35 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data { return SUCCESS; } - if (!cb) - { - DBG1(DBG_LIB, " missing passphrase"); - return INVALID_ARG; - } - while (TRUE) + + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PRIVATE_KEY_PASS, NULL, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { - passphrase = cb(cb_data, ++try); - if (!passphrase.len || !passphrase.ptr) + chunk_t passphrase, chunk; + + passphrase = shared->get_key(shared); + chunk = chunk_clone(*blob); + status = pem_decrypt(&chunk, alg, key_size, iv, passphrase); + if (status == SUCCESS) { - return INVALID_ARG; + memcpy(blob->ptr, chunk.ptr, chunk.len); + blob->len = chunk.len; } - switch (pem_decrypt(blob, alg, key_size, iv, passphrase)) - { - case INVALID_ARG: - /* bad passphrase, retry */ - continue; - case SUCCESS: - return SUCCESS; - default: - return FAILED; + free(chunk.ptr); + if (status != INVALID_ARG) + { /* try again only if passphrase invalid */ + break; } } + enumerator->destroy(enumerator); + return status; } /** * load the credential from a blob */ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype, - chunk_t(*cb)(void*,int), void *cb_data, x509_flag_t flags) { void *cred = NULL; @@ -364,7 +363,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype, blob = chunk_clone(blob); if (!is_asn1(blob)) { - if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS) + if (pem_to_bin(&blob, &pgp) != SUCCESS) { chunk_clear(&blob); return NULL; @@ -394,7 +393,6 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype, * load the credential from a file */ static void *load_from_file(char *file, credential_type_t type, int subtype, - chunk_t(*cb)(void*,int), void *cb_data, x509_flag_t flags) { void *cred = NULL; @@ -425,8 +423,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype, return NULL; } - cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, - cb, cb_data, flags); + cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, flags); munmap(addr, sb.st_size); close(fd); @@ -437,7 +434,6 @@ static void *load_from_file(char *file, credential_type_t type, int subtype, * load the credential from a file descriptor */ static void *load_from_fd(int fd, credential_type_t type, int subtype, - chunk_t(*cb)(void*,int), void *cb_data, x509_flag_t flags) { char buf[8096]; @@ -464,20 +460,7 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype, return NULL; } } - return load_from_blob(chunk_create(buf, total), type, subtype, - cb, cb_data, flags); -} - -/** - * passphrase callback to use if passphrase given - */ -static chunk_t given_passphrase_cb(chunk_t *passphrase, int try) -{ - if (try > 1) - { /* try only once for given passphrases */ - return chunk_empty; - } - return *passphrase; + return load_from_blob(chunk_create(buf, total), type, subtype, flags); } /** @@ -487,9 +470,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args) { char *file = NULL; int fd = -1; - chunk_t pem = chunk_empty, passphrase = chunk_empty; - chunk_t (*cb)(void *data, int try) = NULL; - void *cb_data = NULL; + chunk_t pem = chunk_empty; int flags = 0; while (TRUE) @@ -505,18 +486,6 @@ static void *pem_load(credential_type_t type, int subtype, va_list args) case BUILD_BLOB_PEM: pem = va_arg(args, chunk_t); continue; - case BUILD_PASSPHRASE: - passphrase = va_arg(args, chunk_t); - if (passphrase.len && passphrase.ptr) - { - cb = (void*)given_passphrase_cb; - cb_data = &passphrase; - } - continue; - case BUILD_PASSPHRASE_CALLBACK: - cb = va_arg(args, chunk_t(*)(void*,int)); - cb_data = va_arg(args, void*); - continue; case BUILD_X509_FLAG: flags = va_arg(args, int); continue; @@ -530,15 +499,15 @@ static void *pem_load(credential_type_t type, int subtype, va_list args) if (pem.len) { - return load_from_blob(pem, type, subtype, cb, cb_data, flags); + return load_from_blob(pem, type, subtype, flags); } if (file) { - return load_from_file(file, type, subtype, cb, cb_data, flags); + return load_from_file(file, type, subtype, flags); } if (fd != -1) { - return load_from_fd(fd, type, subtype, cb, cb_data, flags); + return load_from_fd(fd, type, subtype, flags); } return NULL; } diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c index 810901b7a..83efb155b 100644 --- a/src/libstrongswan/plugins/pem/pem_plugin.c +++ b/src/libstrongswan/plugins/pem/pem_plugin.c @@ -57,49 +57,49 @@ plugin_t *pem_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; /* register private key PEM decoding builders */ - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, (builder_function_t)pem_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pem_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE, (builder_function_t)pem_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA, FALSE, (builder_function_t)pem_private_key_load); /* register public key PEM decoding builders */ - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pem_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, (builder_function_t)pem_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, FALSE, (builder_function_t)pem_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA, FALSE, (builder_function_t)pem_public_key_load); /* register certificate PEM decoding builders */ - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, (builder_function_t)pem_certificate_load); /* register pluto specific certificate formats */ - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE, (builder_function_t)pem_certificate_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE, (builder_function_t)pem_certificate_load); /* register PEM encoder */ diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index a5bc5eb39..0098147a9 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c index 84c9bfddd..440e70a18 100644 --- a/src/libstrongswan/plugins/pgp/pgp_builder.c +++ b/src/libstrongswan/plugins/pgp/pgp_builder.c @@ -129,7 +129,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme, /** * Implementation of private_key_t.decrypt for signature-only keys */ -static bool decrypt_not_allowed(private_key_t *this, +static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme, chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "decryption failed - signature only key"); diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c index 3ed1faf01..41e0a5df6 100644 --- a/src/libstrongswan/plugins/pgp/pgp_plugin.c +++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c @@ -60,16 +60,16 @@ plugin_t *pgp_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pgp_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, (builder_function_t)pgp_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, (builder_function_t)pgp_private_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pgp_private_key_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, (builder_function_t)pgp_cert_load); lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode); diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 947f52d82..8b41499a7 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index 35ec2d2bf..d3afb5c67 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c @@ -56,11 +56,11 @@ plugin_t *pkcs1_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pkcs1_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, (builder_function_t)pkcs1_public_key_load); - lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pkcs1_private_key_load); lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode); diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am new file mode 100644 index 000000000..199039d95 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-pkcs11.la +else +plugin_LTLIBRARIES = libstrongswan-pkcs11.la +endif + +libstrongswan_pkcs11_la_SOURCES = \ + pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \ + pkcs11_library.h pkcs11_library.c \ + pkcs11_creds.h pkcs11_creds.c \ + pkcs11_private_key.h pkcs11_private_key.c \ + pkcs11_public_key.h pkcs11_public_key.c \ + pkcs11_hasher.h pkcs11_hasher.c \ + pkcs11_manager.h pkcs11_manager.c + +libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in new file mode 100644 index 000000000..c27310910 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -0,0 +1,614 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/pkcs11 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_pkcs11_la_LIBADD = +am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \ + pkcs11_library.lo pkcs11_creds.lo pkcs11_private_key.lo \ + pkcs11_public_key.lo pkcs11_hasher.lo pkcs11_manager.lo +libstrongswan_pkcs11_la_OBJECTS = \ + $(am_libstrongswan_pkcs11_la_OBJECTS) +libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_pkcs11_la_SOURCES) +DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la +libstrongswan_pkcs11_la_SOURCES = \ + pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \ + pkcs11_library.h pkcs11_library.c \ + pkcs11_creds.h pkcs11_creds.c \ + pkcs11_private_key.h pkcs11_private_key.c \ + pkcs11_public_key.h pkcs11_public_key.c \ + pkcs11_hasher.h pkcs11_hasher.c \ + pkcs11_manager.h pkcs11_manager.c + +libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) + $(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_creds.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_library.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_public_key.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11.h b/src/libstrongswan/plugins/pkcs11/pkcs11.h new file mode 100644 index 000000000..2e6a1e3ed --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11.h @@ -0,0 +1,1357 @@ +/* pkcs11.h + Copyright 2006, 2007 g10 Code GmbH + Copyright 2006 Andreas Jellinghaus + + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. */ + +/* Please submit changes back to the Scute project at + http://www.scute.org/ (or send them to marcus@g10code.com), so that + they can be picked up by other projects from there as well. */ + +/* This file is a modified implementation of the PKCS #11 standard by + RSA Security Inc. It is mostly a drop-in replacement, with the + following change: + + This header file does not require any macro definitions by the user + (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros + for you (if useful, some are missing, let me know if you need + more). + + There is an additional API available that does comply better to the + GNU coding standard. It can be switched on by defining + CRYPTOKI_GNU before including this header file. For this, the + following changes are made to the specification: + + All structure types are changed to a "struct ck_foo" where CK_FOO + is the type name in PKCS #11. + + All non-structure types are changed to ck_foo_t where CK_FOO is the + lowercase version of the type name in PKCS #11. The basic types + (CK_ULONG et al.) are removed without substitute. + + All members of structures are modified in the following way: Type + indication prefixes are removed, and underscore characters are + inserted before words. Then the result is lowercased. + + Note that function names are still in the original case, as they + need for ABI compatibility. + + CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use + <stdbool.h>. + + If CRYPTOKI_COMPAT is defined before including this header file, + then none of the API changes above take place, and the API is the + one defined by the PKCS #11 standard. */ + +#ifndef PKCS11_H +#define PKCS11_H 1 + +#if defined(__cplusplus) +extern "C" { +#endif + + +/* The version of cryptoki we implement. The revision is changed with + each modification of this file. If you do not use the "official" + version of this file, please consider deleting the revision macro + (you may use a macro with a different name to keep track of your + versions). */ +#define CRYPTOKI_VERSION_MAJOR 2 +#define CRYPTOKI_VERSION_MINOR 20 +#define CRYPTOKI_VERSION_REVISION 6 + + +/* Compatibility interface is default, unless CRYPTOKI_GNU is + given. */ +#ifndef CRYPTOKI_GNU +#ifndef CRYPTOKI_COMPAT +#define CRYPTOKI_COMPAT 1 +#endif +#endif + +/* System dependencies. */ + +#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) + +/* There is a matching pop below. */ +#pragma pack(push, cryptoki, 1) + +#ifdef CRYPTOKI_EXPORTS +#define CK_SPEC __declspec(dllexport) +#else +#define CK_SPEC __declspec(dllimport) +#endif + +#else + +#define CK_SPEC + +#endif + + +#ifdef CRYPTOKI_COMPAT + /* If we are in compatibility mode, switch all exposed names to the + PKCS #11 variant. There are corresponding #undefs below. */ + +#define ck_flags_t CK_FLAGS +#define ck_version _CK_VERSION + +#define ck_info _CK_INFO +#define cryptoki_version cryptokiVersion +#define manufacturer_id manufacturerID +#define library_description libraryDescription +#define library_version libraryVersion + +#define ck_notification_t CK_NOTIFICATION +#define ck_slot_id_t CK_SLOT_ID + +#define ck_slot_info _CK_SLOT_INFO +#define slot_description slotDescription +#define hardware_version hardwareVersion +#define firmware_version firmwareVersion + +#define ck_token_info _CK_TOKEN_INFO +#define serial_number serialNumber +#define max_session_count ulMaxSessionCount +#define session_count ulSessionCount +#define max_rw_session_count ulMaxRwSessionCount +#define rw_session_count ulRwSessionCount +#define max_pin_len ulMaxPinLen +#define min_pin_len ulMinPinLen +#define total_public_memory ulTotalPublicMemory +#define free_public_memory ulFreePublicMemory +#define total_private_memory ulTotalPrivateMemory +#define free_private_memory ulFreePrivateMemory +#define utc_time utcTime + +#define ck_session_handle_t CK_SESSION_HANDLE +#define ck_user_type_t CK_USER_TYPE +#define ck_state_t CK_STATE + +#define ck_session_info _CK_SESSION_INFO +#define slot_id slotID +#define device_error ulDeviceError + +#define ck_object_handle_t CK_OBJECT_HANDLE +#define ck_object_class_t CK_OBJECT_CLASS +#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE +#define ck_key_type_t CK_KEY_TYPE +#define ck_certificate_type_t CK_CERTIFICATE_TYPE +#define ck_attribute_type_t CK_ATTRIBUTE_TYPE + +#define ck_attribute _CK_ATTRIBUTE +#define value pValue +#define value_len ulValueLen + +#define ck_date _CK_DATE + +#define ck_mechanism_type_t CK_MECHANISM_TYPE + +#define ck_mechanism _CK_MECHANISM +#define parameter pParameter +#define parameter_len ulParameterLen + +#define ck_mechanism_info _CK_MECHANISM_INFO +#define min_key_size ulMinKeySize +#define max_key_size ulMaxKeySize + +#define ck_rv_t CK_RV +#define ck_notify_t CK_NOTIFY + +#define ck_function_list _CK_FUNCTION_LIST + +#define ck_createmutex_t CK_CREATEMUTEX +#define ck_destroymutex_t CK_DESTROYMUTEX +#define ck_lockmutex_t CK_LOCKMUTEX +#define ck_unlockmutex_t CK_UNLOCKMUTEX + +#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS +#define create_mutex CreateMutex +#define destroy_mutex DestroyMutex +#define lock_mutex LockMutex +#define unlock_mutex UnlockMutex +#define reserved pReserved + +#endif /* CRYPTOKI_COMPAT */ + + + +typedef unsigned long ck_flags_t; + +struct ck_version +{ + unsigned char major; + unsigned char minor; +}; + + +struct ck_info +{ + struct ck_version cryptoki_version; + unsigned char manufacturer_id[32]; + ck_flags_t flags; + unsigned char library_description[32]; + struct ck_version library_version; +}; + + +typedef unsigned long ck_notification_t; + +#define CKN_SURRENDER (0) + + +typedef unsigned long ck_slot_id_t; + + +struct ck_slot_info +{ + unsigned char slot_description[64]; + unsigned char manufacturer_id[32]; + ck_flags_t flags; + struct ck_version hardware_version; + struct ck_version firmware_version; +}; + + +#define CKF_TOKEN_PRESENT (1 << 0) +#define CKF_REMOVABLE_DEVICE (1 << 1) +#define CKF_HW_SLOT (1 << 2) +#define CKF_ARRAY_ATTRIBUTE (1 << 30) + + +struct ck_token_info +{ + unsigned char label[32]; + unsigned char manufacturer_id[32]; + unsigned char model[16]; + unsigned char serial_number[16]; + ck_flags_t flags; + unsigned long max_session_count; + unsigned long session_count; + unsigned long max_rw_session_count; + unsigned long rw_session_count; + unsigned long max_pin_len; + unsigned long min_pin_len; + unsigned long total_public_memory; + unsigned long free_public_memory; + unsigned long total_private_memory; + unsigned long free_private_memory; + struct ck_version hardware_version; + struct ck_version firmware_version; + unsigned char utc_time[16]; +}; + + +#define CKF_RNG (1 << 0) +#define CKF_WRITE_PROTECTED (1 << 1) +#define CKF_LOGIN_REQUIRED (1 << 2) +#define CKF_USER_PIN_INITIALIZED (1 << 3) +#define CKF_RESTORE_KEY_NOT_NEEDED (1 << 5) +#define CKF_CLOCK_ON_TOKEN (1 << 6) +#define CKF_PROTECTED_AUTHENTICATION_PATH (1 << 8) +#define CKF_DUAL_CRYPTO_OPERATIONS (1 << 9) +#define CKF_TOKEN_INITIALIZED (1 << 10) +#define CKF_SECONDARY_AUTHENTICATION (1 << 11) +#define CKF_USER_PIN_COUNT_LOW (1 << 16) +#define CKF_USER_PIN_FINAL_TRY (1 << 17) +#define CKF_USER_PIN_LOCKED (1 << 18) +#define CKF_USER_PIN_TO_BE_CHANGED (1 << 19) +#define CKF_SO_PIN_COUNT_LOW (1 << 20) +#define CKF_SO_PIN_FINAL_TRY (1 << 21) +#define CKF_SO_PIN_LOCKED (1 << 22) +#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23) + +#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1) +#define CK_EFFECTIVELY_INFINITE (0) + + +typedef unsigned long ck_session_handle_t; + +#define CK_INVALID_HANDLE (0) + + +typedef unsigned long ck_user_type_t; + +#define CKU_SO (0) +#define CKU_USER (1) +#define CKU_CONTEXT_SPECIFIC (2) + + +typedef unsigned long ck_state_t; + +#define CKS_RO_PUBLIC_SESSION (0) +#define CKS_RO_USER_FUNCTIONS (1) +#define CKS_RW_PUBLIC_SESSION (2) +#define CKS_RW_USER_FUNCTIONS (3) +#define CKS_RW_SO_FUNCTIONS (4) + + +struct ck_session_info +{ + ck_slot_id_t slot_id; + ck_state_t state; + ck_flags_t flags; + unsigned long device_error; +}; + +#define CKF_RW_SESSION (1 << 1) +#define CKF_SERIAL_SESSION (1 << 2) + + +typedef unsigned long ck_object_handle_t; + + +typedef unsigned long ck_object_class_t; + +#define CKO_DATA (0) +#define CKO_CERTIFICATE (1) +#define CKO_PUBLIC_KEY (2) +#define CKO_PRIVATE_KEY (3) +#define CKO_SECRET_KEY (4) +#define CKO_HW_FEATURE (5) +#define CKO_DOMAIN_PARAMETERS (6) +#define CKO_MECHANISM (7) +#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +typedef unsigned long ck_hw_feature_type_t; + +#define CKH_MONOTONIC_COUNTER (1) +#define CKH_CLOCK (2) +#define CKH_USER_INTERFACE (3) +#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +typedef unsigned long ck_key_type_t; + +#define CKK_RSA (0) +#define CKK_DSA (1) +#define CKK_DH (2) +#define CKK_ECDSA (3) +#define CKK_EC (3) +#define CKK_X9_42_DH (4) +#define CKK_KEA (5) +#define CKK_GENERIC_SECRET (0x10) +#define CKK_RC2 (0x11) +#define CKK_RC4 (0x12) +#define CKK_DES (0x13) +#define CKK_DES2 (0x14) +#define CKK_DES3 (0x15) +#define CKK_CAST (0x16) +#define CKK_CAST3 (0x17) +#define CKK_CAST128 (0x18) +#define CKK_RC5 (0x19) +#define CKK_IDEA (0x1a) +#define CKK_SKIPJACK (0x1b) +#define CKK_BATON (0x1c) +#define CKK_JUNIPER (0x1d) +#define CKK_CDMF (0x1e) +#define CKK_AES (0x1f) +#define CKK_BLOWFISH (0x20) +#define CKK_TWOFISH (0x21) +#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +typedef unsigned long ck_certificate_type_t; + +#define CKC_X_509 (0) +#define CKC_X_509_ATTR_CERT (1) +#define CKC_WTLS (2) +#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +typedef unsigned long ck_attribute_type_t; + +#define CKA_CLASS (0) +#define CKA_TOKEN (1) +#define CKA_PRIVATE (2) +#define CKA_LABEL (3) +#define CKA_APPLICATION (0x10) +#define CKA_VALUE (0x11) +#define CKA_OBJECT_ID (0x12) +#define CKA_CERTIFICATE_TYPE (0x80) +#define CKA_ISSUER (0x81) +#define CKA_SERIAL_NUMBER (0x82) +#define CKA_AC_ISSUER (0x83) +#define CKA_OWNER (0x84) +#define CKA_ATTR_TYPES (0x85) +#define CKA_TRUSTED (0x86) +#define CKA_CERTIFICATE_CATEGORY (0x87) +#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88) +#define CKA_URL (0x89) +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a) +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b) +#define CKA_CHECK_VALUE (0x90) +#define CKA_KEY_TYPE (0x100) +#define CKA_SUBJECT (0x101) +#define CKA_ID (0x102) +#define CKA_SENSITIVE (0x103) +#define CKA_ENCRYPT (0x104) +#define CKA_DECRYPT (0x105) +#define CKA_WRAP (0x106) +#define CKA_UNWRAP (0x107) +#define CKA_SIGN (0x108) +#define CKA_SIGN_RECOVER (0x109) +#define CKA_VERIFY (0x10a) +#define CKA_VERIFY_RECOVER (0x10b) +#define CKA_DERIVE (0x10c) +#define CKA_START_DATE (0x110) +#define CKA_END_DATE (0x111) +#define CKA_MODULUS (0x120) +#define CKA_MODULUS_BITS (0x121) +#define CKA_PUBLIC_EXPONENT (0x122) +#define CKA_PRIVATE_EXPONENT (0x123) +#define CKA_PRIME_1 (0x124) +#define CKA_PRIME_2 (0x125) +#define CKA_EXPONENT_1 (0x126) +#define CKA_EXPONENT_2 (0x127) +#define CKA_COEFFICIENT (0x128) +#define CKA_PRIME (0x130) +#define CKA_SUBPRIME (0x131) +#define CKA_BASE (0x132) +#define CKA_PRIME_BITS (0x133) +#define CKA_SUB_PRIME_BITS (0x134) +#define CKA_VALUE_BITS (0x160) +#define CKA_VALUE_LEN (0x161) +#define CKA_EXTRACTABLE (0x162) +#define CKA_LOCAL (0x163) +#define CKA_NEVER_EXTRACTABLE (0x164) +#define CKA_ALWAYS_SENSITIVE (0x165) +#define CKA_KEY_GEN_MECHANISM (0x166) +#define CKA_MODIFIABLE (0x170) +#define CKA_ECDSA_PARAMS (0x180) +#define CKA_EC_PARAMS (0x180) +#define CKA_EC_POINT (0x181) +#define CKA_SECONDARY_AUTH (0x200) +#define CKA_AUTH_PIN_FLAGS (0x201) +#define CKA_ALWAYS_AUTHENTICATE (0x202) +#define CKA_WRAP_WITH_TRUSTED (0x210) +#define CKA_HW_FEATURE_TYPE (0x300) +#define CKA_RESET_ON_INIT (0x301) +#define CKA_HAS_RESET (0x302) +#define CKA_PIXEL_X (0x400) +#define CKA_PIXEL_Y (0x401) +#define CKA_RESOLUTION (0x402) +#define CKA_CHAR_ROWS (0x403) +#define CKA_CHAR_COLUMNS (0x404) +#define CKA_COLOR (0x405) +#define CKA_BITS_PER_PIXEL (0x406) +#define CKA_CHAR_SETS (0x480) +#define CKA_ENCODING_METHODS (0x481) +#define CKA_MIME_TYPES (0x482) +#define CKA_MECHANISM_TYPE (0x500) +#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501) +#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502) +#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503) +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211) +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212) +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600) +#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +struct ck_attribute +{ + ck_attribute_type_t type; + void *value; + unsigned long value_len; +}; + + +struct ck_date +{ + unsigned char year[4]; + unsigned char month[2]; + unsigned char day[2]; +}; + + +typedef unsigned long ck_mechanism_type_t; + +#define CKM_RSA_PKCS_KEY_PAIR_GEN (0) +#define CKM_RSA_PKCS (1) +#define CKM_RSA_9796 (2) +#define CKM_RSA_X_509 (3) +#define CKM_MD2_RSA_PKCS (4) +#define CKM_MD5_RSA_PKCS (5) +#define CKM_SHA1_RSA_PKCS (6) +#define CKM_RIPEMD128_RSA_PKCS (7) +#define CKM_RIPEMD160_RSA_PKCS (8) +#define CKM_RSA_PKCS_OAEP (9) +#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xa) +#define CKM_RSA_X9_31 (0xb) +#define CKM_SHA1_RSA_X9_31 (0xc) +#define CKM_RSA_PKCS_PSS (0xd) +#define CKM_SHA1_RSA_PKCS_PSS (0xe) +#define CKM_DSA_KEY_PAIR_GEN (0x10) +#define CKM_DSA (0x11) +#define CKM_DSA_SHA1 (0x12) +#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20) +#define CKM_DH_PKCS_DERIVE (0x21) +#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30) +#define CKM_X9_42_DH_DERIVE (0x31) +#define CKM_X9_42_DH_HYBRID_DERIVE (0x32) +#define CKM_X9_42_MQV_DERIVE (0x33) +#define CKM_SHA256_RSA_PKCS (0x40) +#define CKM_SHA384_RSA_PKCS (0x41) +#define CKM_SHA512_RSA_PKCS (0x42) +#define CKM_SHA256_RSA_PKCS_PSS (0x43) +#define CKM_SHA384_RSA_PKCS_PSS (0x44) +#define CKM_SHA512_RSA_PKCS_PSS (0x45) +#define CKM_RC2_KEY_GEN (0x100) +#define CKM_RC2_ECB (0x101) +#define CKM_RC2_CBC (0x102) +#define CKM_RC2_MAC (0x103) +#define CKM_RC2_MAC_GENERAL (0x104) +#define CKM_RC2_CBC_PAD (0x105) +#define CKM_RC4_KEY_GEN (0x110) +#define CKM_RC4 (0x111) +#define CKM_DES_KEY_GEN (0x120) +#define CKM_DES_ECB (0x121) +#define CKM_DES_CBC (0x122) +#define CKM_DES_MAC (0x123) +#define CKM_DES_MAC_GENERAL (0x124) +#define CKM_DES_CBC_PAD (0x125) +#define CKM_DES2_KEY_GEN (0x130) +#define CKM_DES3_KEY_GEN (0x131) +#define CKM_DES3_ECB (0x132) +#define CKM_DES3_CBC (0x133) +#define CKM_DES3_MAC (0x134) +#define CKM_DES3_MAC_GENERAL (0x135) +#define CKM_DES3_CBC_PAD (0x136) +#define CKM_CDMF_KEY_GEN (0x140) +#define CKM_CDMF_ECB (0x141) +#define CKM_CDMF_CBC (0x142) +#define CKM_CDMF_MAC (0x143) +#define CKM_CDMF_MAC_GENERAL (0x144) +#define CKM_CDMF_CBC_PAD (0x145) +#define CKM_MD2 (0x200) +#define CKM_MD2_HMAC (0x201) +#define CKM_MD2_HMAC_GENERAL (0x202) +#define CKM_MD5 (0x210) +#define CKM_MD5_HMAC (0x211) +#define CKM_MD5_HMAC_GENERAL (0x212) +#define CKM_SHA_1 (0x220) +#define CKM_SHA_1_HMAC (0x221) +#define CKM_SHA_1_HMAC_GENERAL (0x222) +#define CKM_RIPEMD128 (0x230) +#define CKM_RIPEMD128_HMAC (0x231) +#define CKM_RIPEMD128_HMAC_GENERAL (0x232) +#define CKM_RIPEMD160 (0x240) +#define CKM_RIPEMD160_HMAC (0x241) +#define CKM_RIPEMD160_HMAC_GENERAL (0x242) +#define CKM_SHA256 (0x250) +#define CKM_SHA256_HMAC (0x251) +#define CKM_SHA256_HMAC_GENERAL (0x252) +#define CKM_SHA384 (0x260) +#define CKM_SHA384_HMAC (0x261) +#define CKM_SHA384_HMAC_GENERAL (0x262) +#define CKM_SHA512 (0x270) +#define CKM_SHA512_HMAC (0x271) +#define CKM_SHA512_HMAC_GENERAL (0x272) +#define CKM_CAST_KEY_GEN (0x300) +#define CKM_CAST_ECB (0x301) +#define CKM_CAST_CBC (0x302) +#define CKM_CAST_MAC (0x303) +#define CKM_CAST_MAC_GENERAL (0x304) +#define CKM_CAST_CBC_PAD (0x305) +#define CKM_CAST3_KEY_GEN (0x310) +#define CKM_CAST3_ECB (0x311) +#define CKM_CAST3_CBC (0x312) +#define CKM_CAST3_MAC (0x313) +#define CKM_CAST3_MAC_GENERAL (0x314) +#define CKM_CAST3_CBC_PAD (0x315) +#define CKM_CAST5_KEY_GEN (0x320) +#define CKM_CAST128_KEY_GEN (0x320) +#define CKM_CAST5_ECB (0x321) +#define CKM_CAST128_ECB (0x321) +#define CKM_CAST5_CBC (0x322) +#define CKM_CAST128_CBC (0x322) +#define CKM_CAST5_MAC (0x323) +#define CKM_CAST128_MAC (0x323) +#define CKM_CAST5_MAC_GENERAL (0x324) +#define CKM_CAST128_MAC_GENERAL (0x324) +#define CKM_CAST5_CBC_PAD (0x325) +#define CKM_CAST128_CBC_PAD (0x325) +#define CKM_RC5_KEY_GEN (0x330) +#define CKM_RC5_ECB (0x331) +#define CKM_RC5_CBC (0x332) +#define CKM_RC5_MAC (0x333) +#define CKM_RC5_MAC_GENERAL (0x334) +#define CKM_RC5_CBC_PAD (0x335) +#define CKM_IDEA_KEY_GEN (0x340) +#define CKM_IDEA_ECB (0x341) +#define CKM_IDEA_CBC (0x342) +#define CKM_IDEA_MAC (0x343) +#define CKM_IDEA_MAC_GENERAL (0x344) +#define CKM_IDEA_CBC_PAD (0x345) +#define CKM_GENERIC_SECRET_KEY_GEN (0x350) +#define CKM_CONCATENATE_BASE_AND_KEY (0x360) +#define CKM_CONCATENATE_BASE_AND_DATA (0x362) +#define CKM_CONCATENATE_DATA_AND_BASE (0x363) +#define CKM_XOR_BASE_AND_DATA (0x364) +#define CKM_EXTRACT_KEY_FROM_KEY (0x365) +#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370) +#define CKM_SSL3_MASTER_KEY_DERIVE (0x371) +#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372) +#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373) +#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374) +#define CKM_TLS_MASTER_KEY_DERIVE (0x375) +#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376) +#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377) +#define CKM_SSL3_MD5_MAC (0x380) +#define CKM_SSL3_SHA1_MAC (0x381) +#define CKM_MD5_KEY_DERIVATION (0x390) +#define CKM_MD2_KEY_DERIVATION (0x391) +#define CKM_SHA1_KEY_DERIVATION (0x392) +#define CKM_PBE_MD2_DES_CBC (0x3a0) +#define CKM_PBE_MD5_DES_CBC (0x3a1) +#define CKM_PBE_MD5_CAST_CBC (0x3a2) +#define CKM_PBE_MD5_CAST3_CBC (0x3a3) +#define CKM_PBE_MD5_CAST5_CBC (0x3a4) +#define CKM_PBE_MD5_CAST128_CBC (0x3a4) +#define CKM_PBE_SHA1_CAST5_CBC (0x3a5) +#define CKM_PBE_SHA1_CAST128_CBC (0x3a5) +#define CKM_PBE_SHA1_RC4_128 (0x3a6) +#define CKM_PBE_SHA1_RC4_40 (0x3a7) +#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) +#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) +#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) +#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) +#define CKM_PKCS5_PBKD2 (0x3b0) +#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0) +#define CKM_KEY_WRAP_LYNKS (0x400) +#define CKM_KEY_WRAP_SET_OAEP (0x401) +#define CKM_SKIPJACK_KEY_GEN (0x1000) +#define CKM_SKIPJACK_ECB64 (0x1001) +#define CKM_SKIPJACK_CBC64 (0x1002) +#define CKM_SKIPJACK_OFB64 (0x1003) +#define CKM_SKIPJACK_CFB64 (0x1004) +#define CKM_SKIPJACK_CFB32 (0x1005) +#define CKM_SKIPJACK_CFB16 (0x1006) +#define CKM_SKIPJACK_CFB8 (0x1007) +#define CKM_SKIPJACK_WRAP (0x1008) +#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009) +#define CKM_SKIPJACK_RELAYX (0x100a) +#define CKM_KEA_KEY_PAIR_GEN (0x1010) +#define CKM_KEA_KEY_DERIVE (0x1011) +#define CKM_FORTEZZA_TIMESTAMP (0x1020) +#define CKM_BATON_KEY_GEN (0x1030) +#define CKM_BATON_ECB128 (0x1031) +#define CKM_BATON_ECB96 (0x1032) +#define CKM_BATON_CBC128 (0x1033) +#define CKM_BATON_COUNTER (0x1034) +#define CKM_BATON_SHUFFLE (0x1035) +#define CKM_BATON_WRAP (0x1036) +#define CKM_ECDSA_KEY_PAIR_GEN (0x1040) +#define CKM_EC_KEY_PAIR_GEN (0x1040) +#define CKM_ECDSA (0x1041) +#define CKM_ECDSA_SHA1 (0x1042) +#define CKM_ECDH1_DERIVE (0x1050) +#define CKM_ECDH1_COFACTOR_DERIVE (0x1051) +#define CKM_ECMQV_DERIVE (0x1052) +#define CKM_JUNIPER_KEY_GEN (0x1060) +#define CKM_JUNIPER_ECB128 (0x1061) +#define CKM_JUNIPER_CBC128 (0x1062) +#define CKM_JUNIPER_COUNTER (0x1063) +#define CKM_JUNIPER_SHUFFLE (0x1064) +#define CKM_JUNIPER_WRAP (0x1065) +#define CKM_FASTHASH (0x1070) +#define CKM_AES_KEY_GEN (0x1080) +#define CKM_AES_ECB (0x1081) +#define CKM_AES_CBC (0x1082) +#define CKM_AES_MAC (0x1083) +#define CKM_AES_MAC_GENERAL (0x1084) +#define CKM_AES_CBC_PAD (0x1085) +#define CKM_DSA_PARAMETER_GEN (0x2000) +#define CKM_DH_PKCS_PARAMETER_GEN (0x2001) +#define CKM_X9_42_DH_PARAMETER_GEN (0x2002) +#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + +struct ck_mechanism +{ + ck_mechanism_type_t mechanism; + void *parameter; + unsigned long parameter_len; +}; + + +struct ck_mechanism_info +{ + unsigned long min_key_size; + unsigned long max_key_size; + ck_flags_t flags; +}; + +#define CKF_HW (1 << 0) +#define CKF_ENCRYPT (1 << 8) +#define CKF_DECRYPT (1 << 9) +#define CKF_DIGEST (1 << 10) +#define CKF_SIGN (1 << 11) +#define CKF_SIGN_RECOVER (1 << 12) +#define CKF_VERIFY (1 << 13) +#define CKF_VERIFY_RECOVER (1 << 14) +#define CKF_GENERATE (1 << 15) +#define CKF_GENERATE_KEY_PAIR (1 << 16) +#define CKF_WRAP (1 << 17) +#define CKF_UNWRAP (1 << 18) +#define CKF_DERIVE (1 << 19) +#define CKF_EXTENSION ((unsigned long) (1 << 31)) + + +/* Flags for C_WaitForSlotEvent. */ +#define CKF_DONT_BLOCK (1) + + +typedef unsigned long ck_rv_t; + + +typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session, + ck_notification_t event, void *application); + +/* Forward reference. */ +struct ck_function_list; + +#define _CK_DECLARE_FUNCTION(name, args) \ +typedef ck_rv_t (*CK_ ## name) args; \ +ck_rv_t CK_SPEC name args + +_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args)); +_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved)); +_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info)); +_CK_DECLARE_FUNCTION (C_GetFunctionList, + (struct ck_function_list **function_list)); + +_CK_DECLARE_FUNCTION (C_GetSlotList, + (unsigned char token_present, ck_slot_id_t *slot_list, + unsigned long *count)); +_CK_DECLARE_FUNCTION (C_GetSlotInfo, + (ck_slot_id_t slot_id, struct ck_slot_info *info)); +_CK_DECLARE_FUNCTION (C_GetTokenInfo, + (ck_slot_id_t slot_id, struct ck_token_info *info)); +_CK_DECLARE_FUNCTION (C_WaitForSlotEvent, + (ck_flags_t flags, ck_slot_id_t *slot, void *reserved)); +_CK_DECLARE_FUNCTION (C_GetMechanismList, + (ck_slot_id_t slot_id, + ck_mechanism_type_t *mechanism_list, + unsigned long *count)); +_CK_DECLARE_FUNCTION (C_GetMechanismInfo, + (ck_slot_id_t slot_id, ck_mechanism_type_t type, + struct ck_mechanism_info *info)); +_CK_DECLARE_FUNCTION (C_InitToken, + (ck_slot_id_t slot_id, unsigned char *pin, + unsigned long pin_len, unsigned char *label)); +_CK_DECLARE_FUNCTION (C_InitPIN, + (ck_session_handle_t session, unsigned char *pin, + unsigned long pin_len)); +_CK_DECLARE_FUNCTION (C_SetPIN, + (ck_session_handle_t session, unsigned char *old_pin, + unsigned long old_len, unsigned char *new_pin, + unsigned long new_len)); + +_CK_DECLARE_FUNCTION (C_OpenSession, + (ck_slot_id_t slot_id, ck_flags_t flags, + void *application, ck_notify_t notify, + ck_session_handle_t *session)); +_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session)); +_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id)); +_CK_DECLARE_FUNCTION (C_GetSessionInfo, + (ck_session_handle_t session, + struct ck_session_info *info)); +_CK_DECLARE_FUNCTION (C_GetOperationState, + (ck_session_handle_t session, + unsigned char *operation_state, + unsigned long *operation_state_len)); +_CK_DECLARE_FUNCTION (C_SetOperationState, + (ck_session_handle_t session, + unsigned char *operation_state, + unsigned long operation_state_len, + ck_object_handle_t encryption_key, + ck_object_handle_t authentiation_key)); +_CK_DECLARE_FUNCTION (C_Login, + (ck_session_handle_t session, ck_user_type_t user_type, + unsigned char *pin, unsigned long pin_len)); +_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session)); + +_CK_DECLARE_FUNCTION (C_CreateObject, + (ck_session_handle_t session, + struct ck_attribute *templ, + unsigned long count, ck_object_handle_t *object)); +_CK_DECLARE_FUNCTION (C_CopyObject, + (ck_session_handle_t session, ck_object_handle_t object, + struct ck_attribute *templ, unsigned long count, + ck_object_handle_t *new_object)); +_CK_DECLARE_FUNCTION (C_DestroyObject, + (ck_session_handle_t session, + ck_object_handle_t object)); +_CK_DECLARE_FUNCTION (C_GetObjectSize, + (ck_session_handle_t session, + ck_object_handle_t object, + unsigned long *size)); +_CK_DECLARE_FUNCTION (C_GetAttributeValue, + (ck_session_handle_t session, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count)); +_CK_DECLARE_FUNCTION (C_SetAttributeValue, + (ck_session_handle_t session, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count)); +_CK_DECLARE_FUNCTION (C_FindObjectsInit, + (ck_session_handle_t session, + struct ck_attribute *templ, + unsigned long count)); +_CK_DECLARE_FUNCTION (C_FindObjects, + (ck_session_handle_t session, + ck_object_handle_t *object, + unsigned long max_object_count, + unsigned long *object_count)); +_CK_DECLARE_FUNCTION (C_FindObjectsFinal, + (ck_session_handle_t session)); + +_CK_DECLARE_FUNCTION (C_EncryptInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_Encrypt, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *encrypted_data, + unsigned long *encrypted_data_len)); +_CK_DECLARE_FUNCTION (C_EncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); +_CK_DECLARE_FUNCTION (C_EncryptFinal, + (ck_session_handle_t session, + unsigned char *last_encrypted_part, + unsigned long *last_encrypted_part_len)); + +_CK_DECLARE_FUNCTION (C_DecryptInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_Decrypt, + (ck_session_handle_t session, + unsigned char *encrypted_data, + unsigned long encrypted_data_len, + unsigned char *data, unsigned long *data_len)); +_CK_DECLARE_FUNCTION (C_DecryptUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, unsigned long *part_len)); +_CK_DECLARE_FUNCTION (C_DecryptFinal, + (ck_session_handle_t session, + unsigned char *last_part, + unsigned long *last_part_len)); + +_CK_DECLARE_FUNCTION (C_DigestInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism)); +_CK_DECLARE_FUNCTION (C_Digest, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *digest, + unsigned long *digest_len)); +_CK_DECLARE_FUNCTION (C_DigestUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); +_CK_DECLARE_FUNCTION (C_DigestKey, + (ck_session_handle_t session, ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_DigestFinal, + (ck_session_handle_t session, + unsigned char *digest, + unsigned long *digest_len)); + +_CK_DECLARE_FUNCTION (C_SignInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_Sign, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len)); +_CK_DECLARE_FUNCTION (C_SignUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); +_CK_DECLARE_FUNCTION (C_SignFinal, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long *signature_len)); +_CK_DECLARE_FUNCTION (C_SignRecoverInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_SignRecover, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len)); + +_CK_DECLARE_FUNCTION (C_VerifyInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_Verify, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long signature_len)); +_CK_DECLARE_FUNCTION (C_VerifyUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); +_CK_DECLARE_FUNCTION (C_VerifyFinal, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long signature_len)); +_CK_DECLARE_FUNCTION (C_VerifyRecoverInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); +_CK_DECLARE_FUNCTION (C_VerifyRecover, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long signature_len, + unsigned char *data, + unsigned long *data_len)); + +_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); +_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, + unsigned long *part_len)); +_CK_DECLARE_FUNCTION (C_SignEncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); +_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, + unsigned long *part_len)); + +_CK_DECLARE_FUNCTION (C_GenerateKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + struct ck_attribute *templ, + unsigned long count, + ck_object_handle_t *key)); +_CK_DECLARE_FUNCTION (C_GenerateKeyPair, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + struct ck_attribute *public_key_template, + unsigned long public_key_attribute_count, + struct ck_attribute *private_key_template, + unsigned long private_key_attribute_count, + ck_object_handle_t *public_key, + ck_object_handle_t *private_key)); +_CK_DECLARE_FUNCTION (C_WrapKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t wrapping_key, + ck_object_handle_t key, + unsigned char *wrapped_key, + unsigned long *wrapped_key_len)); +_CK_DECLARE_FUNCTION (C_UnwrapKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t unwrapping_key, + unsigned char *wrapped_key, + unsigned long wrapped_key_len, + struct ck_attribute *templ, + unsigned long attribute_count, + ck_object_handle_t *key)); +_CK_DECLARE_FUNCTION (C_DeriveKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t base_key, + struct ck_attribute *templ, + unsigned long attribute_count, + ck_object_handle_t *key)); + +_CK_DECLARE_FUNCTION (C_SeedRandom, + (ck_session_handle_t session, unsigned char *seed, + unsigned long seed_len)); +_CK_DECLARE_FUNCTION (C_GenerateRandom, + (ck_session_handle_t session, + unsigned char *random_data, + unsigned long random_len)); + +_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session)); +_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session)); + + +struct ck_function_list +{ + struct ck_version version; + CK_C_Initialize C_Initialize; + CK_C_Finalize C_Finalize; + CK_C_GetInfo C_GetInfo; + CK_C_GetFunctionList C_GetFunctionList; + CK_C_GetSlotList C_GetSlotList; + CK_C_GetSlotInfo C_GetSlotInfo; + CK_C_GetTokenInfo C_GetTokenInfo; + CK_C_GetMechanismList C_GetMechanismList; + CK_C_GetMechanismInfo C_GetMechanismInfo; + CK_C_InitToken C_InitToken; + CK_C_InitPIN C_InitPIN; + CK_C_SetPIN C_SetPIN; + CK_C_OpenSession C_OpenSession; + CK_C_CloseSession C_CloseSession; + CK_C_CloseAllSessions C_CloseAllSessions; + CK_C_GetSessionInfo C_GetSessionInfo; + CK_C_GetOperationState C_GetOperationState; + CK_C_SetOperationState C_SetOperationState; + CK_C_Login C_Login; + CK_C_Logout C_Logout; + CK_C_CreateObject C_CreateObject; + CK_C_CopyObject C_CopyObject; + CK_C_DestroyObject C_DestroyObject; + CK_C_GetObjectSize C_GetObjectSize; + CK_C_GetAttributeValue C_GetAttributeValue; + CK_C_SetAttributeValue C_SetAttributeValue; + CK_C_FindObjectsInit C_FindObjectsInit; + CK_C_FindObjects C_FindObjects; + CK_C_FindObjectsFinal C_FindObjectsFinal; + CK_C_EncryptInit C_EncryptInit; + CK_C_Encrypt C_Encrypt; + CK_C_EncryptUpdate C_EncryptUpdate; + CK_C_EncryptFinal C_EncryptFinal; + CK_C_DecryptInit C_DecryptInit; + CK_C_Decrypt C_Decrypt; + CK_C_DecryptUpdate C_DecryptUpdate; + CK_C_DecryptFinal C_DecryptFinal; + CK_C_DigestInit C_DigestInit; + CK_C_Digest C_Digest; + CK_C_DigestUpdate C_DigestUpdate; + CK_C_DigestKey C_DigestKey; + CK_C_DigestFinal C_DigestFinal; + CK_C_SignInit C_SignInit; + CK_C_Sign C_Sign; + CK_C_SignUpdate C_SignUpdate; + CK_C_SignFinal C_SignFinal; + CK_C_SignRecoverInit C_SignRecoverInit; + CK_C_SignRecover C_SignRecover; + CK_C_VerifyInit C_VerifyInit; + CK_C_Verify C_Verify; + CK_C_VerifyUpdate C_VerifyUpdate; + CK_C_VerifyFinal C_VerifyFinal; + CK_C_VerifyRecoverInit C_VerifyRecoverInit; + CK_C_VerifyRecover C_VerifyRecover; + CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; + CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; + CK_C_SignEncryptUpdate C_SignEncryptUpdate; + CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; + CK_C_GenerateKey C_GenerateKey; + CK_C_GenerateKeyPair C_GenerateKeyPair; + CK_C_WrapKey C_WrapKey; + CK_C_UnwrapKey C_UnwrapKey; + CK_C_DeriveKey C_DeriveKey; + CK_C_SeedRandom C_SeedRandom; + CK_C_GenerateRandom C_GenerateRandom; + CK_C_GetFunctionStatus C_GetFunctionStatus; + CK_C_CancelFunction C_CancelFunction; + CK_C_WaitForSlotEvent C_WaitForSlotEvent; +}; + + +typedef ck_rv_t (*ck_createmutex_t) (void **mutex); +typedef ck_rv_t (*ck_destroymutex_t) (void *mutex); +typedef ck_rv_t (*ck_lockmutex_t) (void *mutex); +typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex); + + +struct ck_c_initialize_args +{ + ck_createmutex_t create_mutex; + ck_destroymutex_t destroy_mutex; + ck_lockmutex_t lock_mutex; + ck_unlockmutex_t unlock_mutex; + ck_flags_t flags; + void *reserved; +}; + + +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1 << 0) +#define CKF_OS_LOCKING_OK (1 << 1) + +#define CKR_OK (0) +#define CKR_CANCEL (1) +#define CKR_HOST_MEMORY (2) +#define CKR_SLOT_ID_INVALID (3) +#define CKR_GENERAL_ERROR (5) +#define CKR_FUNCTION_FAILED (6) +#define CKR_ARGUMENTS_BAD (7) +#define CKR_NO_EVENT (8) +#define CKR_NEED_TO_CREATE_THREADS (9) +#define CKR_CANT_LOCK (0xa) +#define CKR_ATTRIBUTE_READ_ONLY (0x10) +#define CKR_ATTRIBUTE_SENSITIVE (0x11) +#define CKR_ATTRIBUTE_TYPE_INVALID (0x12) +#define CKR_ATTRIBUTE_VALUE_INVALID (0x13) +#define CKR_DATA_INVALID (0x20) +#define CKR_DATA_LEN_RANGE (0x21) +#define CKR_DEVICE_ERROR (0x30) +#define CKR_DEVICE_MEMORY (0x31) +#define CKR_DEVICE_REMOVED (0x32) +#define CKR_ENCRYPTED_DATA_INVALID (0x40) +#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41) +#define CKR_FUNCTION_CANCELED (0x50) +#define CKR_FUNCTION_NOT_PARALLEL (0x51) +#define CKR_FUNCTION_NOT_SUPPORTED (0x54) +#define CKR_KEY_HANDLE_INVALID (0x60) +#define CKR_KEY_SIZE_RANGE (0x62) +#define CKR_KEY_TYPE_INCONSISTENT (0x63) +#define CKR_KEY_NOT_NEEDED (0x64) +#define CKR_KEY_CHANGED (0x65) +#define CKR_KEY_NEEDED (0x66) +#define CKR_KEY_INDIGESTIBLE (0x67) +#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68) +#define CKR_KEY_NOT_WRAPPABLE (0x69) +#define CKR_KEY_UNEXTRACTABLE (0x6a) +#define CKR_MECHANISM_INVALID (0x70) +#define CKR_MECHANISM_PARAM_INVALID (0x71) +#define CKR_OBJECT_HANDLE_INVALID (0x82) +#define CKR_OPERATION_ACTIVE (0x90) +#define CKR_OPERATION_NOT_INITIALIZED (0x91) +#define CKR_PIN_INCORRECT (0xa0) +#define CKR_PIN_INVALID (0xa1) +#define CKR_PIN_LEN_RANGE (0xa2) +#define CKR_PIN_EXPIRED (0xa3) +#define CKR_PIN_LOCKED (0xa4) +#define CKR_SESSION_CLOSED (0xb0) +#define CKR_SESSION_COUNT (0xb1) +#define CKR_SESSION_HANDLE_INVALID (0xb3) +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4) +#define CKR_SESSION_READ_ONLY (0xb5) +#define CKR_SESSION_EXISTS (0xb6) +#define CKR_SESSION_READ_ONLY_EXISTS (0xb7) +#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8) +#define CKR_SIGNATURE_INVALID (0xc0) +#define CKR_SIGNATURE_LEN_RANGE (0xc1) +#define CKR_TEMPLATE_INCOMPLETE (0xd0) +#define CKR_TEMPLATE_INCONSISTENT (0xd1) +#define CKR_TOKEN_NOT_PRESENT (0xe0) +#define CKR_TOKEN_NOT_RECOGNIZED (0xe1) +#define CKR_TOKEN_WRITE_PROTECTED (0xe2) +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0) +#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1) +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2) +#define CKR_USER_ALREADY_LOGGED_IN (0x100) +#define CKR_USER_NOT_LOGGED_IN (0x101) +#define CKR_USER_PIN_NOT_INITIALIZED (0x102) +#define CKR_USER_TYPE_INVALID (0x103) +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104) +#define CKR_USER_TOO_MANY_TYPES (0x105) +#define CKR_WRAPPED_KEY_INVALID (0x110) +#define CKR_WRAPPED_KEY_LEN_RANGE (0x112) +#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113) +#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114) +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115) +#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120) +#define CKR_RANDOM_NO_RNG (0x121) +#define CKR_DOMAIN_PARAMS_INVALID (0x130) +#define CKR_BUFFER_TOO_SMALL (0x150) +#define CKR_SAVED_STATE_INVALID (0x160) +#define CKR_INFORMATION_SENSITIVE (0x170) +#define CKR_STATE_UNSAVEABLE (0x180) +#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190) +#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191) +#define CKR_MUTEX_BAD (0x1a0) +#define CKR_MUTEX_NOT_LOCKED (0x1a1) +#define CKR_FUNCTION_REJECTED (0x200) +#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31)) + + + +/* Compatibility layer. */ + +#ifdef CRYPTOKI_COMPAT + +#undef CK_DEFINE_FUNCTION +#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name + +/* For NULL. */ +#include <stddef.h> + +typedef unsigned char CK_BYTE; +typedef unsigned char CK_CHAR; +typedef unsigned char CK_UTF8CHAR; +typedef unsigned char CK_BBOOL; +typedef unsigned long int CK_ULONG; +typedef long int CK_LONG; +typedef CK_BYTE *CK_BYTE_PTR; +typedef CK_CHAR *CK_CHAR_PTR; +typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; +typedef CK_ULONG *CK_ULONG_PTR; +typedef void *CK_VOID_PTR; +typedef void **CK_VOID_PTR_PTR; +#define CK_FALSE 0 +#define CK_TRUE 1 +#ifndef CK_DISABLE_TRUE_FALSE +#ifndef FALSE +#define FALSE 0 +#endif +#ifndef TRUE +#define TRUE 1 +#endif +#endif + +typedef struct ck_version CK_VERSION; +typedef struct ck_version *CK_VERSION_PTR; + +typedef struct ck_info CK_INFO; +typedef struct ck_info *CK_INFO_PTR; + +typedef ck_slot_id_t *CK_SLOT_ID_PTR; + +typedef struct ck_slot_info CK_SLOT_INFO; +typedef struct ck_slot_info *CK_SLOT_INFO_PTR; + +typedef struct ck_token_info CK_TOKEN_INFO; +typedef struct ck_token_info *CK_TOKEN_INFO_PTR; + +typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; + +typedef struct ck_session_info CK_SESSION_INFO; +typedef struct ck_session_info *CK_SESSION_INFO_PTR; + +typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; + +typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; + +typedef struct ck_attribute CK_ATTRIBUTE; +typedef struct ck_attribute *CK_ATTRIBUTE_PTR; + +typedef struct ck_date CK_DATE; +typedef struct ck_date *CK_DATE_PTR; + +typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; + +typedef struct ck_mechanism CK_MECHANISM; +typedef struct ck_mechanism *CK_MECHANISM_PTR; + +typedef struct ck_mechanism_info CK_MECHANISM_INFO; +typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; + +typedef struct ck_function_list CK_FUNCTION_LIST; +typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; +typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; + +typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; +typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; + +#define NULL_PTR NULL + +/* Delete the helper macros defined at the top of the file. */ +#undef ck_flags_t +#undef ck_version + +#undef ck_info +#undef cryptoki_version +#undef manufacturer_id +#undef library_description +#undef library_version + +#undef ck_notification_t +#undef ck_slot_id_t + +#undef ck_slot_info +#undef slot_description +#undef hardware_version +#undef firmware_version + +#undef ck_token_info +#undef serial_number +#undef max_session_count +#undef session_count +#undef max_rw_session_count +#undef rw_session_count +#undef max_pin_len +#undef min_pin_len +#undef total_public_memory +#undef free_public_memory +#undef total_private_memory +#undef free_private_memory +#undef utc_time + +#undef ck_session_handle_t +#undef ck_user_type_t +#undef ck_state_t + +#undef ck_session_info +#undef slot_id +#undef device_error + +#undef ck_object_handle_t +#undef ck_object_class_t +#undef ck_hw_feature_type_t +#undef ck_key_type_t +#undef ck_certificate_type_t +#undef ck_attribute_type_t + +#undef ck_attribute +#undef value +#undef value_len + +#undef ck_date + +#undef ck_mechanism_type_t + +#undef ck_mechanism +#undef parameter +#undef parameter_len + +#undef ck_mechanism_info +#undef min_key_size +#undef max_key_size + +#undef ck_rv_t +#undef ck_notify_t + +#undef ck_function_list + +#undef ck_createmutex_t +#undef ck_destroymutex_t +#undef ck_lockmutex_t +#undef ck_unlockmutex_t + +#undef ck_c_initialize_args +#undef create_mutex +#undef destroy_mutex +#undef lock_mutex +#undef unlock_mutex +#undef reserved + +#endif /* CRYPTOKI_COMPAT */ + + +/* System dependencies. */ +#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) +#pragma pack(pop, cryptoki) +#endif + +#if defined(__cplusplus) +} +#endif + +#endif /* PKCS11_H */ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c new file mode 100644 index 000000000..1b1448c6a --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_creds.h" + +#include <debug.h> +#include <utils/linked_list.h> + +typedef struct private_pkcs11_creds_t private_pkcs11_creds_t; + +/** + * Private data of an pkcs11_creds_t object. + */ +struct private_pkcs11_creds_t { + + /** + * Public pkcs11_creds_t interface. + */ + pkcs11_creds_t public; + + /** + * PKCS# library + */ + pkcs11_library_t *lib; + + /** + * Token slot + */ + CK_SLOT_ID slot; + + /** + * List of trusted certificates + */ + linked_list_t *trusted; + + /** + * List of untrusted certificates + */ + linked_list_t *untrusted; +}; + +/** + * Find certificates, optionally trusted + */ +static void find_certificates(private_pkcs11_creds_t *this, + CK_SESSION_HANDLE session, CK_BBOOL trusted) +{ + CK_OBJECT_CLASS class = CKO_CERTIFICATE; + CK_CERTIFICATE_TYPE type = CKC_X_509; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_CERTIFICATE_TYPE, &type, sizeof(type)}, + {CKA_TRUSTED, &trusted, sizeof(trusted)}, + }; + CK_OBJECT_HANDLE object; + CK_ATTRIBUTE attr[] = { + {CKA_VALUE, NULL, 0}, + {CKA_LABEL, NULL, 0}, + }; + enumerator_t *enumerator; + linked_list_t *raw; + certificate_t *cert; + struct { + chunk_t value; + chunk_t label; + } *entry; + + raw = linked_list_create(); + enumerator = this->lib->create_object_enumerator(this->lib, + session, tmpl, countof(tmpl), attr, countof(attr)); + while (enumerator->enumerate(enumerator, &object)) + { + entry = malloc(sizeof(*entry)); + entry->value = chunk_clone( + chunk_create(attr[0].pValue, attr[0].ulValueLen)); + entry->label = chunk_clone( + chunk_create(attr[1].pValue, attr[1].ulValueLen)); + raw->insert_last(raw, entry); + } + enumerator->destroy(enumerator); + + while (raw->remove_first(raw, (void**)&entry) == SUCCESS) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, entry->value, + BUILD_END); + if (cert) + { + DBG1(DBG_CFG, " loaded %strusted cert '%.*s'", + trusted ? "" : "un", entry->label.len, entry->label.ptr); + /* trusted certificates are also returned as untrusted */ + this->untrusted->insert_last(this->untrusted, cert); + if (trusted) + { + this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + } + } + else + { + DBG1(DBG_CFG, " loading cert '%.*s' failed", + entry->label.len, entry->label.ptr); + } + free(entry->value.ptr); + free(entry->label.ptr); + free(entry); + } + raw->destroy(raw); +} + +/** + * Load in the certificates from the token + */ +static bool load_certificates(private_pkcs11_creds_t *this) +{ + CK_SESSION_HANDLE session; + CK_RV rv; + + rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, + NULL, NULL, &session); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv); + return FALSE; + } + + find_certificates(this, session, CK_TRUE); + find_certificates(this, session, CK_FALSE); + + this->lib->f->C_CloseSession(session); + return TRUE; +} + +/** + * filter function for certs enumerator + */ +static bool certs_filter(identification_t *id, + certificate_t **in, certificate_t **out) +{ + public_key_t *public; + certificate_t *cert = *in; + + if (id == NULL || cert->has_subject(cert, id)) + { + *out = *in; + return TRUE; + } + public = cert->get_public_key(cert); + if (public) + { + if (public->has_fingerprint(public, id->get_encoding(id))) + { + public->destroy(public); + *out = *in; + return TRUE; + } + public->destroy(public); + } + return FALSE; +} + +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + enumerator_t *inner; + + if (cert != CERT_X509 && cert != CERT_ANY) + { + return NULL; + } + if (trusted) + { + inner = this->trusted->create_enumerator(this->trusted); + } + else + { + inner = this->untrusted->create_enumerator(this->untrusted); + } + return enumerator_create_filter(inner, (void*)certs_filter, id, NULL); +} + +METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*, + private_pkcs11_creds_t *this) +{ + return this->lib; +} + +METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID, + private_pkcs11_creds_t *this) +{ + return this->slot; +} + +METHOD(pkcs11_creds_t, destroy, void, + private_pkcs11_creds_t *this) +{ + this->trusted->destroy_offset(this->trusted, + offsetof(certificate_t, destroy)); + this->untrusted->destroy_offset(this->untrusted, + offsetof(certificate_t, destroy)); + free(this); +} + +/** + * See header + */ +pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot) +{ + private_pkcs11_creds_t *this; + + INIT(this, + .public = { + .set = { + .create_shared_enumerator = (void*)enumerator_create_empty, + .create_private_enumerator = (void*)enumerator_create_empty, + .create_cert_enumerator = _create_cert_enumerator, + .create_cdp_enumerator = (void*)enumerator_create_empty, + .cache_cert = (void*)nop, + }, + .get_library = _get_library, + .get_slot = _get_slot, + .destroy = _destroy, + }, + .lib = p11, + .slot = slot, + .trusted = linked_list_create(), + .untrusted = linked_list_create(), + ); + + if (!load_certificates(this)) + { + destroy(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h new file mode 100644 index 000000000..c40a8dea6 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h @@ -0,0 +1,68 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_creds pkcs11_creds + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_CREDS_H_ +#define PKCS11_CREDS_H_ + +typedef struct pkcs11_creds_t pkcs11_creds_t; + +#include "pkcs11_library.h" + +#include <credentials/credential_manager.h> + +/** + * Credential set on top on a PKCS#11 token. + */ +struct pkcs11_creds_t { + + /** + * Implements credential_set_t. + */ + credential_set_t set; + + /** + * Get the PKCS#11 library this set uses. + * + * @return library + */ + pkcs11_library_t* (*get_library)(pkcs11_creds_t *this); + + /** + * Get the slot of the token this set uses. + * + * @return slot + */ + CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this); + + /** + * Destroy a pkcs11_creds_t. + */ + void (*destroy)(pkcs11_creds_t *this); +}; + +/** + * Create a pkcs11_creds instance. + * + * @param p11 loaded PKCS#11 library + * @param slot slot of the token we hand out credentials + */ +pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot); + +#endif /** PKCS11_CREDS_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c new file mode 100644 index 000000000..6d327be40 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c @@ -0,0 +1,323 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_hasher.h" + +#include <unistd.h> + +#include <debug.h> +#include <threading/mutex.h> + +#include "pkcs11_manager.h" + +typedef struct private_pkcs11_hasher_t private_pkcs11_hasher_t; + +/** + * Private data of an pkcs11_hasher_t object. + */ +struct private_pkcs11_hasher_t { + + /** + * Public pkcs11_hasher_t interface. + */ + pkcs11_hasher_t public; + + /** + * PKCS#11 library + */ + pkcs11_library_t *lib; + + /** + * Mechanism for this hasher + */ + CK_MECHANISM_PTR mech; + + /** + * Token session + */ + CK_SESSION_HANDLE session; + + /** + * size of the hash + */ + size_t size; + + /** + * Mutex to lock the tokens hashing engine + */ + mutex_t *mutex; + + /** + * do we have an initialized state? + */ + bool have_state; + + /** + * state buffer + */ + CK_BYTE_PTR state; + + /** + * Length of the state buffer + */ + CK_ULONG state_len; +}; + +METHOD(hasher_t, get_hash_size, size_t, + private_pkcs11_hasher_t *this) +{ + return this->size; +} + +/** + * Save the Operation state to host memory + */ +static void save_state(private_pkcs11_hasher_t *this) +{ + CK_RV rv; + + while (TRUE) + { + if (!this->state) + { + rv = this->lib->f->C_GetOperationState(this->session, NULL, + &this->state_len); + if (rv != CKR_OK) + { + break; + } + this->state = malloc(this->state_len); + } + rv = this->lib->f->C_GetOperationState(this->session, this->state, + &this->state_len); + switch (rv) + { + case CKR_BUFFER_TOO_SMALL: + free(this->state); + this->state = NULL; + continue; + case CKR_OK: + this->have_state = TRUE; + return; + default: + break; + } + break; + } + DBG1(DBG_CFG, "C_GetOperationState() failed: %N", ck_rv_names, rv); + abort(); +} + +/** + * Load the Operation state from host memory + */ +static void load_state(private_pkcs11_hasher_t *this) +{ + CK_RV rv; + + rv = this->lib->f->C_SetOperationState(this->session, this->state, + this->state_len, CK_INVALID_HANDLE, CK_INVALID_HANDLE); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_SetOperationState() failed: %N", ck_rv_names, rv); + abort(); + } + this->have_state = FALSE; +} + +METHOD(hasher_t, reset, void, + private_pkcs11_hasher_t *this) +{ + this->have_state = FALSE; +} + +METHOD(hasher_t, get_hash, void, + private_pkcs11_hasher_t *this, chunk_t chunk, u_int8_t *hash) +{ + CK_RV rv; + CK_ULONG len; + + this->mutex->lock(this->mutex); + if (this->have_state) + { + load_state(this); + } + else + { + rv = this->lib->f->C_DigestInit(this->session, this->mech); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_DigestInit() failed: %N", ck_rv_names, rv); + abort(); + } + } + if (chunk.len) + { + rv = this->lib->f->C_DigestUpdate(this->session, chunk.ptr, chunk.len); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_DigestUpdate() failed: %N", ck_rv_names, rv); + abort(); + } + } + if (hash) + { + len = this->size; + rv = this->lib->f->C_DigestFinal(this->session, + hash, &len); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_DigestFinal() failed: %N", ck_rv_names, rv); + abort(); + } + } + else + { + save_state(this); + } + this->mutex->unlock(this->mutex); +} + +METHOD(hasher_t, allocate_hash, void, + private_pkcs11_hasher_t *this, chunk_t chunk, chunk_t *hash) +{ + if (hash) + { + *hash = chunk_alloc(this->size); + get_hash(this, chunk, hash->ptr); + } + else + { + get_hash(this, chunk, NULL); + } +} + +METHOD(hasher_t, destroy, void, + private_pkcs11_hasher_t *this) +{ + this->lib->f->C_CloseSession(this->session); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * Get the Cryptoki mechanism for a hash algorithm + */ +static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size) +{ + static struct { + hash_algorithm_t algo; + CK_MECHANISM mechanism; + size_t size; + } mappings[] = { + {HASH_MD2, {CKM_MD2, NULL, 0}, HASH_SIZE_MD2}, + {HASH_MD5, {CKM_MD5, NULL, 0}, HASH_SIZE_MD5}, + {HASH_SHA1, {CKM_SHA_1, NULL, 0}, HASH_SIZE_SHA1}, + {HASH_SHA256, {CKM_SHA256, NULL, 0}, HASH_SIZE_SHA256}, + {HASH_SHA384, {CKM_SHA384, NULL, 0}, HASH_SIZE_SHA384}, + {HASH_SHA512, {CKM_SHA512, NULL, 0}, HASH_SIZE_SHA512}, + }; + int i; + + for (i = 0; i < countof(mappings); i++) + { + if (mappings[i].algo == algo) + { + *size = mappings[i].size; + return &mappings[i].mechanism; + } + } + return NULL; +} + +/** + * Find a token we can use for a hash algorithm + */ +static pkcs11_library_t* find_token(hash_algorithm_t algo, + CK_SESSION_HANDLE *session, CK_MECHANISM_PTR *mout, size_t *size) +{ + enumerator_t *tokens, *mechs; + pkcs11_manager_t *manager; + pkcs11_library_t *current, *found = NULL; + CK_MECHANISM_TYPE type; + CK_MECHANISM_PTR mech; + CK_SLOT_ID slot; + + mech = algo_to_mechanism(algo, size); + if (!mech) + { + return NULL; + } + manager = pkcs11_manager_get(); + if (!manager) + { + return NULL; + } + tokens = manager->create_token_enumerator(manager); + while (tokens->enumerate(tokens, ¤t, &slot)) + { + mechs = current->create_mechanism_enumerator(current, slot); + while (mechs->enumerate(mechs, &type, NULL)) + { + if (type == mech->mechanism) + { + if (current->f->C_OpenSession(slot, CKF_SERIAL_SESSION, + NULL, NULL, session) == CKR_OK) + { + found = current; + *mout = mech; + break; + } + } + } + mechs->destroy(mechs); + if (found) + { + break; + } + } + tokens->destroy(tokens); + return found; +} + +/** + * See header + */ +pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo) +{ + private_pkcs11_hasher_t *this; + + INIT(this, + .public = { + .hasher = { + .get_hash_size = _get_hash_size, + .reset = _reset, + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .destroy = _destroy, + }, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + this->lib = find_token(algo, &this->session, &this->mech, &this->size); + if (!this->lib) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h new file mode 100644 index 000000000..9c55d463e --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_hasher pkcs11_hasher + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_HASHER_H_ +#define PKCS11_HASHER_H_ + +#include <crypto/hashers/hasher.h> + +typedef struct pkcs11_hasher_t pkcs11_hasher_t; + +/** + * Hash implementation using a PKCS#11 token. + */ +struct pkcs11_hasher_t { + + /** + * Implements hasher_t interface. + */ + hasher_t hasher; +}; + +/** + * Creates a PKCS#11 based hasher. + * + * @param algo hash algorithm + * @return hasher, NULL if not supported + */ +pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo); + +#endif /** PKCS11_HASHER_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c new file mode 100644 index 000000000..9fb1b7769 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c @@ -0,0 +1,869 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_library.h" + +#include <dlfcn.h> + +#include <library.h> +#include <debug.h> +#include <threading/mutex.h> +#include <utils/linked_list.h> + +typedef struct private_pkcs11_library_t private_pkcs11_library_t; + + +ENUM_BEGIN(ck_rv_names, CKR_OK, CKR_CANT_LOCK, + "OK", + "CANCEL", + "HOST_MEMORY", + "SLOT_ID_INVALID", + "(0x04)", + "GENERAL_ERROR", + "FUNCTION_FAILED", + "ARGUMENTS_BAD", + "NO_EVENT", + "NEED_TO_CREATE_THREADS", + "CANT_LOCK"); +ENUM_NEXT(ck_rv_names, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID, + CKR_CANT_LOCK, + "ATTRIBUTE_READ_ONLY", + "ATTRIBUTE_SENSITIVE", + "ATTRIBUTE_TYPE_INVALID", + "ATTRIBUTE_VALUE_INVALID"); +ENUM_NEXT(ck_rv_names, CKR_DATA_INVALID, CKR_DATA_LEN_RANGE, + CKR_ATTRIBUTE_VALUE_INVALID, + "DATA_INVALID" + "DATA_LEN_RANGE"); +ENUM_NEXT(ck_rv_names, CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED, + CKR_DATA_LEN_RANGE, + "DEVICE_ERROR", + "DEVICE_MEMORY", + "DEVICE_REMOVED"); +ENUM_NEXT(ck_rv_names, CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE, + CKR_DEVICE_REMOVED, + "ENCRYPTED_DATA_INVALID", + "ENCRYPTED_DATA_LEN_RANGE"); +ENUM_NEXT(ck_rv_names, CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED, + CKR_ENCRYPTED_DATA_LEN_RANGE, + "FUNCTION_CANCELED", + "FUNCTION_NOT_PARALLEL", + "(0x52)", + "(0x53)", + "FUNCTION_NOT_SUPPORTED"); +ENUM_NEXT(ck_rv_names, CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE, + CKR_FUNCTION_NOT_SUPPORTED, + "KEY_HANDLE_INVALID", + "(0x61)", + "KEY_SIZE_RANGE", + "KEY_TYPE_INCONSISTENT", + "KEY_NOT_NEEDED", + "KEY_CHANGED", + "KEY_NEEDED", + "KEY_INDIGESTIBLE", + "KEY_FUNCTION_NOT_PERMITTED", + "KEY_NOT_WRAPPABLE", + "KEY_UNEXTRACTABLE"); +ENUM_NEXT(ck_rv_names, CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID, + CKR_KEY_UNEXTRACTABLE, + "MECHANISM_INVALID", + "MECHANISM_PARAM_INVALID"); +ENUM_NEXT(ck_rv_names, CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID, + CKR_MECHANISM_PARAM_INVALID, + "OBJECT_HANDLE_INVALID"); +ENUM_NEXT(ck_rv_names, CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED, + CKR_OBJECT_HANDLE_INVALID, + "OPERATION_ACTIVE", + "OPERATION_NOT_INITIALIZED"); +ENUM_NEXT(ck_rv_names, CKR_PIN_INCORRECT, CKR_PIN_LOCKED, + CKR_OPERATION_NOT_INITIALIZED, + "PIN_INCORRECT", + "PIN_INVALID", + "PIN_LEN_RANGE", + "PIN_EXPIRED", + "PIN_LOCKED"); +ENUM_NEXT(ck_rv_names, CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS, + CKR_PIN_LOCKED, + "SESSION_CLOSED", + "SESSION_COUNT", + "(0xb2)", + "SESSION_HANDLE_INVALID", + "SESSION_PARALLEL_NOT_SUPPORTED", + "SESSION_READ_ONLY", + "SESSION_EXISTS", + "SESSION_READ_ONLY_EXISTS", + "SESSION_READ_WRITE_SO_EXISTS"); +ENUM_NEXT(ck_rv_names, CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE, + CKR_SESSION_READ_WRITE_SO_EXISTS, + "SIGNATURE_INVALID", + "SIGNATURE_LEN_RANGE"); +ENUM_NEXT(ck_rv_names, CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT, + CKR_SIGNATURE_LEN_RANGE, + "TEMPLATE_INCOMPLETE", + "TEMPLATE_INCONSISTENT", +); +ENUM_NEXT(ck_rv_names, CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED, + CKR_TEMPLATE_INCONSISTENT, + "TOKEN_NOT_PRESENT", + "TOKEN_NOT_RECOGNIZED", + "TOKEN_WRITE_PROTECTED"); +ENUM_NEXT(ck_rv_names, CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, + CKR_TOKEN_WRITE_PROTECTED, + "UNWRAPPING_KEY_HANDLE_INVALID", + "UNWRAPPING_KEY_SIZE_RANGE", + "UNWRAPPING_KEY_TYPE_INCONSISTENT"); +ENUM_NEXT(ck_rv_names, CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES, + CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, + "USER_ALREADY_LOGGED_IN", + "USER_NOT_LOGGED_IN", + "USER_PIN_NOT_INITIALIZED", + "USER_TYPE_INVALID", + "USER_ANOTHER_ALREADY_LOGGED_IN", + "USER_TOO_MANY_TYPES"); +ENUM_NEXT(ck_rv_names, CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT, + CKR_USER_TOO_MANY_TYPES, + "WRAPPED_KEY_INVALID", + "(0x111)", + "WRAPPED_KEY_LEN_RANGE", + "WRAPPING_KEY_HANDLE_INVALID", + "WRAPPING_KEY_SIZE_RANGE", + "WRAPPING_KEY_TYPE_INCONSISTENT"); +ENUM_NEXT(ck_rv_names, CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG, + CKR_WRAPPING_KEY_TYPE_INCONSISTENT, + "RANDOM_SEED_NOT_SUPPORTED", + "RANDOM_NO_RNG"); +ENUM_NEXT(ck_rv_names, CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID, + CKR_RANDOM_NO_RNG, + "DOMAIN_PARAMS_INVALID"); +ENUM_NEXT(ck_rv_names, CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL, + CKR_DOMAIN_PARAMS_INVALID, + "BUFFER_TOO_SMALL"); +ENUM_NEXT(ck_rv_names, CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID, + CKR_BUFFER_TOO_SMALL, + "SAVED_STATE_INVALID"); +ENUM_NEXT(ck_rv_names, CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE, + CKR_SAVED_STATE_INVALID, + "INFORMATION_SENSITIVE"); +ENUM_NEXT(ck_rv_names, CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE, + CKR_INFORMATION_SENSITIVE, + "STATE_UNSAVEABLE"); +ENUM_NEXT(ck_rv_names, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED, + CKR_STATE_UNSAVEABLE, + "CRYPTOKI_NOT_INITIALIZED", + "CRYPTOKI_ALREADY_INITIALIZED"); +ENUM_NEXT(ck_rv_names, CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED, + CKR_CRYPTOKI_ALREADY_INITIALIZED, + "MUTEX_BAD", + "MUTEX_NOT_LOCKED"); +ENUM_NEXT(ck_rv_names, CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED, + CKR_MUTEX_NOT_LOCKED, + "FUNCTION_REJECTED"); +ENUM_END(ck_rv_names, CKR_FUNCTION_REJECTED); + + +ENUM_BEGIN(ck_mech_names, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DSA_SHA1, + "RSA_PKCS_KEY_PAIR_GEN", + "RSA_PKCS", + "RSA_9796", + "RSA_X_509", + "MD2_RSA_PKCS", + "MD5_RSA_PKCS", + "SHA1_RSA_PKCS", + "RIPEMD128_RSA_PKCS", + "RIPEMD160_RSA_PKCS", + "RSA_PKCS_OAEP", + "RSA_X9_31_KEY_PAIR_GEN", + "RSA_X9_31", + "SHA1_RSA_X9_31", + "RSA_PKCS_PSS", + "SHA1_RSA_PKCS_PSS", + "(0xf)", + "DSA_KEY_PAIR_GEN", + "DSA", + "DSA_SHA1"); +ENUM_NEXT(ck_mech_names, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE, + CKM_DSA_SHA1, + "DH_PKCS_KEY_PAIR_GEN", + "DH_PKCS_DERIVE"); +ENUM_NEXT(ck_mech_names, CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_MQV_DERIVE, + CKM_DH_PKCS_DERIVE, + "X9_42_DH_KEY_PAIR_GEN", + "X9_42_DH_DERIVE", + "X9_42_DH_HYBRID_DERIVE", + "X9_42_MQV_DERIVE"); +ENUM_NEXT(ck_mech_names, CKM_SHA256_RSA_PKCS, CKM_SHA512_RSA_PKCS_PSS, + CKM_X9_42_MQV_DERIVE, + "SHA256_RSA_PKCS", + "SHA384_RSA_PKCS", + "SHA512_RSA_PKCS", + "SHA256_RSA_PKCS_PSS", + "SHA384_RSA_PKCS_PSS", + "SHA512_RSA_PKCS_PSS"); +ENUM_NEXT(ck_mech_names, CKM_RC2_KEY_GEN, CKM_RC2_CBC_PAD, + CKM_SHA512_RSA_PKCS_PSS, + "RC2_KEY_GEN", + "RC2_ECB", + "RC2_CBC", + "RC2_MAC", + "RC2_MAC_GENERAL", + "RC2_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_RC4_KEY_GEN, CKM_RC4, + CKM_RC2_CBC_PAD, + "RC4_KEY_GEN", + "RC4"); +ENUM_NEXT(ck_mech_names, CKM_DES_KEY_GEN, CKM_DES_CBC_PAD, + CKM_RC4, + "DES_KEY_GEN", + "DES_ECB", + "DES_CBC", + "DES_MAC", + "DES_MAC_GENERAL", + "DES_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_DES2_KEY_GEN, CKM_DES3_CBC_PAD, + CKM_DES_CBC_PAD, + "DES2_KEY_GEN", + "DES3_KEY_GEN", + "DES3_ECB", + "DES3_CBC", + "DES3_MAC", + "DES3_MAC_GENERAL", + "DES3_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_CDMF_KEY_GEN, CKM_CDMF_CBC_PAD, + CKM_DES3_CBC_PAD, + "CDMF_KEY_GEN", + "CDMF_ECB", + "CDMF_CBC", + "CDMF_MAC", + "CDMF_MAC_GENERAL", + "CDMF_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_MD2, CKM_MD2_HMAC_GENERAL, + CKM_CDMF_CBC_PAD, + "MD2", + "MD2_HMAC", + "MD2_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_MD5, CKM_MD5_HMAC_GENERAL, + CKM_MD2_HMAC_GENERAL, + "MD5", + "MD5_HMAC", + "MD5_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_SHA_1, CKM_SHA_1_HMAC_GENERAL, + CKM_MD5_HMAC_GENERAL, + "SHA_1", + "SHA_1_HMAC", + "SHA_1_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_RIPEMD128, CKM_RIPEMD128_HMAC_GENERAL, + CKM_SHA_1_HMAC_GENERAL, + "RIPEMD128", + "RIPEMD128_HMAC", + "RIPEMD128_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_RIPEMD160, CKM_RIPEMD160_HMAC_GENERAL, + CKM_RIPEMD128_HMAC_GENERAL, + "RIPEMD160", + "RIPEMD160_HMAC", + "RIPEMD160_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_SHA256, CKM_SHA256_HMAC_GENERAL, + CKM_RIPEMD160_HMAC_GENERAL, + "SHA256", + "SHA256_HMAC", + "SHA256_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_SHA384, CKM_SHA384_HMAC_GENERAL, + CKM_SHA256_HMAC_GENERAL, + "SHA384", + "SHA384_HMAC", + "SHA384_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_SHA512, CKM_SHA512_HMAC_GENERAL, + CKM_SHA384_HMAC_GENERAL , + "SHA512", + "SHA512_HMAC", + "SHA512_HMAC_GENERAL"); +ENUM_NEXT(ck_mech_names, CKM_CAST_KEY_GEN, CKM_CAST_CBC_PAD, + CKM_SHA512_HMAC_GENERAL, + "CAST_KEY_GEN", + "CAST_ECB", + "CAST_CBC", + "CAST_MAC", + "CAST_MAC_GENERAL", + "CAST_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_CAST3_KEY_GEN, CKM_CAST3_CBC_PAD, + CKM_CAST_CBC_PAD, + "CAST3_KEY_GEN", + "CAST3_ECB", + "CAST3_CBC", + "CAST3_MAC", + "CAST3_MAC_GENERAL", + "CAST3_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_CAST128_KEY_GEN, CKM_CAST128_CBC_PAD, + CKM_CAST3_CBC_PAD, + "CAST128_KEY_GEN", + "CAST128_ECB", + "CAST128_CBC", + "CAST128_MAC", + "CAST128_MAC_GENERAL", + "CAST128_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_RC5_KEY_GEN, CKM_RC5_CBC_PAD, + CKM_CAST128_CBC_PAD, + "RC5_KEY_GEN", + "RC5_ECB", + "RC5_CBC", + "RC5_MAC", + "RC5_MAC_GENERAL", + "RC5_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_IDEA_KEY_GEN, CKM_IDEA_CBC_PAD, + CKM_RC5_CBC_PAD, + "IDEA_KEY_GEN", + "IDEA_ECB", + "IDEA_CBC", + "IDEA_MAC", + "IDEA_MAC_GENERAL", + "IDEA_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_GENERIC_SECRET_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN, + CKM_IDEA_CBC_PAD, + "GENERIC_SECRET_KEY_GEN"); +ENUM_NEXT(ck_mech_names, CKM_CONCATENATE_BASE_AND_KEY, CKM_EXTRACT_KEY_FROM_KEY, + CKM_GENERIC_SECRET_KEY_GEN, + "CONCATENATE_BASE_AND_KEY", + "(0x361)", + "CONCATENATE_BASE_AND_DATA", + "CONCATENATE_DATA_AND_BASE", + "XOR_BASE_AND_DATA", + "EXTRACT_KEY_FROM_KEY"); +ENUM_NEXT(ck_mech_names, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_MASTER_KEY_DERIVE_DH, + CKM_EXTRACT_KEY_FROM_KEY, + "SSL3_PRE_MASTER_KEY_GEN", + "SSL3_MASTER_KEY_DERIVE", + "SSL3_KEY_AND_MAC_DERIVE", + "SSL3_MASTER_KEY_DERIVE_DH", + "TLS_PRE_MASTER_KEY_GEN", + "TLS_MASTER_KEY_DERIVE", + "TLS_KEY_AND_MAC_DERIVE", + "TLS_MASTER_KEY_DERIVE_DH"); +ENUM_NEXT(ck_mech_names, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC, + CKM_TLS_MASTER_KEY_DERIVE_DH, + "SSL3_MD5_MAC", + "SSL3_SHA1_MAC"); +ENUM_NEXT(ck_mech_names, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION, + CKM_SSL3_SHA1_MAC, + "MD5_KEY_DERIVATION", + "MD2_KEY_DERIVATION", + "SHA1_KEY_DERIVATION"); +ENUM_NEXT(ck_mech_names, CKM_PBE_MD2_DES_CBC, CKM_PBE_SHA1_RC2_40_CBC, + CKM_SHA1_KEY_DERIVATION, + "PBE_MD2_DES_CBC", + "PBE_MD5_DES_CBC", + "PBE_MD5_CAST_CBC", + "PBE_MD5_CAST3_CBC", + "PBE_MD5_CAST128_CBC", + "PBE_SHA1_CAST128_CBC", + "PBE_SHA1_RC4_128", + "PBE_SHA1_RC4_40", + "PBE_SHA1_DES3_EDE_CBC", + "PBE_SHA1_DES2_EDE_CBC", + "PBE_SHA1_RC2_128_CBC", + "PBE_SHA1_RC2_40_CBC"); +ENUM_NEXT(ck_mech_names, CKM_PKCS5_PBKD2, CKM_PKCS5_PBKD2, + CKM_PBE_SHA1_RC2_40_CBC, + "PKCS5_PBKD2"); +ENUM_NEXT(ck_mech_names, CKM_PBA_SHA1_WITH_SHA1_HMAC, CKM_PBA_SHA1_WITH_SHA1_HMAC, + CKM_PKCS5_PBKD2, + "PBA_SHA1_WITH_SHA1_HMAC"); +ENUM_NEXT(ck_mech_names, CKM_KEY_WRAP_LYNKS, CKM_KEY_WRAP_SET_OAEP, + CKM_PBA_SHA1_WITH_SHA1_HMAC, + "KEY_WRAP_LYNKS", + "KEY_WRAP_SET_OAEP"); +ENUM_NEXT(ck_mech_names, CKM_SKIPJACK_KEY_GEN, CKM_SKIPJACK_RELAYX, + CKM_KEY_WRAP_SET_OAEP, + "SKIPJACK_KEY_GEN", + "SKIPJACK_ECB64", + "SKIPJACK_CBC64", + "SKIPJACK_OFB64", + "SKIPJACK_CFB64", + "SKIPJACK_CFB32", + "SKIPJACK_CFB16", + "SKIPJACK_CFB8", + "SKIPJACK_WRAP", + "SKIPJACK_PRIVATE_WRAP", + "SKIPJACK_RELAYX"); +ENUM_NEXT(ck_mech_names, CKM_KEA_KEY_PAIR_GEN, CKM_KEA_KEY_DERIVE, + CKM_SKIPJACK_RELAYX, + "KEA_KEY_PAIR_GEN", + "KEA_KEY_DERIVE"); +ENUM_NEXT(ck_mech_names, CKM_FORTEZZA_TIMESTAMP, CKM_FORTEZZA_TIMESTAMP, + CKM_KEA_KEY_DERIVE, + "FORTEZZA_TIMESTAMP"); +ENUM_NEXT(ck_mech_names, CKM_BATON_KEY_GEN, CKM_BATON_WRAP, + CKM_FORTEZZA_TIMESTAMP, + "BATON_KEY_GEN", + "BATON_ECB128", + "BATON_ECB96", + "BATON_CBC128", + "BATON_COUNTER", + "BATON_SHUFFLE", + "BATON_WRAP"); +ENUM_NEXT(ck_mech_names, CKM_ECDSA_KEY_PAIR_GEN, CKM_ECDSA_SHA1, + CKM_BATON_WRAP, + "ECDSA_KEY_PAIR_GEN", + "ECDSA", + "ECDSA_SHA1"); +ENUM_NEXT(ck_mech_names, CKM_ECDH1_DERIVE, CKM_ECMQV_DERIVE, + CKM_ECDSA_SHA1, + "ECDH1_DERIVE", + "ECDH1_COFACTOR_DERIVE", + "ECMQV_DERIVE"); +ENUM_NEXT(ck_mech_names, CKM_JUNIPER_KEY_GEN, CKM_JUNIPER_WRAP, + CKM_ECMQV_DERIVE, + "JUNIPER_KEY_GEN", + "JUNIPER_ECB128", + "JUNIPER_CBC128", + "JUNIPER_COUNTER", + "JUNIPER_SHUFFLE", + "JUNIPER_WRAP"); +ENUM_NEXT(ck_mech_names, CKM_FASTHASH, CKM_FASTHASH, + CKM_JUNIPER_WRAP, + "FASTHASH"); +ENUM_NEXT(ck_mech_names, CKM_AES_KEY_GEN, CKM_AES_CBC_PAD, + CKM_FASTHASH, + "AES_KEY_GEN", + "AES_ECB", + "AES_CBC", + "AES_MAC", + "AES_MAC_GENERAL", + "AES_CBC_PAD"); +ENUM_NEXT(ck_mech_names, CKM_DSA_PARAMETER_GEN, CKM_X9_42_DH_PARAMETER_GEN, + CKM_AES_CBC_PAD, + "DSA_PARAMETER_GEN", + "DH_PKCS_PARAMETER_GEN", + "X9_42_DH_PARAMETER_GEN"); +ENUM_END(ck_mech_names, CKM_X9_42_DH_PARAMETER_GEN); + +/** + * Private data of an pkcs11_library_t object. + */ +struct private_pkcs11_library_t { + + /** + * Public pkcs11_library_t interface. + */ + pkcs11_library_t public; + + /** + * dlopen() handle + */ + void *handle; + + /** + * Name as passed to the constructor + */ + char *name; +}; + +METHOD(pkcs11_library_t, get_name, char*, + private_pkcs11_library_t *this) +{ + return this->name; +} + +/** + * Object enumerator + */ +typedef struct { + /* implements enumerator_t */ + enumerator_t public; + /* session */ + CK_SESSION_HANDLE session; + /* pkcs11 library */ + pkcs11_library_t *lib; + /* attributes to retreive */ + CK_ATTRIBUTE_PTR attr; + /* number of attributes */ + CK_ULONG count; + /* currently allocated attributes, to free */ + linked_list_t *freelist; +} object_enumerator_t; + +/** + * Free contents of attributes in a list + */ +static void free_attrs(object_enumerator_t *this) +{ + CK_ATTRIBUTE_PTR attr; + + while (this->freelist->remove_last(this->freelist, (void**)&attr) == SUCCESS) + { + free(attr->pValue); + attr->pValue = NULL; + attr->ulValueLen = 0; + } +} + +/** + * Get attributes for a given object during enumeration + */ +static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object) +{ + CK_RV rv; + int i; + + free_attrs(this); + + /* get length of objects first */ + rv = this->lib->f->C_GetAttributeValue(this->session, object, + this->attr, this->count); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv); + return FALSE; + } + /* allocate required chunks */ + for (i = 0; i < this->count; i++) + { + if (this->attr[i].pValue == NULL && + this->attr[i].ulValueLen != 0 && this->attr[i].ulValueLen != -1) + { + this->attr[i].pValue = malloc(this->attr[i].ulValueLen); + this->freelist->insert_last(this->freelist, &this->attr[i]); + } + } + /* get the data */ + rv = this->lib->f->C_GetAttributeValue(this->session, object, + this->attr, this->count); + if (rv != CKR_OK) + { + free_attrs(this); + DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv); + return FALSE; + } + return TRUE; +} + +METHOD(enumerator_t, object_enumerate, bool, + object_enumerator_t *this, CK_OBJECT_HANDLE *out) +{ + CK_OBJECT_HANDLE object; + CK_ULONG found; + CK_RV rv; + + rv = this->lib->f->C_FindObjects(this->session, &object, 1, &found); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_FindObjects() failed: %N", ck_rv_names, rv); + return FALSE; + } + if (found) + { + if (this->attr) + { + if (!get_attributes(this, object)) + { + return FALSE; + } + } + *out = object; + return TRUE; + } + return FALSE; +} + +METHOD(enumerator_t, object_destroy, void, + object_enumerator_t *this) +{ + this->lib->f->C_FindObjectsFinal(this->session); + free_attrs(this); + this->freelist->destroy(this->freelist); + free(this); +} + +METHOD(pkcs11_library_t, create_object_enumerator, enumerator_t*, + private_pkcs11_library_t *this, CK_SESSION_HANDLE session, + CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount, + CK_ATTRIBUTE_PTR attr, CK_ULONG acount) +{ + object_enumerator_t *enumerator; + CK_RV rv; + + rv = this->public.f->C_FindObjectsInit(session, tmpl, tcount); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_FindObjectsInit() failed: %N", ck_rv_names, rv); + return enumerator_create_empty(); + } + + INIT(enumerator, + .public = { + .enumerate = (void*)_object_enumerate, + .destroy = _object_destroy, + }, + .session = session, + .lib = &this->public, + .attr = attr, + .count = acount, + .freelist = linked_list_create(), + ); + return &enumerator->public; +} + +/** + * Enumerator over mechanisms + */ +typedef struct { + /* implements enumerator_t */ + enumerator_t public; + /* PKCS#11 library */ + pkcs11_library_t *lib; + /* slot of token */ + CK_SLOT_ID slot; + /* mechanism type list */ + CK_MECHANISM_TYPE_PTR mechs; + /* number of mechanism types */ + CK_ULONG count; + /* current mechanism */ + CK_ULONG current; +} mechanism_enumerator_t; + +METHOD(enumerator_t, enumerate_mech, bool, + mechanism_enumerator_t *this, CK_MECHANISM_TYPE* type, + CK_MECHANISM_INFO *info) +{ + CK_RV rv; + + if (this->current >= this->count) + { + return FALSE; + } + if (info) + { + rv = this->lib->f->C_GetMechanismInfo(this->slot, + this->mechs[this->current], info); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetMechanismInfo() failed: %N", ck_rv_names, rv); + return FALSE; + } + } + *type = this->mechs[this->current++]; + return TRUE; +} + +METHOD(enumerator_t, destroy_mech, void, + mechanism_enumerator_t *this) +{ + free(this->mechs); + free(this); +} + +METHOD(pkcs11_library_t, create_mechanism_enumerator, enumerator_t*, + private_pkcs11_library_t *this, CK_SLOT_ID slot) +{ + mechanism_enumerator_t *enumerator; + CK_RV rv; + + INIT(enumerator, + .public = { + .enumerate = (void*)_enumerate_mech, + .destroy = _destroy_mech, + }, + .lib = &this->public, + .slot = slot, + ); + + rv = enumerator->lib->f->C_GetMechanismList(slot, NULL, &enumerator->count); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv); + free(enumerator); + return enumerator_create_empty(); + } + enumerator->mechs = malloc(sizeof(CK_MECHANISM_TYPE) * enumerator->count); + enumerator->lib->f->C_GetMechanismList(slot, enumerator->mechs, + &enumerator->count); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv); + destroy_mech(enumerator); + return enumerator_create_empty(); + } + return &enumerator->public; +} + +METHOD(pkcs11_library_t, destroy, void, + private_pkcs11_library_t *this) +{ + this->public.f->C_Finalize(NULL); + dlclose(this->handle); + free(this); +} + +/** + * See header + */ +void pkcs11_library_trim(char *str, int len) +{ + int i; + + str[len - 1] = '\0'; + for (i = len - 2; i > 0; i--) + { + if (str[i] == ' ') + { + str[i] = '\0'; + continue; + } + break; + } +} + +/** + * Mutex creation callback + */ +static CK_RV CreateMutex(CK_VOID_PTR_PTR data) +{ + *data = mutex_create(MUTEX_TYPE_DEFAULT); + return CKR_OK; +} + +/** + * Mutex destruction callback + */ +static CK_RV DestroyMutex(CK_VOID_PTR data) +{ + mutex_t *mutex = (mutex_t*)data; + + mutex->destroy(mutex); + return CKR_OK; +} + +/** + * Mutex lock callback + */ +static CK_RV LockMutex(CK_VOID_PTR data) +{ + mutex_t *mutex = (mutex_t*)data; + + mutex->lock(mutex); + return CKR_OK; +} + +/** + * Mutex unlock callback + */ +static CK_RV UnlockMutex(CK_VOID_PTR data) +{ + mutex_t *mutex = (mutex_t*)data; + + mutex->unlock(mutex); + return CKR_OK; +} + +/** + * Initialize a PKCS#11 library + */ +static bool initialize(private_pkcs11_library_t *this, char *name, char *file) +{ + CK_C_GetFunctionList pC_GetFunctionList; + CK_INFO info; + CK_RV rv; + CK_C_INITIALIZE_ARGS args = { + .CreateMutex = CreateMutex, + .DestroyMutex = DestroyMutex, + .LockMutex = LockMutex, + .UnlockMutex = UnlockMutex, + }; + + pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList"); + if (!pC_GetFunctionList) + { + DBG1(DBG_CFG, "C_GetFunctionList not found for '%s': %s", name, dlerror()); + return FALSE; + } + rv = pC_GetFunctionList(&this->public.f); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetFunctionList() error for '%s': %N", + name, ck_rv_names, rv); + return FALSE; + } + + rv = this->public.f->C_Initialize(&args); + if (rv == CKR_CANT_LOCK) + { /* try OS locking */ + memset(&args, 0, sizeof(args)); + args.flags = CKF_OS_LOCKING_OK; + rv = this->public.f->C_Initialize(&args); + } + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_Initialize() error for '%s': %N", + name, ck_rv_names, rv); + return FALSE; + } + rv = this->public.f->C_GetInfo(&info); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetInfo() error for '%s': %N", + name, ck_rv_names, rv); + this->public.f->C_Finalize(NULL); + return FALSE; + } + + pkcs11_library_trim(info.manufacturerID, + strnlen(info.manufacturerID, sizeof(info.manufacturerID))); + pkcs11_library_trim(info.libraryDescription, + strnlen(info.libraryDescription, sizeof(info.libraryDescription))); + + DBG1(DBG_CFG, "loaded PKCS#11 v%d.%d library '%s' (%s)", + info.cryptokiVersion.major, info.cryptokiVersion.minor, name, file); + DBG1(DBG_CFG, " %s: %s v%d.%d", + info.manufacturerID, info.libraryDescription, + info.libraryVersion.major, info.libraryVersion.minor); + if (args.flags & CKF_OS_LOCKING_OK) + { + DBG1(DBG_CFG, " uses OS locking functions"); + } + return TRUE; +} + +/** + * See header + */ +pkcs11_library_t *pkcs11_library_create(char *name, char *file) +{ + private_pkcs11_library_t *this; + + INIT(this, + .public = { + .get_name = _get_name, + .create_object_enumerator = _create_object_enumerator, + .create_mechanism_enumerator = _create_mechanism_enumerator, + .destroy = _destroy, + }, + .name = name, + .handle = dlopen(file, RTLD_LAZY), + ); + + if (!this->handle) + { + DBG1(DBG_CFG, "opening PKCS#11 library failed: %s", dlerror()); + free(this); + return NULL; + } + + if (!initialize(this, name, file)) + { + dlclose(this->handle); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h new file mode 100644 index 000000000..1457d24d4 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_library pkcs11_library + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_LIBRARY_H_ +#define PKCS11_LIBRARY_H_ + +typedef struct pkcs11_library_t pkcs11_library_t; + +#include "pkcs11.h" + +#include <enum.h> +#include <utils/enumerator.h> + +/** + * A loaded and initialized PKCS#11 library. + */ +struct pkcs11_library_t { + + /** + * PKCS#11 function list, as returned by C_GetFunctionList + */ + CK_FUNCTION_LIST_PTR f; + + /** + * Get the name this instance was created with. + * + * @return name, as passed to constructor + */ + char* (*get_name)(pkcs11_library_t *this); + + /** + * Create an enumerator over CK_OBJECT_HANDLE using a search template. + * + * An optional attribute array is automatically filled in with the + * objects associated attributes. If the value of an output attribute + * is NULL, the value gets allocated/freed during enumeration. + * + * @param session session to use + * @param tmpl search template + * @param tcount number of attributes in the search template + * @param attr attributes to read from object + * @param acount number of attributes to read + */ + enumerator_t* (*create_object_enumerator)(pkcs11_library_t *this, + CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount, + CK_ATTRIBUTE_PTR attr, CK_ULONG acount); + + /** + * Create an enumerator over supported mechanisms of a token. + * + * The resulting enumerator enumerates over the mechanism type, and if + * a non-NULL pointer is given, over the mechanism info details. + * + * @param slot slot of the token + * @return enumerator over (CK_MECHANISM_TYPE, CK_MECHANISM_INFO) + */ + enumerator_t* (*create_mechanism_enumerator)(pkcs11_library_t *this, + CK_SLOT_ID slot); + + /** + * Destroy a pkcs11_library_t. + */ + void (*destroy)(pkcs11_library_t *this); +}; + +/** + * Enum names for CK_RV return values + */ +extern enum_name_t *ck_rv_names; + +/** + * Enum names for CK_MECHANISM_TYPE values + */ +extern enum_name_t *ck_mech_names; + +/** + * Trim/null terminate a string returned by the varius PKCS#11 functions. + * + * @param str string to trim + * @param len max length of the string + */ +void pkcs11_library_trim(char *str, int len); + +/** + * Create a pkcs11_library instance. + * + * @param name an arbitrary name, for debugging + * @param file pkcs11 library file to dlopen() + * @return library abstraction + */ +pkcs11_library_t *pkcs11_library_create(char *name, char *file); + +#endif /** PKCS11_LIBRARY_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c new file mode 100644 index 000000000..0c27600a6 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c @@ -0,0 +1,407 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_manager.h" + +#include <debug.h> +#include <utils/linked_list.h> +#include <threading/thread.h> + +#include "pkcs11_library.h" + +#include <processing/jobs/callback_job.h> + +typedef struct private_pkcs11_manager_t private_pkcs11_manager_t; + +/** + * Private data of an pkcs11_manager_t object. + */ +struct private_pkcs11_manager_t { + + /** + * Public pkcs11_manager_t interface. + */ + pkcs11_manager_t public; + + /** + * List of loaded libraries, as lib_entry_t + */ + linked_list_t *libs; + + /** + * Slot event callback function + */ + pkcs11_manager_token_event_t cb; + + /** + * Slot event user data + */ + void *data; +}; + +/** + * Entry for a loaded library + */ +typedef struct { + /* back reference to this */ + private_pkcs11_manager_t *this; + /* associated library path */ + char *path; + /* loaded library */ + pkcs11_library_t *lib; + /* event dispatcher job */ + callback_job_t *job; +} lib_entry_t; + +/** + * Destroy a lib_entry_t + */ +static void lib_entry_destroy(lib_entry_t *entry) +{ + if (entry->job) + { + entry->job->cancel(entry->job); + } + entry->lib->destroy(entry->lib); + free(entry); +} + +/** + * Print supported mechanisms of a token in a slot + */ +static void print_mechs(lib_entry_t *entry, CK_SLOT_ID slot) +{ + enumerator_t *enumerator; + CK_MECHANISM_TYPE type; + CK_MECHANISM_INFO info; + + enumerator = entry->lib->create_mechanism_enumerator(entry->lib, slot); + while (enumerator->enumerate(enumerator, &type, &info)) + { + DBG2(DBG_CFG, " %N %lu-%lu [ %s%s%s%s%s%s%s%s%s%s%s%s%s]", + ck_mech_names, type, + info.ulMinKeySize, info.ulMaxKeySize, + info.flags & CKF_HW ? "HW " : "", + info.flags & CKF_ENCRYPT ? "ENCR " : "", + info.flags & CKF_DECRYPT ? "DECR " : "", + info.flags & CKF_DIGEST ? "DGST " : "", + info.flags & CKF_SIGN ? "SIGN " : "", + info.flags & CKF_SIGN_RECOVER ? "SIGN_RCVR " : "", + info.flags & CKF_VERIFY ? "VRFY " : "", + info.flags & CKF_VERIFY_RECOVER ? "VRFY_RCVR " : "", + info.flags & CKF_GENERATE ? "GEN " : "", + info.flags & CKF_GENERATE_KEY_PAIR ? "GEN_KEY_PAIR " : "", + info.flags & CKF_WRAP ? "WRAP " : "", + info.flags & CKF_UNWRAP ? "UNWRAP " : "", + info.flags & CKF_DERIVE ? "DERIVE " : ""); + } + enumerator->destroy(enumerator); +} + +/** + * Handle a token + */ +static void handle_token(lib_entry_t *entry, CK_SLOT_ID slot) +{ + CK_TOKEN_INFO info; + CK_RV rv; + + rv = entry->lib->f->C_GetTokenInfo(slot, &info); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetTokenInfo failed: %N", ck_rv_names, rv); + return; + } + pkcs11_library_trim(info.label, sizeof(info.label)); + pkcs11_library_trim(info.manufacturerID, sizeof(info.manufacturerID)); + pkcs11_library_trim(info.model, sizeof(info.model)); + DBG1(DBG_CFG, " %s (%s: %s)", + info.label, info.manufacturerID, info.model); + + print_mechs(entry, slot); +} + +/** + * Handle slot changes + */ +static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot) +{ + CK_SLOT_INFO info; + CK_RV rv; + + rv = entry->lib->f->C_GetSlotInfo(slot, &info); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetSlotInfo failed: %N", ck_rv_names, rv); + return; + } + + pkcs11_library_trim(info.slotDescription, sizeof(info.slotDescription)); + if (info.flags & CKF_TOKEN_PRESENT) + { + DBG1(DBG_CFG, " found token in slot '%s':%lu (%s)", + entry->lib->get_name(entry->lib), slot, info.slotDescription); + handle_token(entry, slot); + if (hot) + { + entry->this->cb(entry->this->data, entry->lib, slot, TRUE); + } + } + else + { + DBG1(DBG_CFG, "token removed from slot '%s':%lu (%s)", + entry->lib->get_name(entry->lib), slot, info.slotDescription); + if (hot) + { + entry->this->cb(entry->this->data, entry->lib, slot, FALSE); + } + } +} + +/** + * Dispatch slot events + */ +static job_requeue_t dispatch_slot_events(lib_entry_t *entry) +{ + CK_SLOT_ID slot; + CK_RV rv; + bool old; + + old = thread_cancelability(TRUE); + rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL); + thread_cancelability(old); + if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT) + { + DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled", + entry->lib->get_name(entry->lib)); + return JOB_REQUEUE_NONE; + } + if (rv == CKR_CRYPTOKI_NOT_INITIALIZED) + { /* C_Finalize called, abort */ + return JOB_REQUEUE_NONE; + } + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "error in C_WaitForSlotEvent: %N", ck_rv_names, rv); + } + handle_slot(entry, slot, TRUE); + + return JOB_REQUEUE_DIRECT; +} + +/** + * End dispatching, unset job + */ +static void end_dispatch(lib_entry_t *entry) +{ + entry->job = NULL; +} + +/** + * Get the slot list of a library + */ +static CK_SLOT_ID_PTR get_slot_list(pkcs11_library_t *p11, CK_ULONG *out) +{ + CK_SLOT_ID_PTR slots; + CK_ULONG count; + CK_RV rv; + + rv = p11->f->C_GetSlotList(TRUE, NULL, &count); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv); + return NULL; + } + if (count == 0) + { + return NULL; + } + slots = malloc(sizeof(CK_SLOT_ID) * count); + rv = p11->f->C_GetSlotList(TRUE, slots, &count); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv); + free(slots); + return NULL; + } + *out = count; + return slots; +} + +/** + * Query the slots for tokens + */ +static void query_slots(lib_entry_t *entry) +{ + CK_ULONG count; + CK_SLOT_ID_PTR slots; + int i; + + slots = get_slot_list(entry->lib, &count); + if (slots) + { + for (i = 0; i < count; i++) + { + handle_slot(entry, slots[i], FALSE); + } + free(slots); + } +} + +/** + * Token enumerator + */ +typedef struct { + /* implements enumerator */ + enumerator_t public; + /* inner enumerator over PKCS#11 libraries */ + enumerator_t *inner; + /* active library entry */ + lib_entry_t *entry; + /* slot list with tokens */ + CK_SLOT_ID_PTR slots; + /* number of slots */ + CK_ULONG count; + /* current slot */ + int current; +} token_enumerator_t; + +METHOD(enumerator_t, enumerate_token, bool, + token_enumerator_t *this, pkcs11_library_t **out, CK_SLOT_ID *slot) +{ + if (this->current >= this->count) + { + free(this->slots); + this->slots = NULL; + this->current = 0; + } + while (!this->slots) + { + if (!this->inner->enumerate(this->inner, &this->entry)) + { + return FALSE; + } + this->slots = get_slot_list(this->entry->lib, &this->count); + } + *out = this->entry->lib; + *slot = this->slots[this->current++]; + return TRUE; +} + +METHOD(enumerator_t, destroy_token, void, + token_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this->slots); + free(this); +} + +METHOD(pkcs11_manager_t, create_token_enumerator, enumerator_t*, + private_pkcs11_manager_t *this) +{ + token_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_enumerate_token, + .destroy = _destroy_token, + }, + .inner = this->libs->create_enumerator(this->libs), + ); + return &enumerator->public; +} + +/** + * Singleton instance + */ +static private_pkcs11_manager_t *singleton = NULL; + +METHOD(pkcs11_manager_t, destroy, void, + private_pkcs11_manager_t *this) +{ + this->libs->destroy_function(this->libs, (void*)lib_entry_destroy); + free(this); + singleton = NULL; +} + +/** + * See header + */ +pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, + void *data) +{ + private_pkcs11_manager_t *this; + enumerator_t *enumerator; + lib_entry_t *entry; + char *module; + + INIT(this, + .public = { + .create_token_enumerator = _create_token_enumerator, + .destroy = _destroy, + }, + .libs = linked_list_create(), + .cb = cb, + .data = data, + ); + + enumerator = lib->settings->create_section_enumerator(lib->settings, + "libstrongswan.plugins.pkcs11.modules"); + while (enumerator->enumerate(enumerator, &module)) + { + INIT(entry, + .this = this, + ); + + entry->path = lib->settings->get_str(lib->settings, + "libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module); + if (!entry->path) + { + DBG1(DBG_CFG, "PKCS11 module '%s' misses library path", module); + free(entry); + continue; + } + entry->lib = pkcs11_library_create(module, entry->path); + if (!entry->lib) + { + free(entry); + continue; + } + this->libs->insert_last(this->libs, entry); + } + enumerator->destroy(enumerator); + + singleton = this; + + enumerator = this->libs->create_enumerator(this->libs); + while (enumerator->enumerate(enumerator, &entry)) + { + query_slots(entry); + entry->job = callback_job_create((void*)dispatch_slot_events, + entry, (void*)end_dispatch, NULL); + lib->processor->queue_job(lib->processor, (job_t*)entry->job); + } + enumerator->destroy(enumerator); + + return &this->public; +} + +/** + * See header + */ +pkcs11_manager_t *pkcs11_manager_get() +{ + return (pkcs11_manager_t*)singleton; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h new file mode 100644 index 000000000..b80d67324 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h @@ -0,0 +1,78 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_manager pkcs11_manager + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_MANAGER_H_ +#define PKCS11_MANAGER_H_ + +typedef struct pkcs11_manager_t pkcs11_manager_t; + +#include <library.h> + +#include "pkcs11_library.h" + +/** + * Token event callback function. + * + * @param data user supplied data, as passed to pkcs11_manager_create() + * @param p11 loaded PKCS#11 library token belongs to + * @param slot slot number the event occured in + * @param add TRUE if token was added to the slot, FALSE if removed + */ +typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11, + CK_SLOT_ID slot, bool add); + + +/** + * Manages multiple PKCS#11 libraries with hot pluggable slots + */ +struct pkcs11_manager_t { + + /** + * Create an enumerator over all tokens. + * + * @return enumerator over (pkcs11_library_t*,CK_SLOT_ID) + */ + enumerator_t* (*create_token_enumerator)(pkcs11_manager_t *this); + + /** + * Destroy a pkcs11_manager_t. + */ + void (*destroy)(pkcs11_manager_t *this); +}; + +/** + * Create a pkcs11_manager instance. + * + * @param cb token event callback function + * @param data user data to pass to token event callback + * @return instance + */ +pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, + void *data); + + +/** + * Get the singleton instance of the manager + * + * @return instance, NULL if none available + */ +pkcs11_manager_t *pkcs11_manager_get(); + +#endif /** PKCS11_MANAGER_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c new file mode 100644 index 000000000..ace405c23 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c @@ -0,0 +1,176 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_plugin.h" + +#include <library.h> +#include <debug.h> +#include <utils/linked_list.h> +#include <threading/mutex.h> + +#include "pkcs11_manager.h" +#include "pkcs11_creds.h" +#include "pkcs11_private_key.h" +#include "pkcs11_public_key.h" +#include "pkcs11_hasher.h" + +typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t; + +/** + * private data of pkcs11_plugin + */ +struct private_pkcs11_plugin_t { + + /** + * public functions + */ + pkcs11_plugin_t public; + + /** + * PKCS#11 library/slot manager + */ + pkcs11_manager_t *manager; + + /** + * List of credential sets, pkcs11_creds_t + */ + linked_list_t *creds; + + /** + * mutex to lock list + */ + mutex_t *mutex; +}; + +/** + * Token event callback function + */ +static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11, + CK_SLOT_ID slot, bool add) +{ + enumerator_t *enumerator; + pkcs11_creds_t *creds, *found = NULL;; + + if (add) + { + creds = pkcs11_creds_create(p11, slot); + if (creds) + { + this->mutex->lock(this->mutex); + this->creds->insert_last(this->creds, creds); + this->mutex->unlock(this->mutex); + lib->credmgr->add_set(lib->credmgr, &creds->set); + } + } + else + { + this->mutex->lock(this->mutex); + enumerator = this->creds->create_enumerator(this->creds); + while (enumerator->enumerate(enumerator, &creds)) + { + if (creds->get_library(creds) == p11 && + creds->get_slot(creds) == slot) + { + found = creds; + this->creds->remove_at(this->creds, enumerator); + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + if (found) + { + lib->credmgr->remove_set(lib->credmgr, &found->set); + found->destroy(found); + /* flush the cache after a token is gone */ + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); + } + } +} + +METHOD(plugin_t, destroy, void, + private_pkcs11_plugin_t *this) +{ + pkcs11_creds_t *creds; + + lib->creds->remove_builder(lib->creds, + (builder_function_t)pkcs11_private_key_connect); + while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS) + { + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); + } + lib->crypto->remove_hasher(lib->crypto, + (hasher_constructor_t)pkcs11_hasher_create); + this->creds->destroy(this->creds); + this->manager->destroy(this->manager); + this->mutex->destroy(this->mutex); + free(this); +} + +/* + * see header file + */ +plugin_t *pkcs11_plugin_create() +{ + private_pkcs11_plugin_t *this; + enumerator_t *enumerator; + pkcs11_library_t *p11; + CK_SLOT_ID slot; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .creds = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + this->manager = pkcs11_manager_create((void*)token_event_cb, this); + + if (lib->settings->get_bool(lib->settings, + "libstrongswan.plugins.pkcs11.use_hasher", FALSE)) + { + lib->crypto->add_hasher(lib->crypto, HASH_MD2, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD5, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + (hasher_constructor_t)pkcs11_hasher_create); + } + + lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, + (builder_function_t)pkcs11_private_key_connect); + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE, + (builder_function_t)pkcs11_public_key_load); + + enumerator = this->manager->create_token_enumerator(this->manager); + while (enumerator->enumerate(enumerator, &p11, &slot)) + { + token_event_cb(this, p11, slot, TRUE); + } + enumerator->destroy(enumerator); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h new file mode 100644 index 000000000..432e2173a --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11 pkcs11 + * @ingroup plugins + * + * @defgroup pkcs11_plugin pkcs11_plugin + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_PLUGIN_H_ +#define PKCS11_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct pkcs11_plugin_t pkcs11_plugin_t; + +/** + * Plugin providing PKCS#11 token support. + */ +struct pkcs11_plugin_t { + + /** + * Implements plugin interface, + */ + plugin_t plugin; +}; + +#endif /** PKCS11_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c new file mode 100644 index 000000000..cabca3f54 --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -0,0 +1,600 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_private_key.h" + +#include "pkcs11_library.h" +#include "pkcs11_manager.h" + +#include <debug.h> +#include <threading/mutex.h> + +typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t; + +/** + * Private data of an pkcs11_private_key_t object. + */ +struct private_pkcs11_private_key_t { + + /** + * Public pkcs11_private_key_t interface. + */ + pkcs11_private_key_t public; + + /** + * PKCS#11 module + */ + pkcs11_library_t *lib; + + /** + * Token session + */ + CK_SESSION_HANDLE session; + + /** + * Mutex to lock session + */ + mutex_t *mutex; + + /** + * Key object on the token + */ + CK_OBJECT_HANDLE object; + + /** + * Key requires reauthentication for each signature/decryption + */ + CK_BBOOL reauth; + + /** + * Keyid of the key we use + */ + identification_t *keyid; + + /** + * Associated public key + */ + public_key_t *pubkey; + + /** + * References to this key + */ + refcount_t ref; +}; + +METHOD(private_key_t, get_type, key_type_t, + private_pkcs11_private_key_t *this) +{ + return this->pubkey->get_type(this->pubkey); +} + +METHOD(private_key_t, get_keysize, int, + private_pkcs11_private_key_t *this) +{ + return this->pubkey->get_keysize(this->pubkey); +} + +/** + * See header. + */ +CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme) +{ + static struct { + signature_scheme_t scheme; + CK_MECHANISM mechanism; + } mappings[] = { + {SIGN_RSA_EMSA_PKCS1_NULL, {CKM_RSA_PKCS, NULL, 0}}, + {SIGN_RSA_EMSA_PKCS1_SHA1, {CKM_SHA1_RSA_PKCS, NULL, 0}}, + {SIGN_RSA_EMSA_PKCS1_SHA256, {CKM_SHA256_RSA_PKCS, NULL, 0}}, + {SIGN_RSA_EMSA_PKCS1_SHA384, {CKM_SHA384_RSA_PKCS, NULL, 0}}, + {SIGN_RSA_EMSA_PKCS1_SHA512, {CKM_SHA512_RSA_PKCS, NULL, 0}}, + {SIGN_RSA_EMSA_PKCS1_MD5, {CKM_MD5_RSA_PKCS, NULL, 0}}, + }; + int i; + + for (i = 0; i < countof(mappings); i++) + { + if (mappings[i].scheme == scheme) + { + return &mappings[i].mechanism; + } + } + return NULL; +} + +/** + * See header. + */ +CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme) +{ + static struct { + encryption_scheme_t scheme; + CK_MECHANISM mechanism; + } mappings[] = { + {ENCRYPT_RSA_PKCS1, {CKM_RSA_PKCS, NULL, 0}}, + {ENCRYPT_RSA_OAEP_SHA1, {CKM_RSA_PKCS_OAEP, NULL, 0}}, + }; + int i; + + for (i = 0; i < countof(mappings); i++) + { + if (mappings[i].scheme == scheme) + { + return &mappings[i].mechanism; + } + } + return NULL; +} + +/** + * Reauthenticate to do a signature + */ +static bool reauth(private_pkcs11_private_key_t *this) +{ + enumerator_t *enumerator; + shared_key_t *shared; + chunk_t pin; + CK_RV rv; + bool found = FALSE, success = FALSE; + + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PIN, this->keyid, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) + { + found = TRUE; + pin = shared->get_key(shared); + rv = this->lib->f->C_Login(this->session, CKU_CONTEXT_SPECIFIC, + pin.ptr, pin.len); + if (rv == CKR_OK) + { + success = TRUE; + break; + } + DBG1(DBG_CFG, "reauthentication login failed: %N", ck_rv_names, rv); + } + enumerator->destroy(enumerator); + + if (!found) + { + DBG1(DBG_CFG, "private key requires reauthentication, but no PIN found"); + return FALSE; + } + return success; +} + +METHOD(private_key_t, sign, bool, + private_pkcs11_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) +{ + CK_MECHANISM_PTR mechanism; + CK_BYTE_PTR buf; + CK_ULONG len; + CK_RV rv; + + mechanism = pkcs11_signature_scheme_to_mech(scheme); + if (!mechanism) + { + DBG1(DBG_LIB, "signature scheme %N not supported", + signature_scheme_names, scheme); + return FALSE; + } + this->mutex->lock(this->mutex); + rv = this->lib->f->C_SignInit(this->session, mechanism, this->object); + if (this->reauth && !reauth(this)) + { + return FALSE; + } + if (rv != CKR_OK) + { + this->mutex->unlock(this->mutex); + DBG1(DBG_LIB, "C_SignInit() failed: %N", ck_rv_names, rv); + return FALSE; + } + len = (get_keysize(this) + 7) / 8; + buf = malloc(len); + rv = this->lib->f->C_Sign(this->session, data.ptr, data.len, buf, &len); + this->mutex->unlock(this->mutex); + if (rv != CKR_OK) + { + DBG1(DBG_LIB, "C_Sign() failed: %N", ck_rv_names, rv); + free(buf); + return FALSE; + } + *signature = chunk_create(buf, len); + return TRUE; +} + +METHOD(private_key_t, decrypt, bool, + private_pkcs11_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypt, chunk_t *plain) +{ + CK_MECHANISM_PTR mechanism; + CK_BYTE_PTR buf; + CK_ULONG len; + CK_RV rv; + + mechanism = pkcs11_encryption_scheme_to_mech(scheme); + if (!mechanism) + { + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; + } + this->mutex->lock(this->mutex); + rv = this->lib->f->C_DecryptInit(this->session, mechanism, this->object); + if (this->reauth && !reauth(this)) + { + return FALSE; + } + if (rv != CKR_OK) + { + this->mutex->unlock(this->mutex); + DBG1(DBG_LIB, "C_DecryptInit() failed: %N", ck_rv_names, rv); + return FALSE; + } + len = (get_keysize(this) + 7) / 8; + buf = malloc(len); + rv = this->lib->f->C_Decrypt(this->session, crypt.ptr, crypt.len, buf, &len); + this->mutex->unlock(this->mutex); + if (rv != CKR_OK) + { + DBG1(DBG_LIB, "C_Decrypt() failed: %N", ck_rv_names, rv); + free(buf); + return FALSE; + } + *plain = chunk_create(buf, len); + return TRUE; +} + +METHOD(private_key_t, get_public_key, public_key_t*, + private_pkcs11_private_key_t *this) +{ + return this->pubkey->get_ref(this->pubkey); +} + +METHOD(private_key_t, get_fingerprint, bool, + private_pkcs11_private_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) +{ + return this->pubkey->get_fingerprint(this->pubkey, type, fingerprint); +} + +METHOD(private_key_t, get_encoding, bool, + private_pkcs11_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + return FALSE; +} + +METHOD(private_key_t, get_ref, private_key_t*, + private_pkcs11_private_key_t *this) +{ + ref_get(&this->ref); + return &this->public.key; +} + +METHOD(private_key_t, destroy, void, + private_pkcs11_private_key_t *this) +{ + if (ref_put(&this->ref)) + { + if (this->pubkey) + { + this->pubkey->destroy(this->pubkey); + } + this->mutex->destroy(this->mutex); + this->keyid->destroy(this->keyid); + this->lib->f->C_CloseSession(this->session); + free(this); + } +} + +/** + * Find the PKCS#11 library by its friendly name + */ +static pkcs11_library_t* find_lib(char *module) +{ + pkcs11_manager_t *manager; + enumerator_t *enumerator; + pkcs11_library_t *p11, *found = NULL; + CK_SLOT_ID slot; + + manager = pkcs11_manager_get(); + if (!manager) + { + return NULL; + } + enumerator = manager->create_token_enumerator(manager); + while (enumerator->enumerate(enumerator, &p11, &slot)) + { + if (streq(module, p11->get_name(p11))) + { + found = p11; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** + * Find the PKCS#11 lib having a keyid, and optionally a slot + */ +static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot) +{ + pkcs11_manager_t *manager; + enumerator_t *enumerator; + pkcs11_library_t *p11, *found = NULL; + CK_SLOT_ID current; + + manager = pkcs11_manager_get(); + if (!manager) + { + return NULL; + } + enumerator = manager->create_token_enumerator(manager); + while (enumerator->enumerate(enumerator, &p11, ¤t)) + { + if (*slot == -1 || *slot == current) + { + /* we look for a public key, it is usually readable without login */ + CK_OBJECT_CLASS class = CKO_PUBLIC_KEY; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_ID, keyid.ptr, keyid.len}, + }; + CK_OBJECT_HANDLE object; + CK_SESSION_HANDLE session; + CK_RV rv; + enumerator_t *keys; + + rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL, + &session); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", + ck_rv_names, rv); + continue; + } + keys = p11->create_object_enumerator(p11, session, + tmpl, countof(tmpl), NULL, 0); + if (keys->enumerate(keys, &object)) + { + DBG1(DBG_CFG, "found key on PKCS#11 token '%s':%d", + p11->get_name(p11), current); + found = p11; + *slot = current; + } + keys->destroy(keys); + p11->f->C_CloseSession(session); + if (found) + { + break; + } + } + } + enumerator->destroy(enumerator); + return found; +} + +/** + * Find the key on the token + */ +static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) +{ + CK_OBJECT_CLASS class = CKO_PRIVATE_KEY; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_ID, keyid.ptr, keyid.len}, + }; + CK_OBJECT_HANDLE object; + CK_KEY_TYPE type; + CK_BBOOL reauth; + CK_ATTRIBUTE attr[] = { + {CKA_KEY_TYPE, &type, sizeof(type)}, + {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, + {CKA_MODULUS, NULL, 0}, + {CKA_PUBLIC_EXPONENT, NULL, 0}, + }; + enumerator_t *enumerator; + chunk_t modulus, pubexp; + + enumerator = this->lib->create_object_enumerator(this->lib, + this->session, tmpl, countof(tmpl), attr, countof(attr)); + if (enumerator->enumerate(enumerator, &object)) + { + switch (type) + { + case CKK_RSA: + if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1) + { + DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed"); + break; + } + modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen); + pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen); + this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, + KEY_RSA, BUILD_RSA_MODULUS, modulus, + BUILD_RSA_PUB_EXP, pubexp, BUILD_END); + if (!this->pubkey) + { + DBG1(DBG_CFG, "extracting public key from PKCS#11 RSA " + "private key failed"); + } + this->reauth = reauth; + this->object = object; + break; + default: + DBG1(DBG_CFG, "PKCS#11 key type %d not supported", type); + break; + } + } + enumerator->destroy(enumerator); + return this->pubkey != NULL; +} + +/** + * Find a PIN and try to log in + */ +static bool login(private_pkcs11_private_key_t *this, int slot) +{ + enumerator_t *enumerator; + shared_key_t *shared; + chunk_t pin; + CK_RV rv; + CK_SESSION_INFO info; + bool found = FALSE, success = FALSE; + + rv = this->lib->f->C_GetSessionInfo(this->session, &info); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "C_GetSessionInfo failed: %N", ck_rv_names, rv); + return FALSE; + } + if (info.state != CKS_RO_PUBLIC_SESSION && + info.state != CKS_RW_PUBLIC_SESSION) + { /* already logged in with another session, skip */ + return TRUE; + } + + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PIN, this->keyid, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) + { + found = TRUE; + pin = shared->get_key(shared); + rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len); + if (rv == CKR_OK) + { + success = TRUE; + break; + } + DBG1(DBG_CFG, "login to '%s':%d failed: %N", + this->lib->get_name(this->lib), slot, ck_rv_names, rv); + } + enumerator->destroy(enumerator); + + if (!found) + { + DBG1(DBG_CFG, "no PIN found for PKCS#11 key %Y", this->keyid); + return FALSE; + } + return success; +} + +/** + * See header. + */ +pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args) +{ + private_pkcs11_private_key_t *this; + char *module = NULL; + chunk_t keyid = chunk_empty; + int slot = -1; + CK_RV rv; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_PKCS11_KEYID: + keyid = va_arg(args, chunk_t); + continue; + case BUILD_PKCS11_SLOT: + slot = va_arg(args, int); + continue; + case BUILD_PKCS11_MODULE: + module = va_arg(args, char*); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (!keyid.len) + { + return NULL; + } + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); + + if (module && slot != -1) + { + this->lib = find_lib(module); + if (!this->lib) + { + DBG1(DBG_CFG, "PKCS#11 module '%s' not found", module); + free(this); + return NULL; + } + } + else + { + this->lib = find_lib_by_keyid(keyid, &slot); + if (!this->lib) + { + DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid); + free(this); + return NULL; + } + } + + rv = this->lib->f->C_OpenSession(slot, CKF_SERIAL_SESSION, + NULL, NULL, &this->session); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "opening private key session on '%s':%d failed: %N", + module, slot, ck_rv_names, rv); + free(this); + return NULL; + } + + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->keyid = identification_create_from_encoding(ID_KEY_ID, keyid); + + if (!login(this, slot)) + { + destroy(this); + return NULL; + } + + if (!find_key(this, keyid)) + { + destroy(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h new file mode 100644 index 000000000..428913f0a --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_private_key pkcs11_private_key + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_PRIVATE_KEY_H_ +#define PKCS11_PRIVATE_KEY_H_ + +typedef struct pkcs11_private_key_t pkcs11_private_key_t; + +#include <credentials/builder.h> +#include <credentials/keys/private_key.h> + +#include "pkcs11.h" + +/** + * Private Key implementation on top of PKCS#11. + */ +struct pkcs11_private_key_t { + + /** + * Implements private_key_t interface. + */ + private_key_t key; +}; + +/** + * Open a private key on a PKCS#11 device. + * + * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN arguments. + * + * @param type type of the key + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args); + +/** + * Get the Cryptoki mechanism for a signature scheme. + */ +CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme); + +/** + * Get the Cryptoki mechanism for a encryption scheme. + */ +CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme); + +#endif /** PKCS11_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c new file mode 100644 index 000000000..8d32d9a3f --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -0,0 +1,473 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pkcs11_public_key.h" + +#include "pkcs11.h" +#include "pkcs11_private_key.h" +#include "pkcs11_manager.h" + +#include <debug.h> +#include <threading/mutex.h> + +typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t; + +/** + * Private data of an pkcs11_public_key_t object. + */ +struct private_pkcs11_public_key_t { + + /** + * Public pkcs11_public_key_t interface. + */ + pkcs11_public_key_t public; + + /** + * Type of the key + */ + key_type_t type; + + /** + * Key size in bytes + */ + size_t k; + + /** + * PKCS#11 library this key uses + */ + pkcs11_library_t *lib; + + /** + * Slot the token is in + */ + CK_SLOT_ID slot; + + /** + * Session we use + */ + CK_SESSION_HANDLE session; + + /** + * Object handle to the key + */ + CK_OBJECT_HANDLE object; + + /** + * Mutex to lock session + */ + mutex_t *mutex; + + /** + * References to this key + */ + refcount_t ref; +}; + +METHOD(public_key_t, get_type, key_type_t, + private_pkcs11_public_key_t *this) +{ + return this->type; +} + +METHOD(public_key_t, get_keysize, int, + private_pkcs11_public_key_t *this) +{ + return this->k * 8; +} + +METHOD(public_key_t, verify, bool, + private_pkcs11_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t sig) +{ + CK_MECHANISM_PTR mechanism; + CK_RV rv; + + mechanism = pkcs11_signature_scheme_to_mech(scheme); + if (!mechanism) + { + DBG1(DBG_LIB, "signature scheme %N not supported", + signature_scheme_names, scheme); + return FALSE; + } + if (sig.len && sig.ptr[0] == 0) + { /* trim leading zero byte in sig */ + sig = chunk_skip(sig, 1); + } + this->mutex->lock(this->mutex); + rv = this->lib->f->C_VerifyInit(this->session, mechanism, this->object); + if (rv != CKR_OK) + { + this->mutex->unlock(this->mutex); + DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv); + return FALSE; + } + rv = this->lib->f->C_Verify(this->session, data.ptr, data.len, + sig.ptr, sig.len); + this->mutex->unlock(this->mutex); + if (rv != CKR_OK) + { + DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv); + return FALSE; + } + return TRUE; +} + +METHOD(public_key_t, encrypt, bool, + private_pkcs11_public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *crypt) +{ + CK_MECHANISM_PTR mechanism; + CK_BYTE_PTR buf; + CK_ULONG len; + CK_RV rv; + + mechanism = pkcs11_encryption_scheme_to_mech(scheme); + if (!mechanism) + { + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; + } + this->mutex->lock(this->mutex); + rv = this->lib->f->C_EncryptInit(this->session, mechanism, this->object); + if (rv != CKR_OK) + { + this->mutex->unlock(this->mutex); + DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv); + return FALSE; + } + len = (get_keysize(this) + 7) / 8; + buf = malloc(len); + rv = this->lib->f->C_Encrypt(this->session, plain.ptr, plain.len, buf, &len); + this->mutex->unlock(this->mutex); + if (rv != CKR_OK) + { + DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv); + free(buf); + return FALSE; + } + *crypt = chunk_create(buf, len); + return TRUE; +} + +/** + * Encode RSA key using a given encoding type + */ +static bool encode_rsa(private_pkcs11_public_key_t *this, + cred_encoding_type_t type, void *cache, chunk_t *encoding) +{ + CK_RV rv; + bool success = FALSE; + chunk_t n, e; + CK_ATTRIBUTE attr[] = { + {CKA_MODULUS, NULL, 0}, + {CKA_PUBLIC_EXPONENT, NULL, 0}, + }; + + rv = this->lib->f->C_GetAttributeValue(this->session, this->object, + attr, countof(attr)); + if (rv != CKR_OK || + attr[0].ulValueLen == 0 || attr[0].ulValueLen == -1 || + attr[1].ulValueLen == 0 || attr[1].ulValueLen == -1) + { + return FALSE; + } + attr[0].pValue = malloc(attr[0].ulValueLen); + attr[1].pValue = malloc(attr[1].ulValueLen); + rv = this->lib->f->C_GetAttributeValue(this->session, this->object, + attr, countof(attr)); + if (rv == CKR_OK) + { + n = chunk_create(attr[0].pValue, attr[0].ulValueLen); + e = chunk_create(attr[1].pValue, attr[1].ulValueLen); + success = lib->encoding->encode(lib->encoding, type, cache, encoding, + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); + } + free(attr[0].pValue); + free(attr[1].pValue); + return success; +} + +METHOD(public_key_t, get_encoding, bool, + private_pkcs11_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + switch (this->type) + { + case KEY_RSA: + return encode_rsa(this, type, NULL, encoding); + default: + return FALSE; + } +} + +METHOD(public_key_t, get_fingerprint, bool, + private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp) +{ + if (lib->encoding->get_cache(lib->encoding, type, this, fp)) + { + return TRUE; + } + switch (this->type) + { + case KEY_RSA: + return encode_rsa(this, type, this, fp); + default: + return FALSE; + } +} + +METHOD(public_key_t, get_ref, public_key_t*, + private_pkcs11_public_key_t *this) +{ + ref_get(&this->ref); + return &this->public.key; +} + +METHOD(public_key_t, destroy, void, + private_pkcs11_public_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this); + this->lib->f->C_CloseSession(this->session); + this->mutex->destroy(this->mutex); + free(this); + } +} + +/** + * Create an empty PKCS#11 public key + */ +static private_pkcs11_public_key_t *create(key_type_t type, size_t k, + pkcs11_library_t *p11, CK_SLOT_ID slot, + CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object) +{ + private_pkcs11_public_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt, + .equals = public_key_equals, + .get_keysize = _get_keysize, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .type = type, + .k = k, + .lib = p11, + .slot = slot, + .session = session, + .object = object, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .ref = 1, + ); + + return this; +} + +/** + * Find a key object, including PKCS11 library and slot + */ +static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e) +{ + private_pkcs11_public_key_t *this = NULL; + pkcs11_manager_t *manager; + enumerator_t *enumerator, *keys; + pkcs11_library_t *p11; + CK_SLOT_ID slot; + + manager = pkcs11_manager_get(); + if (!manager) + { + return NULL; + } + + enumerator = manager->create_token_enumerator(manager); + while (enumerator->enumerate(enumerator, &p11, &slot)) + { + CK_OBJECT_CLASS class = CKO_PUBLIC_KEY; + CK_KEY_TYPE type = CKK_RSA; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_KEY_TYPE, &type, sizeof(type)}, + {CKA_MODULUS, n.ptr, n.len}, + {CKA_PUBLIC_EXPONENT, e.ptr, e.len}, + }; + CK_OBJECT_HANDLE object; + CK_SESSION_HANDLE session; + CK_RV rv; + + rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, + &session); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv); + continue; + } + keys = p11->create_object_enumerator(p11, session, + tmpl, countof(tmpl), NULL, 0); + if (keys->enumerate(keys, &object)) + { + this = create(KEY_RSA, n.len, p11, slot, session, object); + keys->destroy(keys); + break; + } + keys->destroy(keys); + p11->f->C_CloseSession(session); + } + enumerator->destroy(enumerator); + return this; +} + +/** + * Create a key object in a suitable token session + */ +static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e) +{ + private_pkcs11_public_key_t *this = NULL; + pkcs11_manager_t *manager; + enumerator_t *enumerator, *mechs; + pkcs11_library_t *p11; + CK_SLOT_ID slot; + + manager = pkcs11_manager_get(); + if (!manager) + { + return NULL; + } + + enumerator = manager->create_token_enumerator(manager); + while (enumerator->enumerate(enumerator, &p11, &slot)) + { + CK_MECHANISM_TYPE mech; + CK_MECHANISM_INFO info; + CK_OBJECT_CLASS class = CKO_PUBLIC_KEY; + CK_KEY_TYPE type = CKK_RSA; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_KEY_TYPE, &type, sizeof(type)}, + {CKA_MODULUS, n.ptr, n.len}, + {CKA_PUBLIC_EXPONENT, e.ptr, e.len} + }; + CK_OBJECT_HANDLE object; + CK_SESSION_HANDLE session; + CK_RV rv; + + mechs = p11->create_mechanism_enumerator(p11, slot); + while (mechs->enumerate(mechs, &mech, &info)) + { + if (!(info.flags & CKF_VERIFY)) + { + continue; + } + switch (mech) + { + case CKM_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + break; + default: + continue; + } + rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, + &session); + if (rv != CKR_OK) + { + DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", + ck_rv_names, rv); + continue; + } + rv = p11->f->C_CreateObject(session, tmpl, countof(tmpl), &object); + if (rv == CKR_OK) + { + this = create(KEY_RSA, n.len, p11, slot, session, object); + DBG2(DBG_CFG, "created RSA public key on token '%s':%d ", + p11->get_name(p11), slot); + break; + } + else + { + DBG1(DBG_CFG, "creating RSA public key on token '%s':%d " + "failed: %N", p11->get_name(p11), slot, ck_rv_names, rv); + p11->f->C_CloseSession(session); + } + } + mechs->destroy(mechs); + if (this) + { + break; + } + } + enumerator->destroy(enumerator); + return this; +} + +/** + * See header + */ +pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args) +{ + private_pkcs11_public_key_t *this; + chunk_t n, e; + + n = e = chunk_empty; + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_RSA_MODULUS: + n = va_arg(args, chunk_t); + continue; + case BUILD_RSA_PUB_EXP: + e = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (type == KEY_RSA && e.ptr && n.ptr) + { + if (n.len && n.ptr[0] == 0) + { /* trim leading zero byte in modulus */ + n = chunk_skip(n, 1); + } + this = find_rsa_key(n, e); + if (this) + { + return &this->public; + } + this = create_rsa_key(n, e); + if (this) + { + return &this->public; + } + } + return NULL; +} + diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h new file mode 100644 index 000000000..4fd94620e --- /dev/null +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pkcs11_public_key pkcs11_public_key + * @{ @ingroup pkcs11 + */ + +#ifndef PKCS11_PUBLIC_KEY_H_ +#define PKCS11_PUBLIC_KEY_H_ + +typedef struct pkcs11_public_key_t pkcs11_public_key_t; + +#include <credentials/builder.h> +#include <credentials/keys/private_key.h> + +/** + * PKCS#11 based public key implementation. + */ +struct pkcs11_public_key_t { + + /** + * Implements public_key_t. + */ + public_key_t key; +}; + +/** + * Create a public key in a PKCS#11 session. + * + * @param type type of the key + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args); + +#endif /** PKCS11_PUBLIC_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 336d0bc02..e1427bf15 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -189,7 +189,6 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) plugin = load_plugin(this, path, token); if (plugin) { - /* insert in front to destroy them in reverse order */ this->plugins->insert_last(this->plugins, plugin); this->names->insert_last(this->names, token); } @@ -215,12 +214,13 @@ static void unload(private_plugin_loader_t *this) plugin_t *plugin; char *name; - while (this->plugins->remove_first(this->plugins, + /* unload plugins in reverse order */ + while (this->plugins->remove_last(this->plugins, (void**)&plugin) == SUCCESS) { plugin->destroy(plugin); } - while (this->names->remove_first(this->names, (void**)&name) == SUCCESS) + while (this->names->remove_last(this->names, (void**)&name) == SUCCESS) { free(name); } diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 4dc5985cd..495223855 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c index b0eabc9ee..6f41ada2a 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c @@ -50,7 +50,7 @@ plugin_t *pubkey_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE, (builder_function_t)pubkey_cert_wrap); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index af929080d..efd24c761 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 871566e65..16a9d21c5 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c index d352a9583..02393b907 100644 --- a/src/libstrongswan/plugins/revocation/revocation_plugin.c +++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c @@ -52,7 +52,11 @@ plugin_t *revocation_plugin_create() private_revocation_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .validator = revocation_validator_create(), ); lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 703764e5e..1036bedfc 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 5e490f2e5..579e6f9b0 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -195,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -242,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 6d81d0d81..9c9b57f98 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 6d3b05d19..049301977 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -13,9 +13,14 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \ test_vectors/3des_cbc.c \ test_vectors/aes_cbc.c \ + test_vectors/aes_ctr.c \ test_vectors/aes_xcbc.c \ + test_vectors/aes_ccm.c \ + test_vectors/aes_gcm.c \ test_vectors/blowfish.c \ test_vectors/camellia_cbc.c \ + test_vectors/camellia_ctr.c \ + test_vectors/camellia_xcbc.c \ test_vectors/cast.c \ test_vectors/des.c \ test_vectors/idea.c \ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 20a6db81e..9be3f825a 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -75,10 +76,11 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_test_vectors_la_LIBADD = am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ - 3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \ - cast.lo des.lo idea.lo null.lo rc5.lo serpent_cbc.lo \ - twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo sha1.lo \ - sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo + 3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_ccm.lo \ + aes_gcm.lo blowfish.lo camellia_cbc.lo camellia_ctr.lo \ + camellia_xcbc.lo cast.lo des.lo idea.lo null.lo rc5.lo \ + serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo \ + sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo libstrongswan_test_vectors_la_OBJECTS = \ $(am_libstrongswan_test_vectors_la_OBJECTS) libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \ @@ -171,6 +173,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +206,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +231,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +263,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -269,9 +286,14 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \ test_vectors/3des_cbc.c \ test_vectors/aes_cbc.c \ + test_vectors/aes_ctr.c \ test_vectors/aes_xcbc.c \ + test_vectors/aes_ccm.c \ + test_vectors/aes_gcm.c \ test_vectors/blowfish.c \ test_vectors/camellia_cbc.c \ + test_vectors/camellia_ctr.c \ + test_vectors/camellia_xcbc.c \ test_vectors/cast.c \ test_vectors/des.c \ test_vectors/idea.c \ @@ -376,9 +398,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/3des_cbc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ccm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ctr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_gcm.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_cbc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_ctr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_xcbc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cast.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@ @@ -433,6 +460,13 @@ aes_cbc.lo: test_vectors/aes_cbc.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c +aes_ctr.lo: test_vectors/aes_ctr.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c + aes_xcbc.lo: test_vectors/aes_xcbc.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo @@ -440,6 +474,20 @@ aes_xcbc.lo: test_vectors/aes_xcbc.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c +aes_ccm.lo: test_vectors/aes_ccm.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c + +aes_gcm.lo: test_vectors/aes_gcm.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c + blowfish.lo: test_vectors/blowfish.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo @@ -454,6 +502,20 @@ camellia_cbc.lo: test_vectors/camellia_cbc.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c +camellia_ctr.lo: test_vectors/camellia_ctr.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c + +camellia_xcbc.lo: test_vectors/camellia_xcbc.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c + cast.lo: test_vectors/cast.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index b182dd829..ab4689c1c 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -19,6 +19,15 @@ TEST_VECTOR_CRYPTER(aes_cbc3) TEST_VECTOR_CRYPTER(aes_cbc4) TEST_VECTOR_CRYPTER(aes_cbc5) TEST_VECTOR_CRYPTER(aes_cbc6) +TEST_VECTOR_CRYPTER(aes_ctr1) +TEST_VECTOR_CRYPTER(aes_ctr2) +TEST_VECTOR_CRYPTER(aes_ctr3) +TEST_VECTOR_CRYPTER(aes_ctr4) +TEST_VECTOR_CRYPTER(aes_ctr5) +TEST_VECTOR_CRYPTER(aes_ctr6) +TEST_VECTOR_CRYPTER(aes_ctr7) +TEST_VECTOR_CRYPTER(aes_ctr8) +TEST_VECTOR_CRYPTER(aes_ctr9) TEST_VECTOR_CRYPTER(blowfish1) TEST_VECTOR_CRYPTER(blowfish2) TEST_VECTOR_CRYPTER(camellia_cbc1) @@ -27,6 +36,15 @@ TEST_VECTOR_CRYPTER(camellia_cbc3) TEST_VECTOR_CRYPTER(camellia_cbc4) TEST_VECTOR_CRYPTER(camellia_cbc5) TEST_VECTOR_CRYPTER(camellia_cbc6) +TEST_VECTOR_CRYPTER(camellia_ctr1) +TEST_VECTOR_CRYPTER(camellia_ctr2) +TEST_VECTOR_CRYPTER(camellia_ctr3) +TEST_VECTOR_CRYPTER(camellia_ctr4) +TEST_VECTOR_CRYPTER(camellia_ctr5) +TEST_VECTOR_CRYPTER(camellia_ctr6) +TEST_VECTOR_CRYPTER(camellia_ctr7) +TEST_VECTOR_CRYPTER(camellia_ctr8) +TEST_VECTOR_CRYPTER(camellia_ctr9) TEST_VECTOR_CRYPTER(cast1) TEST_VECTOR_CRYPTER(des_cbc1) TEST_VECTOR_CRYPTER(des_cbc2) @@ -49,11 +67,31 @@ TEST_VECTOR_CRYPTER(twofish_cbc1) TEST_VECTOR_CRYPTER(twofish_cbc2) TEST_VECTOR_CRYPTER(twofish_cbc3) +TEST_VECTOR_AEAD(aes_ccm1) +TEST_VECTOR_AEAD(aes_ccm2) +TEST_VECTOR_AEAD(aes_ccm3) +TEST_VECTOR_AEAD(aes_ccm4) +TEST_VECTOR_AEAD(aes_ccm5) +TEST_VECTOR_AEAD(aes_ccm6) +TEST_VECTOR_AEAD(aes_ccm7) +TEST_VECTOR_AEAD(aes_ccm8) +TEST_VECTOR_AEAD(aes_ccm9) +TEST_VECTOR_AEAD(aes_ccm10) +TEST_VECTOR_AEAD(aes_ccm11) +TEST_VECTOR_AEAD(aes_gcm1) +TEST_VECTOR_AEAD(aes_gcm2) +TEST_VECTOR_AEAD(aes_gcm3) +TEST_VECTOR_AEAD(aes_gcm4) +TEST_VECTOR_AEAD(aes_gcm5) +TEST_VECTOR_AEAD(aes_gcm6) +TEST_VECTOR_AEAD(aes_gcm7) + TEST_VECTOR_SIGNER(aes_xcbc_s1) TEST_VECTOR_SIGNER(aes_xcbc_s2) TEST_VECTOR_SIGNER(aes_xcbc_s3) TEST_VECTOR_SIGNER(aes_xcbc_s4) TEST_VECTOR_SIGNER(aes_xcbc_s5) +TEST_VECTOR_SIGNER(camellia_xcbc_s1) TEST_VECTOR_SIGNER(md5_hmac_s1) TEST_VECTOR_SIGNER(md5_hmac_s2) TEST_VECTOR_SIGNER(md5_hmac_s3) @@ -118,6 +156,9 @@ TEST_VECTOR_PRF(aes_xcbc_p4) TEST_VECTOR_PRF(aes_xcbc_p5) TEST_VECTOR_PRF(aes_xcbc_p6) TEST_VECTOR_PRF(aes_xcbc_p7) +TEST_VECTOR_PRF(camellia_xcbc_p1) +TEST_VECTOR_PRF(camellia_xcbc_p2) +TEST_VECTOR_PRF(camellia_xcbc_p3) TEST_VECTOR_PRF(md5_hmac_p1) TEST_VECTOR_PRF(md5_hmac_p2) TEST_VECTOR_PRF(md5_hmac_p3) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c new file mode 100644 index 000000000..8de180ad5 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c @@ -0,0 +1,157 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <crypto/crypto_tester.h> + +/** + * Test vectors with 11 bytes nonces are hard to find, neither RFC3610 nor + * NIST 800-38C has one. These vectors are taken from the Linux kernel, + * originally from "fips cavs fax files on hand at Red Hat". + */ +aead_test_vector_t aes_ccm1 = { + .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0, + .key = "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e" + "\x96\xac\x59", + .iv = "\x30\x07\xa1\xe2\xa2\xc7\x55\x24", + .plain = "\x19\xc8\x81\xf6\xe9\x86\xff\x93\x0b\x78\x67\xe5\xbb\xb7\xfc\x6e" + "\x83\x77\xb3\xa6\x0c\x8c\x9f\x9c\x35\x2e\xad\xe0\x62\xf9\x91\xa1", + .cipher = "\xab\x6f\xe1\x69\x1d\x19\x99\xa8\x92\xa0\xc4\x6f\x7e\xe2\x8b\xb1" + "\x70\xbb\x8c\xa6\x4c\x6e\x97\x8a\x57\x2b\xbe\x5d\x98\xa6\xb1\x32" + "\xda\x24\xea\xd9\xa1\x39\x98\xfd\xa4\xbe\xd9\xf2\x1a\x6d\x22\xa8", +}; + +aead_test_vector_t aes_ccm2 = { + .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32, + .key = "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3" + "\x4f\xa3\x19", + .iv = "\xd3\x01\x5a\xd8\x30\x60\x15\x56", + .adata = "\xda\xe6\x28\x9c\x45\x2d\xfd\x63\x5e\xda\x4c\xb6\xe6\xfc\xf9\xb7" + "\x0c\x56\xcb\xe4\xe0\x05\x7a\xe1\x0a\x63\x09\x78\xbc\x2c\x55\xde", + .plain = "\x87\xa3\x36\xfd\x96\xb3\x93\x78\xa9\x28\x63\xba\x12\xa3\x14\x85" + "\x57\x1e\x06\xc9\x7b\x21\xef\x76\x7f\x38\x7e\x8e\x29\xa4\x3e\x7e", + .cipher = "\x8a\x1e\x11\xf0\x02\x6b\xe2\x19\xfc\x70\xc4\x6d\x8e\xb7\x99\xab" + "\xc5\x4b\xa2\xac\xd3\xf3\x48\xff\x3b\xb5\xce\x53\xef\xde\xbb\x02" + "\xa9\x86\x15\x6c\x13\xfe\xda\x0a\x22\xb8\x29\x3d\xd8\x39\x9a\x23", +}; + +aead_test_vector_t aes_ccm3 = { + .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32, + .key = "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75" + "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35", + .iv = "\x26\xf2\x21\x8d\x50\x20\xda\xe2", + .adata = "\x5b\x9e\x13\x67\x02\x5e\xef\xc1\x6c\xf9\xd7\x1e\x52\x8f\x7a\x47" + "\xe9\xd4\xcf\x20\x14\x6e\xf0\x2d\xd8\x9e\x2b\x56\x10\x23\x56\xe7", + .cipher = "\x36\xea\x7a\x70\x08\xdc\x6a\xbc\xad\x0c\x7a\x63\xf6\x61\xfd\x9b", +}; + +aead_test_vector_t aes_ccm4 = { + .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32, + .key = "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62" + "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c", + .iv = "\x86\x84\xb6\xcd\xef\x09\x2e\x94", + .adata = "\x02\x65\x78\x3c\xe9\x21\x30\x91\xb1\xb9\xda\x76\x9a\x78\x6d\x95" + "\xf2\x88\x32\xa3\xf2\x50\xcb\x4c\xe3\x00\x73\x69\x84\x69\x87\x79", + .plain = "\x9f\xd2\x02\x4b\x52\x49\x31\x3c\x43\x69\x3a\x2d\x8e\x70\xad\x7e" + "\xe0\xe5\x46\x09\x80\x89\x13\xb2\x8c\x8b\xd9\x3f\x86\xfb\xb5\x6b", + .cipher = "\x39\xdf\x7c\x3c\x5a\x29\xb9\x62\x5d\x51\xc2\x16\xd8\xbd\x06\x9f" + "\x9b\x6a\x09\x70\xc1\x51\x83\xc2\x66\x88\x1d\x4f\x9a\xda\xe0\x1e" + "\xc7\x79\x11\x58\xe5\x6b\x20\x40\x7a\xea\x46\x42\x8b\xe4\x6f\xe1", +}; + +aead_test_vector_t aes_ccm5 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32, + .key = "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a" + "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b" + "\x1e\x29\x91", + .iv = "\xad\x8e\xc1\x53\x0a\xcf\x2d\xbe", + .adata = "\x19\xb6\x1f\x57\xc4\xf3\xf0\x8b\x78\x2b\x94\x02\x29\x0f\x42\x27" + "\x6b\x75\xcb\x98\x34\x08\x7e\x79\xe4\x3e\x49\x0d\x84\x8b\x22\x87", + .plain = "\xe1\xd9\xd8\x13\xeb\x3a\x75\x3f\x9d\xbd\x5f\x66\xbe\xdc\xbb\x66" + "\xbf\x17\x99\x62\x4a\x39\x27\x1f\x1d\xdc\x24\xae\x19\x2f\x98\x4c", + .cipher = "\x19\xb8\x61\x33\x45\x2b\x43\x96\x6f\x51\xd0\x20\x30\x7d\x9b\xc6" + "\x26\x3d\xf8\xc9\x65\x16\xa8\x9f\xf0\x62\x17\x34\xf2\x1e\x8d\x75" + "\x4e\x13\xcc\xc0\xc3\x2a\x54\x2d", +}; + +aead_test_vector_t aes_ccm6 = { + .alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32, + .key = "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32" + "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39" + "\xf9\xd9\x4e", + .iv = "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50", + .adata = "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35" + "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13", + .plain = "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89" + "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4", + .cipher = "\xb0\x88\x5a\x33\xaa\xe5\xc7\x1d\x85\x23\xc7\xc6\x2f\xf4\x1e\x3d" + "\xcc\x63\x44\x25\x07\x78\x4f\x9e\x96\xb8\x88\xeb\xbc\x48\x1f\x06" + "\x39\xaf\x39\xac\xd8\x4a\x80\x39\x7b\x72\x8a\xf7", +}; + +aead_test_vector_t aes_ccm7 = { + .alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32, + .key = "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46" + "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b" + "\x24\xa7\x8b", + .iv = "\x07\xcb\xcc\x0e\xe6\x33\xbf\xf5", + .adata = "\xd4\xdb\x30\x1d\x03\xfe\xfd\x5f\x87\xd4\x8c\xb6\xb6\xf1\x7a\x5d" + "\xab\x90\x65\x8d\x8e\xca\x4d\x4f\x16\x0c\x40\x90\x4b\xc7\x36\x73", + .plain = "\xf5\xc6\x7d\x48\xc1\xb7\xe6\x92\x97\x5a\xca\xc4\xa9\x6d\xf9\x3d" + "\x6c\xde\xbc\xf1\x90\xea\x6a\xb2\x35\x86\x36\xaf\x5c\xfe\x4b\x3a", + .cipher = "\x83\x6f\x40\x87\x72\xcf\xc1\x13\xef\xbb\x80\x21\x04\x6c\x58\x09" + "\x07\x1b\xfc\xdf\xc0\x3f\x5b\xc7\xe0\x79\xa8\x6e\x71\x7c\x3f\xcf" + "\x5c\xda\xb2\x33\xe5\x13\xe2\x0d\x74\xd1\xef\xb5\x0f\x3a\xb5\xf8", +}; + +aead_test_vector_t aes_ccm8 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0, + .key = "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9" + "\xaf\x94\x87", + .iv = "\x78\x35\x82\x81\x7f\x88\x94\x68", + .cipher = "\x41\x3c\xb8\x87\x73\xcb\xf3\xf3", +}; + +aead_test_vector_t aes_ccm9 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32, + .key = "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3" + "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .adata = "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64" + "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61", + .cipher = "\x71\x99\xfa\xf4\x44\x12\x68\x9b", +}; + +aead_test_vector_t aes_ccm10 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0, + .key = "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c" + "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff" + "\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .cipher = "\x1f\xb8\x8f\xa3\xdd\x54\x00\xf2", +}; + +aead_test_vector_t aes_ccm11 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32, + .key = "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0" + "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .adata = "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64" + "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61", + .plain = "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb" + "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4\xc3\x0f\xdc\x55\x81", + .cipher = "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2" + "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f" + "\xb1\xd2\x40\xbc\x52\x7c\x6f\xb1", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c new file mode 100644 index 000000000..1e5126a70 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <crypto/crypto_tester.h> + +/** + * Test 1 of RFC3686 + */ +crypter_test_vector_t aes_ctr1 = { + .alg = ENCR_AES_CTR, .key_size = 16, .len = 16, + .key = "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e" + "\x00\x00\x00\x30", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "Single block msg", + .cipher = "\xe4\x09\x5d\x4f\xb7\xa7\xb3\x79\x2d\x61\x75\xa3\x26\x13\x11\xb8" +}; + +/** + * Test 2 of RFC3686 + */ +crypter_test_vector_t aes_ctr2 = { + .alg = ENCR_AES_CTR, .key_size = 16, .len = 32, + .key = "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63" + "\x00\x6c\xb6\xdb", + .iv = "\xc0\x54\x3b\x59\xda\x48\xd9\x0b", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\x51\x04\xa1\x06\x16\x8a\x72\xd9\x79\x0d\x41\xee\x8e\xda\xd3\x88" + "\xeb\x2e\x1e\xfc\x46\xda\x57\xc8\xfc\xe6\x30\xdf\x91\x41\xbe\x28" +}; + +/** + * Test 3 of RFC3686 + */ +crypter_test_vector_t aes_ctr3 = { + .alg = ENCR_AES_CTR, .key_size = 16, .len = 36, + .key = "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc" + "\x00\xe0\x01\x7b", + .iv = "\x27\x77\x7f\x3f\x4a\x17\x86\xf0", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\xc1\xcf\x48\xa8\x9f\x2f\xfd\xd9\xcf\x46\x52\xe9\xef\xdb\x72\xd7" + "\x45\x40\xa4\x2b\xde\x6d\x78\x36\xd5\x9a\x5c\xea\xae\xf3\x10\x53" + "\x25\xb2\x07\x2f", +}; + +/** + * Test 4 of RFC3686 + */ +crypter_test_vector_t aes_ctr4 = { + .alg = ENCR_AES_CTR, .key_size = 24, .len = 16, + .key = "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed" + "\x86\x3d\x06\xcc\xfd\xb7\x85\x15" + "\x00\x00\x00\x48", + .iv = "\x36\x73\x3c\x14\x7d\x6d\x93\xcb", + .plain = "Single block msg", + .cipher = "\x4b\x55\x38\x4f\xe2\x59\xc9\xc8\x4e\x79\x35\xa0\x03\xcb\xe9\x28", +}; + +/** + * Test 5 of RFC3686 + */ +crypter_test_vector_t aes_ctr5 = { + .alg = ENCR_AES_CTR, .key_size = 24, .len = 32, + .key = "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c" + "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a" + "\x00\x96\xb0\x3b", + .iv = "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\x45\x32\x43\xfc\x60\x9b\x23\x32\x7e\xdf\xaa\xfa\x71\x31\xcd\x9f" + "\x84\x90\x70\x1c\x5a\xd4\xa7\x9c\xfc\x1f\xe0\xff\x42\xf4\xfb\x00", +}; + +/** + * Test 6 of RFC3686 + */ +crypter_test_vector_t aes_ctr6 = { + .alg = ENCR_AES_CTR, .key_size = 24, .len = 36, + .key = "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b" + "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe" + "\x00\x07\xbd\xfd", + .iv = "\x5c\xbd\x60\x27\x8d\xcc\x09\x12", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\x96\x89\x3f\xc5\x5e\x5c\x72\x2f\x54\x0b\x7d\xd1\xdd\xf7\xe7\x58" + "\xd2\x88\xbc\x95\xc6\x91\x65\x88\x45\x36\xc8\x11\x66\x2f\x21\x88" + "\xab\xee\x09\x35", +}; + +/** + * Test 7 of RFC3686 + */ +crypter_test_vector_t aes_ctr7 = { + .alg = ENCR_AES_CTR, .key_size = 32, .len = 16, + .key = "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c" + "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04" + "\x00\x00\x00\x60", + .iv = "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2", + .plain = "Single block msg", + .cipher = "\x14\x5a\xd0\x1d\xbf\x82\x4e\xc7\x56\x08\x63\xdc\x71\xe3\xe0\xc0", +}; + +/** + * Test 8 of RFC3686 + */ +crypter_test_vector_t aes_ctr8 = { + .alg = ENCR_AES_CTR, .key_size = 32, .len = 32, + .key = "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86" + "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84" + "\x00\xfa\xac\x24", + .iv = "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\xf0\x5e\x23\x1b\x38\x94\x61\x2c\x49\xee\x00\x0b\x80\x4e\xb2\xa9" + "\xb8\x30\x6b\x50\x8f\x83\x9d\x6a\x55\x30\x83\x1d\x93\x44\xaf\x1c", +}; + +/** + * Test 9 of RFC3686 + */ +crypter_test_vector_t aes_ctr9 = { + .alg = ENCR_AES_CTR, .key_size = 32, .len = 36, + .key = "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2" + "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d" + "\x00\x1c\xc5\xb7", + .iv = "\x51\xa5\x1d\x70\xa1\xc1\x11\x48", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\xeb\x6c\x52\x82\x1d\x0b\xbb\xf7\xce\x75\x94\x46\x2a\xca\x4f\xaa" + "\xb4\x07\xdf\x86\x65\x69\xfd\x07\xf4\x8c\xc0\xb5\x83\xd6\x07\x1f" + "\x1e\xc0\xe6\xb8", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c new file mode 100644 index 000000000..7534633e1 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c @@ -0,0 +1,139 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <crypto/crypto_tester.h> + +/** + * From the Linux kernel, those with an IV. Originally from + * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html + */ +aead_test_vector_t aes_gcm1 = { + .alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55", + .cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c" + "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e" + "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05" + "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" + "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6", +}; + +aead_test_vector_t aes_gcm2 = { + .alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55", + .cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c" + "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e" + "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05" + "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" + "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd", +}; + +aead_test_vector_t aes_gcm3 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55", + .cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c" + "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e" + "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05" + "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" + "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4", +}; + +aead_test_vector_t aes_gcm4 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2", + .cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c" + "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e" + "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05" + "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc" + "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47", +}; + +aead_test_vector_t aes_gcm5 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55", + .cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57" + "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c" + "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47" + "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56" + "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14", +}; + +aead_test_vector_t aes_gcm6 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55", + .cipher = "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d" + "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa" + "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38" + "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad" + "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c", +}; + +aead_test_vector_t aes_gcm7 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39", + .cipher = "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d" + "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa" + "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38" + "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce" + "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b", +}; + diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c new file mode 100644 index 000000000..241e6ca7a --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <crypto/crypto_tester.h> + +/** + * Test 1 of RFC5528 + */ +crypter_test_vector_t camellia_ctr1 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 16, + .key = "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e" + "\x00\x00\x00\x30", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "Single block msg", + .cipher = "\xd0\x9d\xc2\x9a\x82\x14\x61\x9a\x20\x87\x7c\x76\xdb\x1f\x0b\x3f" +}; + +/** + * Test 2 of RFC5528 + */ +crypter_test_vector_t camellia_ctr2 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 32, + .key = "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63" + "\x00\x6c\xb6\xdb", + .iv = "\xc0\x54\x3b\x59\xda\x48\xd9\x0b", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\xdb\xf3\xc7\x8d\xc0\x83\x96\xd4\xda\x7c\x90\x77\x65\xbb\xcb\x44" + "\x2b\x8e\x8e\x0f\x31\xf0\xdc\xa7\x2c\x74\x17\xe3\x53\x60\xe0\x48" +}; + +/** + * Test 3 of RFC5528 + */ +crypter_test_vector_t camellia_ctr3 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 36, + .key = "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc" + "\x00\xe0\x01\x7b", + .iv = "\x27\x77\x7f\x3f\x4a\x17\x86\xf0", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\xb1\x9d\x1f\xcd\xcb\x75\xeb\x88\x2f\x84\x9c\xe2\x4d\x85\xcf\x73" + "\x9c\xe6\x4b\x2b\x5c\x9d\x73\xf1\x4f\x2d\x5d\x9d\xce\x98\x89\xcd" + "\xdf\x50\x86\x96", +}; + +/** + * Test 4 of RFC5528 + */ +crypter_test_vector_t camellia_ctr4 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 16, + .key = "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed" + "\x86\x3d\x06\xcc\xfd\xb7\x85\x15" + "\x00\x00\x00\x48", + .iv = "\x36\x73\x3c\x14\x7d\x6d\x93\xcb", + .plain = "Single block msg", + .cipher = "\x23\x79\x39\x9e\x8a\x8d\x2b\x2b\x16\x70\x2f\xc7\x8b\x9e\x96\x96", +}; + +/** + * Test 5 of RFC5528 + */ +crypter_test_vector_t camellia_ctr5 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 32, + .key = "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c" + "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a" + "\x00\x96\xb0\x3b", + .iv = "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\x7d\xef\x34\xf7\xa5\xd0\xe4\x15\x67\x4b\x7f\xfc\xae\x67\xc7\x5d" + "\xd0\x18\xb8\x6f\xf2\x30\x51\xe0\x56\x39\x2a\x99\xf3\x5a\x4c\xed", +}; + +/** + * Test 6 of RFC5528 + */ +crypter_test_vector_t camellia_ctr6 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 36, + .key = "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b" + "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe" + "\x00\x07\xbd\xfd", + .iv = "\x5c\xbd\x60\x27\x8d\xcc\x09\x12", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\x57\x10\xe5\x56\xe1\x48\x7a\x20\xb5\xac\x0e\x73\xf1\x9e\x4e\x78" + "\x76\xf3\x7f\xdc\x91\xb1\xef\x4d\x4d\xad\xe8\xe6\x66\xa6\x4d\x0e" + "\xd5\x57\xab\x57", +}; + +/** + * Test 7 of RFC5528 + */ +crypter_test_vector_t camellia_ctr7 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 16, + .key = "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c" + "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04" + "\x00\x00\x00\x60", + .iv = "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2", + .plain = "Single block msg", + .cipher = "\x34\x01\xf9\xc8\x24\x7e\xff\xce\xbd\x69\x94\x71\x4c\x1b\xbb\x11", +}; + +/** + * Test 8 of RFC5528 + */ +crypter_test_vector_t camellia_ctr8 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 32, + .key = "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86" + "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84" + "\x00\xfa\xac\x24", + .iv = "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + .cipher = "\xd6\xc3\x03\x92\x24\x6f\x78\x08\xa8\x3c\x2b\x22\xa8\x83\x9e\x45" + "\xe5\x1c\xd4\x8a\x1c\xdf\x40\x6e\xbc\x9c\xc2\xd3\xab\x83\x41\x08", +}; + +/** + * Test 9 of RFC5528 + */ +crypter_test_vector_t camellia_ctr9 = { + .alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 36, + .key = "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2" + "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d" + "\x00\x1c\xc5\xb7", + .iv = "\x51\xa5\x1d\x70\xa1\xc1\x11\x48", + .plain = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23", + .cipher = "\xa4\xda\x23\xfc\xe6\xa5\xff\xaa\x6d\x64\xae\x9a\x06\x52\xa4\x2c" + "\xd1\x61\xa3\x4b\x65\xf9\x67\x9f\x75\xc0\x1f\x10\x1f\x71\x27\x6f" + "\x15\xef\x0d\x8d", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c new file mode 100644 index 000000000..2a58b3732 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c @@ -0,0 +1,58 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <crypto/crypto_tester.h> + +/** + * draft-kanno-ipsecme-camellia-xcbc Test Case #1 + */ +signer_test_vector_t camellia_xcbc_s1 = { + .alg = AUTH_CAMELLIA_XCBC_96, .len = 20, + .key = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", + .data = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13", + .mac = "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15", +}; + +prf_test_vector_t camellia_xcbc_p1 = { + .alg = PRF_CAMELLIA128_XCBC, .key_size = 16, .len = 20, + .key = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", + .seed = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13", + .out = "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15\xc5\xe3\x26\xd6", +}; + +/** + * draft-kanno-ipsecme-camellia-xcbc Test Case #2 + */ +prf_test_vector_t camellia_xcbc_p2 = { + .alg = PRF_CAMELLIA128_XCBC, .key_size = 10, .len = 20, + .key = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09", + .seed = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13", + .out = "\xb9\x16\xb4\x23\x42\x0a\x90\x6c\xd7\xd7\xb6\x72\xa2\x4e\x97\x6f", +}; + +/** + * draft-kanno-ipsecme-camellia-xcbc Test #3 + */ +prf_test_vector_t camellia_xcbc_p3 = { + .alg = PRF_CAMELLIA128_XCBC, .key_size = 18, .len = 20, + .key = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\xed\xcb", + .seed = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13", + .out = "\xb9\x71\x46\x36\x9d\x31\x94\x0f\xf5\x7a\x0d\xdf\x22\x33\xc1\xd2", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c index 234d237f3..f3a254d8d 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c @@ -20,6 +20,7 @@ /* define symbols of all test vectors */ #define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x; +#define TEST_VECTOR_AEAD(x) aead_test_vector_t x; #define TEST_VECTOR_SIGNER(x) signer_test_vector_t x; #define TEST_VECTOR_HASHER(x) hasher_test_vector_t x; #define TEST_VECTOR_PRF(x) prf_test_vector_t x; @@ -28,12 +29,14 @@ #include "test_vectors.h" #undef TEST_VECTOR_CRYPTER +#undef TEST_VECTOR_AEAD #undef TEST_VECTOR_SIGNER #undef TEST_VECTOR_HASHER #undef TEST_VECTOR_PRF #undef TEST_VECTOR_RNG #define TEST_VECTOR_CRYPTER(x) +#define TEST_VECTOR_AEAD(x) #define TEST_VECTOR_SIGNER(x) #define TEST_VECTOR_HASHER(x) #define TEST_VECTOR_PRF(x) @@ -48,6 +51,14 @@ static crypter_test_vector_t *crypter[] = { #undef TEST_VECTOR_CRYPTER #define TEST_VECTOR_CRYPTER(x) +#undef TEST_VECTOR_AEAD +#define TEST_VECTOR_AEAD(x) &x, +static aead_test_vector_t *aead[] = { +#include "test_vectors.h" +}; +#undef TEST_VECTOR_AEAD +#define TEST_VECTOR_AEAD(x) + #undef TEST_VECTOR_SIGNER #define TEST_VECTOR_SIGNER(x) &x, static signer_test_vector_t *signer[] = { @@ -116,6 +127,11 @@ plugin_t *test_vectors_plugin_create() lib->crypto->add_test_vector(lib->crypto, ENCRYPTION_ALGORITHM, crypter[i]); } + for (i = 0; i < countof(aead); i++) + { + lib->crypto->add_test_vector(lib->crypto, + AEAD_ALGORITHM, aead[i]); + } for (i = 0; i < countof(signer); i++) { lib->crypto->add_test_vector(lib->crypto, diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index f40427f3f..b1cc2f168 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 92b576aa5..559090aa0 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -260,7 +260,7 @@ static const asn1Object_t otherNameObjects[] = { /** * Extracts an otherName */ -static bool parse_otherName(chunk_t blob, int level0) +static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type) { asn1_parser_t *parser; chunk_t object; @@ -268,7 +268,7 @@ static bool parse_otherName(chunk_t blob, int level0) int oid = OID_UNKNOWN; bool success = FALSE; - parser = asn1_parser_create(otherNameObjects, blob); + parser = asn1_parser_create(otherNameObjects, *blob); parser->set_top_level(parser, level0); while (parser->iterate(parser, &objectID, &object)) @@ -279,13 +279,27 @@ static bool parse_otherName(chunk_t blob, int level0) oid = asn1_known_oid(object); break; case ON_OBJ_VALUE: - if (oid == OID_XMPP_ADDR) + switch (oid) { - if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING, - parser->get_level(parser)+1, "xmppAddr")) - { - goto end; - } + case OID_XMPP_ADDR: + if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING, + parser->get_level(parser)+1, "xmppAddr")) + { + goto end; + } + break; + case OID_USER_PRINCIPAL_NAME: + if (asn1_parse_simple_object(&object, ASN1_UTF8STRING, + parser->get_level(parser)+1, "msUPN")) + { /* we handle UPNs as RFC822 addr */ + *blob = object; + *type = ID_RFC822_ADDR; + } + else + { + goto end; + } + break; } break; default: @@ -379,7 +393,8 @@ static identification_t *parse_generalName(chunk_t blob, int level0) } break; case GN_OBJ_OTHER_NAME: - if (!parse_otherName(object, parser->get_level(parser)+1)) + if (!parse_otherName(&object, parser->get_level(parser)+1, + &id_type)) { goto end; } @@ -1091,15 +1106,28 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje identification_t *current; enumerator_t *enumerator; id_match_t match, best; + chunk_t encoding; - if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID) + if (subject->get_type(subject) == ID_KEY_ID) { - if (chunk_equals(this->encoding_hash, subject->get_encoding(subject))) + encoding = subject->get_encoding(subject); + + if (this->encoding_hash.len && + chunk_equals(this->encoding_hash, encoding)) + { + return ID_MATCH_PERFECT; + } + if (this->subjectKeyIdentifier.len && + chunk_equals(this->subjectKeyIdentifier, encoding)) + { + return ID_MATCH_PERFECT; + } + if (this->public_key && + this->public_key->has_fingerprint(this->public_key, encoding)) { return ID_MATCH_PERFECT; } } - best = this->subject->matches(this->subject, subject); enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames); while (enumerator->enumerate(enumerator, ¤t)) diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index bfb0ca621..7b488484e 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -684,7 +684,7 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args) enumerator->destroy(enumerator); continue; } - case BUILD_PASSPHRASE: + case BUILD_CHALLENGE_PWD: cert->challengePassword = chunk_clone(va_arg(args, chunk_t)); continue; case BUILD_DIGEST_ALG: diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index 8391781e2..11a7f023c 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -73,25 +73,25 @@ plugin_t *x509_plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)x509_cert_gen); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE, (builder_function_t)x509_cert_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE, (builder_function_t)x509_ac_gen); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, TRUE, (builder_function_t)x509_ac_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE, (builder_function_t)x509_crl_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE, (builder_function_t)x509_crl_gen); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE, (builder_function_t)x509_ocsp_request_gen); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, TRUE, (builder_function_t)x509_ocsp_response_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE, (builder_function_t)x509_pkcs10_gen); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, TRUE, (builder_function_t)x509_pkcs10_load); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 69bba8d6f..e82e5246f 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c index b9f03eeac..be18d92b8 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc.c +++ b/src/libstrongswan/plugins/xcbc/xcbc.c @@ -27,10 +27,11 @@ typedef struct private_xcbc_t private_xcbc_t; * The variable names are the same as in the RFC. */ struct private_xcbc_t { + /** * Public xcbc_t interface. */ - xcbc_t xcbc; + xcbc_t public; /** * Block size, in bytes @@ -135,9 +136,9 @@ static void final(private_xcbc_t *this, u_int8_t *out) if (this->remaining_bytes == this->b && !this->zero) { /* a) If the blocksize of M[n] is 128 bits: - * XOR M[n] with E[n-1] and Key K2, then encrypt the result with - * Key K1, yielding E[n]. - */ + * XOR M[n] with E[n-1] and Key K2, then encrypt the result with + * Key K1, yielding E[n]. + */ memxor(this->e, this->remaining, this->b); memxor(this->e, this->k2, this->b); this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL); @@ -147,20 +148,20 @@ static void final(private_xcbc_t *this, u_int8_t *out) /* b) If the blocksize of M[n] is less than 128 bits: * * i) Pad M[n] with a single "1" bit, followed by the number of - * "0" bits (possibly none) required to increase M[n]'s - * blocksize to 128 bits. - */ - if (this->remaining_bytes < this->b) - { - this->remaining[this->remaining_bytes] = 0x80; - while (++this->remaining_bytes < this->b) - { - this->remaining[this->remaining_bytes] = 0x00; - } - } - /* ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result - * with Key K1, yielding E[n]. - */ + * "0" bits (possibly none) required to increase M[n]'s + * blocksize to 128 bits. + */ + if (this->remaining_bytes < this->b) + { + this->remaining[this->remaining_bytes] = 0x80; + while (++this->remaining_bytes < this->b) + { + this->remaining[this->remaining_bytes] = 0x00; + } + } + /* ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result + * with Key K1, yielding E[n]. + */ memxor(this->e, this->remaining, this->b); memxor(this->e, this->k3, this->b); this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL); @@ -174,10 +175,8 @@ static void final(private_xcbc_t *this, u_int8_t *out) this->zero = TRUE; } -/** - * Implementation of xcbc_t.get_mac. - */ -static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out) +METHOD(xcbc_t, get_mac, void, + private_xcbc_t *this, chunk_t data, u_int8_t *out) { /* update E, do not process last block */ update(this, data); @@ -188,18 +187,14 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out) } } -/** - * Implementation of xcbc_t.get_block_size. - */ -static size_t get_block_size(private_xcbc_t *this) +METHOD(xcbc_t, get_block_size, size_t, + private_xcbc_t *this) { return this->b; } -/** - * Implementation of xcbc_t.set_key. - */ -static void set_key(private_xcbc_t *this, chunk_t key) +METHOD(xcbc_t, set_key, void, + private_xcbc_t *this, chunk_t key) { chunk_t iv, k1, lengthened; @@ -228,11 +223,11 @@ static void set_key(private_xcbc_t *this, chunk_t key) /* * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret - * key K, as follows: - * K1 = 0x01010101010101010101010101010101 encrypted with Key K - * K2 = 0x02020202020202020202020202020202 encrypted with Key K - * K3 = 0x03030303030303030303030303030303 encrypted with Key K - */ + * key K, as follows: + * K1 = 0x01010101010101010101010101010101 encrypted with Key K + * K2 = 0x02020202020202020202020202020202 encrypted with Key K + * K3 = 0x03030303030303030303030303030303 encrypted with Key K + */ this->k1->set_key(this->k1, lengthened); memset(this->k2, 0x02, this->b); this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL); @@ -243,10 +238,8 @@ static void set_key(private_xcbc_t *this, chunk_t key) this->k1->set_key(this->k1, k1); } -/** - * Implementation of xcbc_t.destroy. - */ -static void destroy(private_xcbc_t *this) +METHOD(xcbc_t, destroy, void, + private_xcbc_t *this) { this->k1->destroy(this->k1); free(this->k2); @@ -263,35 +256,38 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size) { private_xcbc_t *this; crypter_t *crypter; + u_int8_t b; crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size); if (!crypter) { return NULL; } + b = crypter->get_block_size(crypter); /* input and output of crypter must be equal for xcbc */ - if (crypter->get_block_size(crypter) != key_size) + if (b != key_size) { crypter->destroy(crypter); return NULL; } - this = malloc_thing(private_xcbc_t); - this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac; - this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size; - this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key; - this->xcbc.destroy = (void (*)(xcbc_t *))destroy; - - this->b = crypter->get_block_size(crypter); - this->k1 = crypter; - this->k2 = malloc(this->b); - this->k3 = malloc(this->b); - this->e = malloc(this->b); - memset(this->e, 0, this->b); - this->remaining = malloc(this->b); - this->remaining_bytes = 0; - this->zero = TRUE; - - return &this->xcbc; + INIT(this, + .public = { + .get_mac = _get_mac, + .get_block_size = _get_block_size, + .set_key = _set_key, + .destroy = _destroy, + }, + .b = b, + .k1 = crypter, + .k2 = malloc(b), + .k3 = malloc(b), + .e = malloc(b), + .remaining = malloc(b), + .zero = TRUE, + ); + memset(this->e, 0, b); + + return &this->public; } diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c index 9d903bfaa..88156f383 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c @@ -32,15 +32,13 @@ struct private_xcbc_plugin_t { xcbc_plugin_t public; }; -/** - * Implementation of xcbc_plugin_t.xcbctroy - */ -static void destroy(private_xcbc_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_xcbc_plugin_t *this) { lib->crypto->remove_prf(lib->crypto, - (prf_constructor_t)xcbc_prf_create); + (prf_constructor_t)xcbc_prf_create); lib->crypto->remove_signer(lib->crypto, - (signer_constructor_t)xcbc_signer_create); + (signer_constructor_t)xcbc_signer_create); free(this); } @@ -49,14 +47,24 @@ static void destroy(private_xcbc_plugin_t *this) */ plugin_t *xcbc_plugin_create() { - private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t); + private_xcbc_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, - (prf_constructor_t)xcbc_prf_create); + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, + (prf_constructor_t)xcbc_prf_create); lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, - (signer_constructor_t)xcbc_signer_create); + (signer_constructor_t)xcbc_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, + (signer_constructor_t)xcbc_signer_create); return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c index 2459dc616..ac9e1fda0 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c @@ -35,18 +35,14 @@ struct private_xcbc_prf_t { xcbc_t *xcbc; }; -/** - * Implementation of prf_t.get_bytes. - */ -static void get_bytes(private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer) +METHOD(prf_t, get_bytes, void, + private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer) { this->xcbc->get_mac(this->xcbc, seed, buffer); } -/** - * Implementation of prf_t.allocate_bytes. - */ -static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk) +METHOD(prf_t, allocate_bytes, void, + private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk) { if (chunk) { @@ -59,35 +55,27 @@ static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chun } } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_block_size(private_xcbc_prf_t *this) +METHOD(prf_t, get_block_size, size_t, + private_xcbc_prf_t *this) { return this->xcbc->get_block_size(this->xcbc); } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_key_size(private_xcbc_prf_t *this) +METHOD(prf_t, get_key_size, size_t, + private_xcbc_prf_t *this) { /* in xcbc, block and key size are always equal */ return this->xcbc->get_block_size(this->xcbc); } -/** - * Implementation of prf_t.set_key. - */ -static void set_key(private_xcbc_prf_t *this, chunk_t key) +METHOD(prf_t, set_key, void, + private_xcbc_prf_t *this, chunk_t key) { this->xcbc->set_key(this->xcbc, key); } -/** - * Implementation of prf_t.destroy. - */ -static void destroy(private_xcbc_prf_t *this) +METHOD(prf_t, destroy, void, + private_xcbc_prf_t *this) { this->xcbc->destroy(this->xcbc); free(this); @@ -106,6 +94,9 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo) case PRF_AES128_XCBC: xcbc = xcbc_create(ENCR_AES_CBC, 16); break; + case PRF_CAMELLIA128_XCBC: + xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16); + break; default: return NULL; } @@ -114,15 +105,19 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo) return NULL; } - this = malloc_thing(private_xcbc_prf_t); - this->xcbc = xcbc; - - this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes; - this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes; - this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size; - this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size; - this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key; - this->public.prf_interface.destroy = (void (*) (prf_t *))destroy; + INIT(this, + .public = { + .prf = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_block_size = _get_block_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .xcbc = xcbc, + ); return &this->public; } diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h index d2db9af41..294a853b4 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h +++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h @@ -34,9 +34,9 @@ typedef struct xcbc_prf_t xcbc_prf_t; struct xcbc_prf_t { /** - * Generic prf_t interface for this xcbc_prf_t class. + * Implements prf_t interface. */ - prf_t prf_interface; + prf_t prf; }; /** diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c index 1c98d39d7..ece592323 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c @@ -41,11 +41,8 @@ struct private_xcbc_signer_t { size_t block_size; }; -/** - * Implementation of signer_t.get_signature. - */ -static void get_signature(private_xcbc_signer_t *this, - chunk_t data, u_int8_t *buffer) +METHOD(signer_t, get_signature, void, + private_xcbc_signer_t *this, chunk_t data, u_int8_t *buffer) { if (buffer == NULL) { /* append mode */ @@ -60,11 +57,8 @@ static void get_signature(private_xcbc_signer_t *this, } } -/** - * Implementation of signer_t.allocate_signature. - */ -static void allocate_signature (private_xcbc_signer_t *this, - chunk_t data, chunk_t *chunk) +METHOD(signer_t, allocate_signature, void, + private_xcbc_signer_t *this, chunk_t data, chunk_t *chunk) { if (chunk == NULL) { /* append mode */ @@ -83,11 +77,8 @@ static void allocate_signature (private_xcbc_signer_t *this, } } -/** - * Implementation of signer_t.verify_signature. - */ -static bool verify_signature(private_xcbc_signer_t *this, - chunk_t data, chunk_t signature) +METHOD(signer_t, verify_signature, bool, + private_xcbc_signer_t *this, chunk_t data, chunk_t signature) { u_int8_t mac[this->xcbc->get_block_size(this->xcbc)]; @@ -100,38 +91,29 @@ static bool verify_signature(private_xcbc_signer_t *this, return memeq(signature.ptr, mac, this->block_size); } -/** - * Implementation of signer_t.get_key_size. - */ -static size_t get_key_size(private_xcbc_signer_t *this) +METHOD(signer_t, get_key_size, size_t, + private_xcbc_signer_t *this) { return this->xcbc->get_block_size(this->xcbc); } -/** - * Implementation of signer_t.get_block_size. - */ -static size_t get_block_size(private_xcbc_signer_t *this) +METHOD(signer_t, get_block_size, size_t, + private_xcbc_signer_t *this) { return this->block_size; } -/** - * Implementation of signer_t.set_key. - */ -static void set_key(private_xcbc_signer_t *this, chunk_t key) +METHOD(signer_t, set_key, void, + private_xcbc_signer_t *this, chunk_t key) { this->xcbc->set_key(this->xcbc, key); } -/** - * Implementation of signer_t.destroy. - */ -static status_t destroy(private_xcbc_signer_t *this) +METHOD(signer_t, destroy, void, + private_xcbc_signer_t *this) { this->xcbc->destroy(this->xcbc); free(this); - return SUCCESS; } /* @@ -149,6 +131,10 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo) xcbc = xcbc_create(ENCR_AES_CBC, 16); trunc = 12; break; + case AUTH_CAMELLIA_XCBC_96: + xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16); + trunc = 12; + break; default: return NULL; } @@ -157,18 +143,21 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo) return NULL; } - this = malloc_thing(private_xcbc_signer_t); - this->xcbc = xcbc; - this->block_size = min(trunc, xcbc->get_block_size(xcbc)); - - /* interface functions */ - this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature; - this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature; - this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature; - this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size; - this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size; - this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key; - this->public.signer_interface.destroy = (void (*) (signer_t*))destroy; + INIT(this, + .public = { + .signer = { + .get_signature = _get_signature, + .allocate_signature = _allocate_signature, + .verify_signature = _verify_signature, + .get_key_size = _get_key_size, + .get_block_size = _get_block_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .xcbc = xcbc, + .block_size = min(trunc, xcbc->get_block_size(xcbc)), + ); return &this->public; } diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h index 181cfe299..56b55f223 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h +++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h @@ -31,9 +31,9 @@ typedef struct xcbc_signer_t xcbc_signer_t; struct xcbc_signer_t { /** - * generic signer_t interface for this signer + * Implements signer_t interface. */ - signer_t signer_interface; + signer_t signer; }; /** diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c index 037f0b918..4d4cef829 100644 --- a/src/libstrongswan/printf_hook.c +++ b/src/libstrongswan/printf_hook.c @@ -133,6 +133,14 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype #include <unistd.h> /* for STDOUT_FILENO */ /** + * These are used below, whenever the public wrapper functions are called before + * initialization or after destruction. + */ +#undef vprintf +#undef vfprintf +#undef vsnprintf + +/** * Vstr custom format specifier callback function. */ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec) @@ -177,13 +185,16 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler switch(handler->numargs) { case 1: - vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], VSTR_TYPE_FMT_END); + vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], + VSTR_TYPE_FMT_END); break; case 2: - vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], VSTR_TYPE_FMT_END); + vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], + at[1], VSTR_TYPE_FMT_END); break; case 3: - vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], at[2], VSTR_TYPE_FMT_END); + vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], + at[1], at[2], VSTR_TYPE_FMT_END); break; } } @@ -193,7 +204,7 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler */ #include <threading/thread_value.h> -static thread_value_t *vstr_conf; +static thread_value_t *vstr_conf = NULL; static Vstr_conf *create_vstr_conf() { @@ -216,12 +227,15 @@ static Vstr_conf *create_vstr_conf() static inline Vstr_conf *get_vstr_conf() { - Vstr_conf *conf; - conf = (Vstr_conf*)vstr_conf->get(vstr_conf); - if (!conf) + Vstr_conf *conf = NULL; + if (vstr_conf) { - conf = create_vstr_conf(); - vstr_conf->set(vstr_conf, conf); + conf = (Vstr_conf*)vstr_conf->get(vstr_conf); + if (!conf) + { + conf = create_vstr_conf(); + vstr_conf->set(vstr_conf, conf); + } } return conf; } @@ -265,11 +279,20 @@ int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...) va_end(args); return written; } -static inline int vstr_wrapper_vprintf_internal(int fd, const char *format, +int vstr_wrapper_asprintf(char **str, const char *format, ...) +{ + int written; + va_list args; + va_start(args, format); + written = vstr_wrapper_vasprintf(str, format, args); + va_end(args); + return written; +} +static inline int vstr_wrapper_vprintf_internal(Vstr_conf *conf, int fd, + const char *format, va_list args) { int written; - Vstr_conf *conf = get_vstr_conf(); Vstr_base *s = vstr_make_base(conf); vstr_add_vfmt(s, 0, format, args); written = s->len; @@ -289,24 +312,39 @@ static inline int vstr_wrapper_vprintf_internal(int fd, const char *format, } int vstr_wrapper_vprintf(const char *format, va_list args) { - return vstr_wrapper_vprintf_internal(STDOUT_FILENO, format, args); + Vstr_conf *conf = get_vstr_conf(); + if (conf) + { + return vstr_wrapper_vprintf_internal(conf, STDOUT_FILENO, format, args); + } + return vprintf(format, args); } int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args) { - return vstr_wrapper_vprintf_internal(fileno(stream), format, args); + Vstr_conf *conf = get_vstr_conf(); + if (conf) + { + return vstr_wrapper_vprintf_internal(conf, fileno(stream), format, + args); + } + return vfprintf(stream, format, args); } static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size, const char *format, va_list args) { - int written; Vstr_conf *conf = get_vstr_conf(); - Vstr_base *s = vstr_make_base(conf); - vstr_add_vfmt(s, 0, format, args); - written = s->len; - vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1); - vstr_free_base(s); - return written; + if (conf) + { + int written; + Vstr_base *s = vstr_make_base(conf); + vstr_add_vfmt(s, 0, format, args); + written = s->len; + vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1); + vstr_free_base(s); + return written; + } + return vsnprintf(str, size, format, args); } int vstr_wrapper_vsprintf(char *str, const char *format, va_list args) { @@ -317,7 +355,26 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, { return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0; } - +int vstr_wrapper_vasprintf(char **str, const char *format, va_list args) +{ + size_t len = 100; + int written; + *str = malloc(len); + while (TRUE) + { + va_list ac; + va_copy(ac, args); + written = vstr_wrapper_vsnprintf_internal(*str, len, format, ac); + va_end(ac); + if (written < len) + { + break; + } + len = written + 1; + *str = realloc(*str, len); + } + return written; +} #endif /** @@ -408,6 +465,7 @@ static void destroy(private_printf_hook_t *this) #ifdef USE_VSTR /* freeing the Vstr_conf of the main thread */ vstr_conf->destroy(vstr_conf); + vstr_conf = NULL; vstr_free_conf(conf); vstr_exit(); #endif diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h index ce7e10b24..11fd66ce9 100644 --- a/src/libstrongswan/printf_hook.h +++ b/src/libstrongswan/printf_hook.h @@ -58,21 +58,25 @@ int vstr_wrapper_printf(const char *format, ...); int vstr_wrapper_fprintf(FILE *stream, const char *format, ...); int vstr_wrapper_sprintf(char *str, const char *format, ...); int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...); +int vstr_wrapper_asprintf(char **str, const char *format, ...); int vstr_wrapper_vprintf(const char *format, va_list ap); int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap); int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap); int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap); +int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap); #define printf vstr_wrapper_printf #define fprintf vstr_wrapper_fprintf #define sprintf vstr_wrapper_sprintf #define snprintf vstr_wrapper_snprintf +#define asprintf vstr_wrapper_asprintf #define vprintf vstr_wrapper_vprintf #define vfprintf vstr_wrapper_vfprintf #define vsprintf vstr_wrapper_vsprintf #define vsnprintf vstr_wrapper_vsnprintf +#define vasprintf vstr_wrapper_vasprintf #endif @@ -83,7 +87,7 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list a * @param len length of the buffer * @param spec format specifier * @param args arguments array - * @return number of characters written + * @return number of characters written */ typedef int (*printf_hook_function_t)(char *dst, size_t len, printf_hook_spec_t *spec, diff --git a/src/libcharon/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c index 45e49112e..556cbd907 100644 --- a/src/libcharon/processing/jobs/callback_job.c +++ b/src/libstrongswan/processing/jobs/callback_job.c @@ -18,10 +18,10 @@ #include <semaphore.h> -#include <daemon.h> #include <threading/thread.h> #include <threading/condvar.h> #include <threading/mutex.h> +#include <utils/linked_list.h> typedef struct private_callback_job_t private_callback_job_t; @@ -226,8 +226,8 @@ static void execute(private_callback_job_t *this) thread_cancellation_point(); if (requeue) { - charon->processor->queue_job(charon->processor, - &this->public.job_interface); + lib->processor->queue_job(lib->processor, + &this->public.job_interface); } thread_cleanup_pop(cleanup); } diff --git a/src/libcharon/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h index 62da1edd1..62da1edd1 100644 --- a/src/libcharon/processing/jobs/callback_job.h +++ b/src/libstrongswan/processing/jobs/callback_job.h diff --git a/src/libcharon/processing/jobs/job.h b/src/libstrongswan/processing/jobs/job.h index 0f1c16ebe..0f1c16ebe 100644 --- a/src/libcharon/processing/jobs/job.h +++ b/src/libstrongswan/processing/jobs/job.h diff --git a/src/libcharon/processing/processor.c b/src/libstrongswan/processing/processor.c index d5774af26..2a44f61e8 100644 --- a/src/libcharon/processing/processor.c +++ b/src/libstrongswan/processing/processor.c @@ -20,7 +20,7 @@ #include "processor.h" -#include <daemon.h> +#include <debug.h> #include <threading/thread.h> #include <threading/condvar.h> #include <threading/mutex.h> diff --git a/src/libcharon/processing/processor.h b/src/libstrongswan/processing/processor.h index 5bf8cf573..bebbe3a15 100644 --- a/src/libcharon/processing/processor.h +++ b/src/libstrongswan/processing/processor.h @@ -51,7 +51,7 @@ struct processor_t { /** * Get the number of queued jobs. * - * @returns number of items in queue + * @return number of items in queue */ u_int (*get_job_load) (processor_t *this); @@ -60,7 +60,7 @@ struct processor_t { * * This function is non blocking and adds a job_t to the queue. * - * @param job job to add to the queue + * @param job job to add to the queue */ void (*queue_job) (processor_t *this, job_t *job); diff --git a/src/libcharon/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c index 345af502a..e23f04598 100644 --- a/src/libcharon/processing/scheduler.c +++ b/src/libstrongswan/processing/scheduler.c @@ -19,7 +19,7 @@ #include "scheduler.h" -#include <daemon.h> +#include <debug.h> #include <processing/processor.h> #include <processing/jobs/callback_job.h> #include <threading/thread.h> @@ -199,7 +199,7 @@ static job_requeue_t schedule(private_scheduler_t * this) remove_event(this); this->mutex->unlock(this->mutex); DBG2(DBG_JOB, "got event, queuing job for execution"); - charon->processor->queue_job(charon->processor, event->job); + lib->processor->queue_job(lib->processor, event->job); free(event); return JOB_REQUEUE_DIRECT; } @@ -351,7 +351,7 @@ scheduler_t * scheduler_create() this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h index 5f5d2a563..f2c72550f 100644 --- a/src/libcharon/processing/scheduler.h +++ b/src/libstrongswan/processing/scheduler.h @@ -83,16 +83,16 @@ struct scheduler_t { /** * Adds a event to the queue, using a relative time offset in s. * - * @param job job to schedule - * @param time relative time to schedule job, in s + * @param job job to schedule + * @param time relative time to schedule job, in s */ void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s); /** * Adds a event to the queue, using a relative time offset in ms. * - * @param job job to schedule - * @param time relative time to schedule job, in ms + * @param job job to schedule + * @param time relative time to schedule job, in ms */ void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms); @@ -102,15 +102,15 @@ struct scheduler_t { * The passed timeval should be calculated based on the time_monotonic() * function. * - * @param job job to schedule - * @param time absolut time to schedule job + * @param job job to schedule + * @param time absolut time to schedule job */ void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv); /** * Returns number of jobs scheduled. * - * @return number of scheduled jobs + * @return number of scheduled jobs */ u_int (*get_job_load) (scheduler_t *this); @@ -123,7 +123,7 @@ struct scheduler_t { /** * Create a scheduler. * - * @return scheduler_t object + * @return scheduler_t object */ scheduler_t *scheduler_create(void); diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c index 610e2b8ea..d85abb1df 100644 --- a/src/libstrongswan/settings.c +++ b/src/libstrongswan/settings.c @@ -88,11 +88,60 @@ struct kv_t { }; /** - * find a section by a given key + * Print a format key, but consume already processed arguments */ -static section_t *find_section(section_t *section, char *key, va_list args) +static bool print_key(char *buf, int len, char *start, char *key, va_list args) { - char name[512], *pos; + va_list copy; + bool res; + char *pos; + + va_copy(copy, args); + while (start < key) + { + pos = strchr(start, '%'); + if (!pos) + { + start += strlen(start) + 1; + continue; + } + pos++; + switch (*pos) + { + case 'd': + va_arg(copy, int); + break; + case 's': + va_arg(copy, char*); + break; + case 'N': + va_arg(copy, enum_name_t*); + va_arg(copy, int); + break; + case '%': + break; + default: + DBG1(DBG_CFG, "settings with %%%c not supported!", *pos); + break; + } + start = pos; + if (*start) + { + start++; + } + } + res = vsnprintf(buf, len, key, copy) < len; + va_end(copy); + return res; +} + +/** + * find a section by a given key, using buffered key, reusable buffer + */ +static section_t *find_section_buffered(section_t *section, + char *start, char *key, va_list args, char *buf, int len) +{ + char *pos; enumerator_t *enumerator; section_t *current, *found = NULL; @@ -100,21 +149,20 @@ static section_t *find_section(section_t *section, char *key, va_list args) { return NULL; } - if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name)) - { - return NULL; - } - - pos = strchr(name, '.'); + pos = strchr(key, '.'); if (pos) { *pos = '\0'; pos++; } + if (!print_key(buf, len, start, key, args)) + { + return NULL; + } enumerator = section->sections->create_enumerator(section->sections); while (enumerator->enumerate(enumerator, ¤t)) { - if (streq(current->name, name)) + if (streq(current->name, buf)) { found = current; break; @@ -123,37 +171,55 @@ static section_t *find_section(section_t *section, char *key, va_list args) enumerator->destroy(enumerator); if (found && pos) { - return find_section(found, pos, args); + return find_section_buffered(found, start, pos, args, buf, len); } return found; } -static char *find_value(section_t *section, char *key, va_list args) +/** + * find a section by a given key + */ +static section_t *find_section(section_t *section, char *key, va_list args) { - char name[512], *pos, *value = NULL; - enumerator_t *enumerator; - kv_t *kv; - section_t *current, *found = NULL; + char buf[128], keybuf[512]; - if (section == NULL) + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } + return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); +} + +/** + * Find the string value for a key, using buffered key, reusable buffer + */ +static char *find_value_buffered(section_t *section, + char *start, char *key, va_list args, char *buf, int len) +{ + char *pos, *value = NULL; + enumerator_t *enumerator; + kv_t *kv; + section_t *current, *found = NULL; - if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name)) + if (section == NULL) { return NULL; } - pos = strchr(name, '.'); + pos = strchr(key, '.'); if (pos) { *pos = '\0'; pos++; + + if (!print_key(buf, len, start, key, args)) + { + return NULL; + } enumerator = section->sections->create_enumerator(section->sections); while (enumerator->enumerate(enumerator, ¤t)) { - if (streq(current->name, name)) + if (streq(current->name, buf)) { found = current; break; @@ -162,15 +228,19 @@ static char *find_value(section_t *section, char *key, va_list args) enumerator->destroy(enumerator); if (found) { - return find_value(found, pos, args); + return find_value_buffered(found, start, pos, args, buf, len); } } else { + if (!print_key(buf, len, start, key, args)) + { + return NULL; + } enumerator = section->kv->create_enumerator(section->kv); while (enumerator->enumerate(enumerator, &kv)) { - if (streq(kv->key, name)) + if (streq(kv->key, buf)) { value = kv->value; break; @@ -182,6 +252,20 @@ static char *find_value(section_t *section, char *key, va_list args) } /** + * Find the string value for a key + */ +static char *find_value(section_t *section, char *key, va_list args) +{ + char buf[128], keybuf[512]; + + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) + { + return NULL; + } + return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); +} + +/** * Implementation of settings_t.get. */ static char* get_str(private_settings_t *this, char *key, char *def, ...) diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h index f274fb33c..486de8def 100644 --- a/src/libstrongswan/settings.h +++ b/src/libstrongswan/settings.h @@ -49,8 +49,11 @@ typedef struct settings_t settings_t; } @endcode * - * The values are accesses using the get() functions using dotted keys, e.g. + * The values are accessed using the get() functions using dotted keys, e.g. * section-one.subsection.othervalue + * + * Currently only a limited set of printf format specifiers are supported + * (namely %s, %d and %N, see implementation for details). */ struct settings_t { diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 63958593d..b868d538d 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -28,7 +28,7 @@ #include "enum.h" #include "debug.h" -ENUM(status_names, SUCCESS, DESTROY_ME, +ENUM(status_names, SUCCESS, NEED_MORE, "SUCCESS", "FAILED", "OUT_OF_RES", diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index 04551835e..35d3bebd1 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -138,6 +138,28 @@ static ret name(this, ##__VA_ARGS__) /** + * Architecture independent bitfield definition helpers (at least with GCC). + * + * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.: + * BITFIELD2(u_int8_t, + * low: 4, + * high: 4, + * ) flags; + * The member defined first placed at bit 0. + */ +#if BYTE_ORDER == LITTLE_ENDIAN +#define BITFIELD2(t, a, b,...) struct { t a; t b; __VA_ARGS__} +#define BITFIELD3(t, a, b, c,...) struct { t a; t b; t c; __VA_ARGS__} +#define BITFIELD4(t, a, b, c, d,...) struct { t a; t b; t c; t d; __VA_ARGS__} +#define BITFIELD5(t, a, b, c, d, e,...) struct { t a; t b; t c; t d; t e; __VA_ARGS__} +#elif BYTE_ORDER == BIG_ENDIAN +#define BITFIELD2(t, a, b,...) struct { t b; t a; __VA_ARGS__} +#define BITFIELD3(t, a, b, c,...) struct { t c; t b; t a; __VA_ARGS__} +#define BITFIELD4(t, a, b, c, d,...) struct { t d; t c; t b; t a; __VA_ARGS__} +#define BITFIELD5(t, a, b, c, d, e,...) struct { t e; t d; t c; t b; t a; __VA_ARGS__} +#endif + +/** * Macro to allocate a sized type. */ #define malloc_thing(thing) ((thing*)malloc(sizeof(thing))) diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 3caeb8f0e..0696c1030 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -930,7 +930,11 @@ identification_t *identification_create_from_string(char *string) else { /* not IPv4, mostly FQDN */ this = identification_create(ID_FQDN); - this->encoded = chunk_create(strdup(string), strlen(string)); + this->encoded.len = strlen(string); + if (this->encoded.len) + { + this->encoded.ptr = strdup(string); + } } return &this->public; } @@ -947,7 +951,11 @@ identification_t *identification_create_from_string(char *string) else { /* not IPv4/6 fallback to KEY_ID */ this = identification_create(ID_KEY_ID); - this->encoded = chunk_create(strdup(string), strlen(string)); + this->encoded.len = strlen(string); + if (this->encoded.len) + { + this->encoded.ptr = strdup(string); + } } return &this->public; } @@ -969,14 +977,22 @@ identification_t *identification_create_from_string(char *string) { this = identification_create(ID_FQDN); string += 1; - this->encoded = chunk_create(strdup(string), strlen(string)); + this->encoded.len = strlen(string); + if (this->encoded.len) + { + this->encoded.ptr = strdup(string); + } return &this->public; } } else { this = identification_create(ID_RFC822_ADDR); - this->encoded = chunk_create(strdup(string), strlen(string)); + this->encoded.len = strlen(string); + if (this->encoded.len) + { + this->encoded.ptr = strdup(string); + } return &this->public; } } diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 0673878a5..5673fc32d 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -181,8 +181,11 @@ char *whitelist[] = { "register_printf_specifier", "syslog", "vsyslog", + "__syslog_chk", + "__vsyslog_chk", "getaddrinfo", "setlocale", + "getpass", /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", @@ -213,6 +216,8 @@ char *whitelist[] = { "gcry_check_version", "gcry_randomize", "gcry_create_nonce", + /* NSPR */ + "PR_CallOnce", }; /** diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h index ba5f28f6a..1444c93fc 100644 --- a/src/libstrongswan/utils/linked_list.h +++ b/src/libstrongswan/utils/linked_list.h @@ -34,8 +34,8 @@ typedef struct linked_list_t linked_list_t; * @param item current list item * @param ... user supplied data (only pointers, at most 5) * @return - * - TRUE, if the item matched - * - FALSE, otherwise + * - TRUE, if the item matched + * - FALSE, otherwise */ typedef bool (*linked_list_match_t)(void *item, ...); @@ -57,7 +57,7 @@ struct linked_list_t { /** * Gets the count of items in the list. * - * @return number of items in list + * @return number of items in list */ int (*get_count) (linked_list_t *this); @@ -69,7 +69,7 @@ struct linked_list_t { * @deprecated Iterator is obsolete and will disappear, it is too * complicated to implement. Use enumerator instead. * - * @param forward iterator direction (TRUE: front to end) + * @param forward iterator direction (TRUE: front to end) * @return new iterator_t object */ iterator_t *(*create_iterator) (linked_list_t *this, bool forward); @@ -94,7 +94,7 @@ struct linked_list_t { /** * Removes the first item in the list and returns its value. * - * @param item returned value of first item, or NULL + * @param item returned value of first item, or NULL * @return SUCCESS, or NOT_FOUND if list is empty */ status_t (*remove_first) (linked_list_t *this, void **item); @@ -107,18 +107,20 @@ struct linked_list_t { void (*remove_at)(linked_list_t *this, enumerator_t *enumerator); /** - * Remove items from the list matching item. + * Remove items from the list matching the given item. * - * If a compare function is given, it is called for each item, where - * the first parameter is the current list item and the second parameter - * is the supplied item parameter. - * If compare is NULL, compare is done by pointer. + * If a compare function is given, it is called for each item, with the + * first parameter being the current list item and the second parameter + * being the supplied item. Return TRUE from the compare function to remove + * the item, return FALSE to keep it in the list. + * + * If compare is NULL, comparison is done by pointers. * * @param item item to remove/pass to comparator * @param compare compare function, or NULL * @return number of removed items */ - int (*remove)(linked_list_t *this, void *item, bool (*compare)(void *,void*)); + int (*remove)(linked_list_t *this, void *item, bool (*compare)(void*,void*)); /** * Returns the value of the first list item without removing it. @@ -132,7 +134,7 @@ struct linked_list_t { /** * Inserts a new item at the end of the list. * - * @param item value to insert into list + * @param item value to insert into list */ void (*insert_last) (linked_list_t *this, void *item); @@ -148,7 +150,7 @@ struct linked_list_t { /** * Returns the value of the last list item without removing it. * - * @param this calling object + * @param this calling object * @param item returned value of last item * @return SUCCESS, NOT_FOUND if list is empty */ @@ -203,6 +205,8 @@ struct linked_list_t { * which can be evalutated at compile time using the offsetof * macro, e.g.: list->invoke(list, offsetof(object_t, method)); * + * @warning Only use pointers as user supplied data. + * * @param offset offset of the method to invoke on objects * @param ... user data to supply to called function (limited to 5 arguments) */ @@ -211,6 +215,8 @@ struct linked_list_t { /** * Invoke a function on all of the contained objects. * + * @warning Only use pointers as user supplied data. + * * @param function offset of the method to invoke on objects * @param ... user data to supply to called function (limited to 5 arguments) */ @@ -265,7 +271,7 @@ struct linked_list_t { /** * Creates an empty linked list object. * - * @return linked_list_t object. + * @return linked_list_t object. */ linked_list_t *linked_list_create(void); diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am new file mode 100644 index 000000000..a58e783d7 --- /dev/null +++ b/src/libtls/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +noinst_LTLIBRARIES = libtls.la +libtls_la_SOURCES = \ + tls_protection.h tls_protection.c \ + tls_compression.h tls_compression.c \ + tls_fragmentation.h tls_fragmentation.c \ + tls_alert.h tls_alert.c \ + tls_crypto.h tls_crypto.c \ + tls_prf.h tls_prf.c \ + tls_reader.h tls_reader.c \ + tls_writer.h tls_writer.c \ + tls_socket.h tls_socket.c \ + tls_eap.h tls_eap.c \ + tls_peer.h tls_peer.c \ + tls_server.h tls_server.c \ + tls_handshake.h tls_application.h tls.h tls.c diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in new file mode 100644 index 000000000..9f0a817f5 --- /dev/null +++ b/src/libtls/Makefile.in @@ -0,0 +1,559 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libtls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +LTLIBRARIES = $(noinst_LTLIBRARIES) +libtls_la_LIBADD = +am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \ + tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \ + tls_reader.lo tls_writer.lo tls_socket.lo tls_eap.lo \ + tls_peer.lo tls_server.lo tls.lo +libtls_la_OBJECTS = $(am_libtls_la_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libtls_la_SOURCES) +DIST_SOURCES = $(libtls_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +noinst_LTLIBRARIES = libtls.la +libtls_la_SOURCES = \ + tls_protection.h tls_protection.c \ + tls_compression.h tls_compression.c \ + tls_fragmentation.h tls_fragmentation.c \ + tls_alert.h tls_alert.c \ + tls_crypto.h tls_crypto.c \ + tls_prf.h tls_prf.c \ + tls_reader.h tls_reader.c \ + tls_writer.h tls_writer.c \ + tls_socket.h tls_socket.c \ + tls_eap.h tls_eap.c \ + tls_peer.h tls_peer.c \ + tls_server.h tls_server.c \ + tls_handshake.h tls_application.h tls.h tls.c + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libtls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) + $(LINK) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_alert.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_compression.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypto.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_eap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_fragmentation.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_peer.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_protection.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_reader.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_socket.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_writer.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libtls/tls.c b/src/libtls/tls.c new file mode 100644 index 000000000..20141f235 --- /dev/null +++ b/src/libtls/tls.c @@ -0,0 +1,481 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls.h" + +#include <debug.h> + +#include "tls_protection.h" +#include "tls_compression.h" +#include "tls_fragmentation.h" +#include "tls_crypto.h" +#include "tls_server.h" +#include "tls_peer.h" + +ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0, + "SSLv2"); +ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0, + "SSLv3", + "TLS 1.0", + "TLS 1.1", + "TLS 1.2"); +ENUM_END(tls_version_names, TLS_1_2); + +ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA, + "ChangeCipherSpec", + "Alert", + "Handshake", + "ApplicationData", +); + +ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO, + "HelloRequest", + "ClientHello", + "ServerHello"); +ENUM_NEXT(tls_handshake_type_names, + TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO, + "Certificate", + "ServerKeyExchange", + "CertificateRequest", + "ServerHelloDone", + "CertificateVerify", + "ClientKeyExchange"); +ENUM_NEXT(tls_handshake_type_names, + TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE, + "Finished"); +ENUM_END(tls_handshake_type_names, TLS_FINISHED); + +ENUM_BEGIN(tls_extension_names, TLS_EXT_SERVER_NAME, TLS_EXT_STATUS_REQUEST, + "server name", + "max fragment length", + "client certificate url", + "trusted ca keys", + "truncated hmac", + "status request"); +ENUM_NEXT(tls_extension_names, + TLS_EXT_ELLIPTIC_CURVES, TLS_EXT_EC_POINT_FORMATS, + TLS_EXT_STATUS_REQUEST, + "elliptic curves", + "ec point formats"); +ENUM_NEXT(tls_extension_names, + TLS_EXT_SIGNATURE_ALGORITHMS, TLS_EXT_SIGNATURE_ALGORITHMS, + TLS_EXT_EC_POINT_FORMATS, + "signature algorithms"); +ENUM_END(tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS); + +/** + * TLS record + */ +typedef struct __attribute__((packed)) { + u_int8_t type; + u_int16_t version; + u_int16_t length; + char data[]; +} tls_record_t; + +typedef struct private_tls_t private_tls_t; + +/** + * Private data of an tls_protection_t object. + */ +struct private_tls_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * Role this TLS stack acts as. + */ + bool is_server; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * Negotiated TLS version + */ + tls_version_t version; + + /** + * TLS stack purpose, as given to constructor + */ + tls_purpose_t purpose; + + /** + * TLS record protection layer + */ + tls_protection_t *protection; + + /** + * TLS record compression layer + */ + tls_compression_t *compression; + + /** + * TLS record fragmentation layer + */ + tls_fragmentation_t *fragmentation; + + /** + * TLS alert handler + */ + tls_alert_t *alert; + + /** + * TLS crypto helper context + */ + tls_crypto_t *crypto; + + /** + * TLS handshake protocol handler + */ + tls_handshake_t *handshake; + + /** + * TLS application data handler + */ + tls_application_t *application; + + /** + * Allocated input buffer + */ + chunk_t input; + + /** + * Number of bytes read in input buffer + */ + size_t inpos; + + /** + * Allocated output buffer + */ + chunk_t output; + + /** + * Number of bytes processed from output buffer + */ + size_t outpos; + + /** + * Partial TLS record header received + */ + tls_record_t head; + + /** + * Position in partially received record header + */ + size_t headpos; +}; + +METHOD(tls_t, process, status_t, + private_tls_t *this, void *buf, size_t buflen) +{ + tls_record_t *record; + status_t status; + u_int len; + + if (this->headpos) + { /* have a partial TLS record header, try to complete it */ + len = min(buflen, sizeof(this->head) - this->headpos); + memcpy(((char*)&this->head) + this->headpos, buf, len); + this->headpos += len; + buflen -= len; + buf += len; + if (this->headpos == sizeof(this->head)) + { /* header complete, allocate space with new header */ + len = untoh16(&this->head.length); + this->input = chunk_alloc(len + sizeof(tls_record_t)); + memcpy(this->input.ptr, &this->head, sizeof(this->head)); + this->inpos = sizeof(this->head); + this->headpos = 0; + } + } + + while (buflen) + { + if (this->input.len == 0) + { + if (buflen < sizeof(tls_record_t)) + { + DBG2(DBG_TLS, "received incomplete TLS record header"); + memcpy(&this->head, buf, buflen); + this->headpos = buflen; + break; + } + while (TRUE) + { + /* try to process records inline */ + record = buf; + len = untoh16(&record->length); + + if (len + sizeof(tls_record_t) > buflen) + { /* not a full record, read to buffer */ + this->input = chunk_alloc(len + sizeof(tls_record_t)); + this->inpos = 0; + break; + } + DBG2(DBG_TLS, "processing TLS %N record (%d bytes)", + tls_content_type_names, record->type, len); + status = this->protection->process(this->protection, + record->type, chunk_create(record->data, len)); + if (status != NEED_MORE) + { + return status; + } + buf += len + sizeof(tls_record_t); + buflen -= len + sizeof(tls_record_t); + if (buflen == 0) + { + return NEED_MORE; + } + } + } + len = min(buflen, this->input.len - this->inpos); + memcpy(this->input.ptr + this->inpos, buf, len); + buf += len; + buflen -= len; + this->inpos += len; + DBG2(DBG_TLS, "buffering %d bytes, %d bytes of %d byte TLS record received", + len, this->inpos, this->input.len); + if (this->input.len == this->inpos) + { + record = (tls_record_t*)this->input.ptr; + len = untoh16(&record->length); + + DBG2(DBG_TLS, "processing buffered TLS %N record (%d bytes)", + tls_content_type_names, record->type, len); + status = this->protection->process(this->protection, + record->type, chunk_create(record->data, len)); + chunk_free(&this->input); + this->inpos = 0; + if (status != NEED_MORE) + { + return status; + } + } + } + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tls_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + tls_content_type_t type; + tls_record_t record; + status_t status; + chunk_t data; + size_t len; + + len = *buflen; + if (this->output.len == 0) + { + /* query upper layers for new records, as many as we can get */ + while (TRUE) + { + status = this->protection->build(this->protection, &type, &data); + switch (status) + { + case NEED_MORE: + record.type = type; + htoun16(&record.version, this->version); + htoun16(&record.length, data.len); + this->output = chunk_cat("mcm", this->output, + chunk_from_thing(record), data); + DBG2(DBG_TLS, "sending TLS %N record (%d bytes)", + tls_content_type_names, type, data.len); + continue; + case INVALID_STATE: + if (this->output.len == 0) + { + return INVALID_STATE; + } + break; + default: + return status; + } + break; + } + if (msglen) + { + *msglen = this->output.len; + } + } + else + { + if (msglen) + { + *msglen = 0; + } + } + len = min(len, this->output.len - this->outpos); + memcpy(buf, this->output.ptr + this->outpos, len); + this->outpos += len; + *buflen = len; + if (this->outpos == this->output.len) + { + chunk_free(&this->output); + this->outpos = 0; + return ALREADY_DONE; + } + return NEED_MORE; +} + +METHOD(tls_t, is_server, bool, + private_tls_t *this) +{ + return this->is_server; +} + +METHOD(tls_t, get_version, tls_version_t, + private_tls_t *this) +{ + return this->version; +} + +METHOD(tls_t, set_version, bool, + private_tls_t *this, tls_version_t version) +{ + if (version > this->version) + { + return FALSE; + } + switch (version) + { + case TLS_1_0: + case TLS_1_1: + case TLS_1_2: + this->version = version; + this->protection->set_version(this->protection, version); + return TRUE; + case SSL_2_0: + case SSL_3_0: + default: + return FALSE; + } +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tls_t *this) +{ + return this->purpose; +} + +METHOD(tls_t, is_complete, bool, + private_tls_t *this) +{ + if (this->handshake->finished(this->handshake)) + { + if (!this->application) + { + return TRUE; + } + return this->fragmentation->application_finished(this->fragmentation); + } + return FALSE; +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tls_t *this) +{ + return this->crypto->get_eap_msk(this->crypto); +} + +METHOD(tls_t, destroy, void, + private_tls_t *this) +{ + this->protection->destroy(this->protection); + this->compression->destroy(this->compression); + this->fragmentation->destroy(this->fragmentation); + this->crypto->destroy(this->crypto); + this->handshake->destroy(this->handshake); + DESTROY_IF(this->peer); + this->server->destroy(this->server); + DESTROY_IF(this->application); + this->alert->destroy(this->alert); + + free(this->input.ptr); + free(this->output.ptr); + + free(this); +} + +/** + * See header + */ +tls_t *tls_create(bool is_server, identification_t *server, + identification_t *peer, tls_purpose_t purpose, + tls_application_t *application) +{ + private_tls_t *this; + + switch (purpose) + { + case TLS_PURPOSE_EAP_TLS: + case TLS_PURPOSE_EAP_TTLS: + case TLS_PURPOSE_GENERIC: + break; + default: + return NULL; + } + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_version = _get_version, + .set_version = _set_version, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .is_server = is_server, + .version = TLS_1_2, + .server = server->clone(server), + .peer = peer ? peer->clone(peer) : NULL, + .application = application, + .purpose = purpose, + ); + + this->crypto = tls_crypto_create(&this->public); + this->alert = tls_alert_create(); + if (is_server) + { + this->handshake = &tls_server_create(&this->public, this->crypto, + this->alert, this->server, this->peer)->handshake; + } + else + { + this->handshake = &tls_peer_create(&this->public, this->crypto, + this->alert, this->peer, this->server)->handshake; + } + this->fragmentation = tls_fragmentation_create(this->handshake, this->alert, + this->application); + this->compression = tls_compression_create(this->fragmentation, this->alert); + this->protection = tls_protection_create(this->compression, this->alert); + this->crypto->set_protection(this->crypto, this->protection); + + return &this->public; +} diff --git a/src/libtls/tls.h b/src/libtls/tls.h new file mode 100644 index 000000000..1908f5dd4 --- /dev/null +++ b/src/libtls/tls.h @@ -0,0 +1,236 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup libtls libtls + * + * @addtogroup libtls + * TLS implementation on top of libstrongswan + * + * @defgroup tls tls + * @{ @ingroup libtls + */ + +#ifndef TLS_H_ +#define TLS_H_ + +typedef enum tls_version_t tls_version_t; +typedef enum tls_content_type_t tls_content_type_t; +typedef enum tls_handshake_type_t tls_handshake_type_t; +typedef enum tls_purpose_t tls_purpose_t; +typedef struct tls_t tls_t; + +#include <library.h> + +#include "tls_application.h" + +/** + * TLS/SSL version numbers + */ +enum tls_version_t { + SSL_2_0 = 0x0200, + SSL_3_0 = 0x0300, + TLS_1_0 = 0x0301, + TLS_1_1 = 0x0302, + TLS_1_2 = 0x0303, +}; + +/** + * Enum names for tls_version_t + */ +extern enum_name_t *tls_version_names; + +/** + * TLS higher level content type + */ +enum tls_content_type_t { + TLS_CHANGE_CIPHER_SPEC = 20, + TLS_ALERT = 21, + TLS_HANDSHAKE = 22, + TLS_APPLICATION_DATA = 23, +}; + +/** + * Enum names for tls_content_type_t + */ +extern enum_name_t *tls_content_type_names; + +/** + * TLS handshake subtype + */ +enum tls_handshake_type_t { + TLS_HELLO_REQUEST = 0, + TLS_CLIENT_HELLO = 1, + TLS_SERVER_HELLO = 2, + TLS_CERTIFICATE = 11, + TLS_SERVER_KEY_EXCHANGE = 12, + TLS_CERTIFICATE_REQUEST = 13, + TLS_SERVER_HELLO_DONE = 14, + TLS_CERTIFICATE_VERIFY = 15, + TLS_CLIENT_KEY_EXCHANGE = 16, + TLS_FINISHED = 20, +}; + +/** + * Enum names for tls_handshake_type_t + */ +extern enum_name_t *tls_handshake_type_names; + +/** + * Purpose the TLS stack is initiated for. + */ +enum tls_purpose_t { + /** authentication in EAP-TLS */ + TLS_PURPOSE_EAP_TLS, + /** outer authentication and protection in EAP-TTLS */ + TLS_PURPOSE_EAP_TTLS, + /** non-EAP TLS */ + TLS_PURPOSE_GENERIC, + /** EAP binding for TNC */ + TLS_PURPOSE_EAP_TNC +}; + +/** + * TLS Hello extension types. + */ +enum tls_extension_t { + /** Server name the client wants to talk to */ + TLS_EXT_SERVER_NAME = 0, + /** request a maximum fragment size */ + TLS_EXT_MAX_FRAGMENT_LENGTH = 1, + /** indicate client certificate URL support */ + TLS_EXT_CLIENT_CERTIFICATE_URL = 2, + /** list of CA the client trusts */ + TLS_EXT_TRUSTED_CA_KEYS = 3, + /** request MAC truncation to 80-bit */ + TLS_EXT_TRUNCATED_HMAC = 4, + /** list of OCSP responders the client trusts */ + TLS_EXT_STATUS_REQUEST = 5, + /** list of supported elliptic curves */ + TLS_EXT_ELLIPTIC_CURVES = 10, + /** supported point formats */ + TLS_EXT_EC_POINT_FORMATS = 11, + /** list supported signature algorithms */ + TLS_EXT_SIGNATURE_ALGORITHMS = 13, +}; + +/** + * Enum names for tls_extension_t + */ +extern enum_name_t *tls_extension_names; + +/** + * A bottom-up driven TLS stack, suitable for EAP implementations. + */ +struct tls_t { + + /** + * Process one or more TLS records, pass it to upper layers. + * + * @param buf TLS record data, including headers + * @param buflen number of bytes in buf to process + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if more invocations to process/build needed + */ + status_t (*process)(tls_t *this, void *buf, size_t buflen); + + /** + * Query upper layer for one or more TLS records, build fragments. + * + * The TLS stack automatically fragments the records to the given buffer + * size. Fragmentation is indicated by the reclen ouput parameter and + * the return value. For the first fragment of a TLS record, a non-zero + * record length is returned in reclen. If more fragments follow, NEED_MORE + * is returned. A return value of ALREADY_DONE indicates that the final + * fragment has been returned. + * + * @param buf buffer to write TLS record fragments to + * @param buflen size of buffer, receives bytes written + * @param msglen receives size of all TLS fragments + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - INVALID_STATE if more input data required + * - NEED_MORE if more fragments available + * - ALREADY_DONE if the last available fragment returned + */ + status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen); + + /** + * Check if TLS stack is acting as a server. + * + * @return TRUE if server, FALSE if peer + */ + bool (*is_server)(tls_t *this); + + /** + * Get the negotiated TLS/SSL version. + * + * @return negotiated TLS version + */ + tls_version_t (*get_version)(tls_t *this); + + /** + * Set the negotiated TLS/SSL version. + * + * @param version negotiated TLS version + * @return TRUE if version acceptable + */ + bool (*set_version)(tls_t *this, tls_version_t version); + + /** + * Get the purpose of this TLS stack instance. + * + * @return purpose given during construction + */ + tls_purpose_t (*get_purpose)(tls_t *this); + + /** + * Check if TLS negotiation completed successfully. + * + * @return TRUE if TLS negotation and authentication complete + */ + bool (*is_complete)(tls_t *this); + + /** + * Get the MSK for EAP-TLS. + * + * @return MSK, internal data + */ + chunk_t (*get_eap_msk)(tls_t *this); + + /** + * Destroy a tls_t. + */ + void (*destroy)(tls_t *this); +}; + +/** + * Create a tls instance. + * + * @param is_server TRUE to act as server, FALSE for client + * @param server server identity + * @param peer peer identity, NULL for no client authentication + * @param purpose purpose this TLS stack instance is used for + * @param application higher layer application or NULL if none + * @return TLS stack + */ +tls_t *tls_create(bool is_server, identification_t *server, + identification_t *peer, tls_purpose_t purpose, + tls_application_t *application); + +#endif /** TLS_H_ @}*/ diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c new file mode 100644 index 000000000..8a4fa7d77 --- /dev/null +++ b/src/libtls/tls_alert.c @@ -0,0 +1,228 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_alert.h" + +#include <debug.h> +#include <utils/linked_list.h> + +ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY, + "close notify", +); +ENUM_NEXT(tls_alert_desc_names, TLS_UNEXPECTED_MESSAGE, TLS_UNEXPECTED_MESSAGE, + TLS_CLOSE_NOTIFY, + "unexpected message", +); +ENUM_NEXT(tls_alert_desc_names, TLS_BAD_RECORD_MAC, TLS_RECORD_OVERFLOW, + TLS_UNEXPECTED_MESSAGE, + "bad record mac", + "decryption failed", + "record overflow", +); +ENUM_NEXT(tls_alert_desc_names, TLS_DECOMPRESSION_FAILURE, TLS_DECOMPRESSION_FAILURE, + TLS_RECORD_OVERFLOW, + "decompression_failure", +); +ENUM_NEXT(tls_alert_desc_names, TLS_HANDSHAKE_FAILURE, TLS_DECRYPT_ERROR, + TLS_DECOMPRESSION_FAILURE, + "handshake failure", + "no certificate", + "bad certificate", + "unsupported certificate", + "certificate revoked", + "certificate expired", + "certificate unknown", + "illegal parameter", + "unknown ca", + "access denied", + "decode error", + "decrypt error", +); +ENUM_NEXT(tls_alert_desc_names, TLS_EXPORT_RESTRICTION, TLS_EXPORT_RESTRICTION, + TLS_DECRYPT_ERROR, + "export restriction", +); +ENUM_NEXT(tls_alert_desc_names, TLS_PROTOCOL_VERSION, TLS_INSUFFICIENT_SECURITY, + TLS_EXPORT_RESTRICTION, + "protocol version", + "insufficient security", +); +ENUM_NEXT(tls_alert_desc_names, TLS_INTERNAL_ERROR, TLS_INTERNAL_ERROR, + TLS_INSUFFICIENT_SECURITY, + "internal error", +); +ENUM_NEXT(tls_alert_desc_names, TLS_USER_CANCELED, TLS_USER_CANCELED, + TLS_INTERNAL_ERROR, + "user canceled", +); +ENUM_NEXT(tls_alert_desc_names, TLS_NO_RENEGOTIATION, TLS_NO_RENEGOTIATION, + TLS_USER_CANCELED, + "no renegotiation", +); +ENUM_NEXT(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION, TLS_UNSUPPORTED_EXTENSION, + TLS_NO_RENEGOTIATION, + "unsupported extension", +); +ENUM_END(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION); + + +typedef struct private_tls_alert_t private_tls_alert_t; + +/** + * Private data of an tls_alert_t object. + */ +struct private_tls_alert_t { + + /** + * Public tls_alert_t interface. + */ + tls_alert_t public; + + /** + * Warning queue + */ + linked_list_t *warnings; + + /** + * Do we have a fatal alert? + */ + bool fatal; + + /** + * Has the fatal alert been consumed? + */ + bool consumed; + + /** + * Fatal alert discription + */ + tls_alert_desc_t desc; +}; + +METHOD(tls_alert_t, add, void, + private_tls_alert_t *this, tls_alert_level_t level, + tls_alert_desc_t desc) +{ + if (level == TLS_FATAL) + { + if (!this->fatal) + { + this->desc = desc; + this->fatal = TRUE; + } + } + else + { + this->warnings->insert_last(this->warnings, (void*)(uintptr_t)desc); + } +} + +METHOD(tls_alert_t, get, bool, + private_tls_alert_t *this, tls_alert_level_t *level, + tls_alert_desc_t *desc) +{ + if (this->fatal && !this->consumed) + { + this->consumed = TRUE; + *level = TLS_FATAL; + *desc = this->desc; + if (this->desc == TLS_CLOSE_NOTIFY) + { + DBG1(DBG_TLS, "sending TLS close notify"); + } + else + { + DBG1(DBG_TLS, "sending fatal TLS alert '%N'", + tls_alert_desc_names, this->desc); + } + return TRUE; + } + else + { + uintptr_t warning; + + if (this->warnings->remove_first(this->warnings, + (void**)&warning) == SUCCESS) + { + *level = TLS_WARNING; + *desc = warning; + DBG1(DBG_TLS, "sending TLS alert warning '%N'", + tls_alert_desc_names, warning); + return TRUE; + } + } + return FALSE; +} + +METHOD(tls_alert_t, fatal, bool, + private_tls_alert_t *this) +{ + return this->fatal; +} + +METHOD(tls_alert_t, process, status_t, + private_tls_alert_t *this, tls_alert_level_t level, + tls_alert_desc_t desc) +{ + if (desc == TLS_CLOSE_NOTIFY) + { + DBG1(DBG_TLS, "received TLS close notify"); + add(this, TLS_FATAL, TLS_CLOSE_NOTIFY); + return NEED_MORE; + } + switch (level) + { + case TLS_WARNING: + DBG1(DBG_TLS, "received TLS alert warning '%N'", + tls_alert_desc_names, desc); + return NEED_MORE; + case TLS_FATAL: + DBG1(DBG_TLS, "received fatal TLS alert '%N'", + tls_alert_desc_names, desc); + return FAILED; + default: + DBG1(DBG_TLS, "received unknown TLS alert '%N'", + tls_alert_desc_names, desc); + return FAILED; + } +} + +METHOD(tls_alert_t, destroy, void, + private_tls_alert_t *this) +{ + this->warnings->destroy(this->warnings); + free(this); +} + +/** + * See header + */ +tls_alert_t *tls_alert_create() +{ + private_tls_alert_t *this; + + INIT(this, + .public = { + .add = _add, + .get = _get, + .fatal = _fatal, + .process = _process, + .destroy = _destroy, + }, + .warnings = linked_list_create(), + ); + + return &this->public; +} diff --git a/src/libtls/tls_alert.h b/src/libtls/tls_alert.h new file mode 100644 index 000000000..95ba4d91b --- /dev/null +++ b/src/libtls/tls_alert.h @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_alert tls_alert + * @{ @ingroup libtls + */ + +#ifndef TLS_ALERT_H_ +#define TLS_ALERT_H_ + +#include <library.h> + +typedef struct tls_alert_t tls_alert_t; +typedef enum tls_alert_level_t tls_alert_level_t; +typedef enum tls_alert_desc_t tls_alert_desc_t; + +/** + * Level of a TLS alert + */ +enum tls_alert_level_t { + TLS_WARNING = 1, + TLS_FATAL = 2, +}; + +/** + * Description of a TLS alert + */ +enum tls_alert_desc_t { + TLS_CLOSE_NOTIFY = 0, + TLS_UNEXPECTED_MESSAGE = 10, + TLS_BAD_RECORD_MAC = 20, + TLS_DECRYPTION_FAILED = 21, + TLS_RECORD_OVERFLOW = 22, + TLS_DECOMPRESSION_FAILURE = 30, + TLS_HANDSHAKE_FAILURE = 40, + TLS_NO_CERTIFICATE = 41, + TLS_BAD_CERTIFICATE = 42, + TLS_UNSUPPORTED_CERTIFICATE = 43, + TLS_CERTIFICATE_REVOKED = 44, + TLS_CERTIFICATE_EXPIRED = 45, + TLS_CERTIFICATE_UNKNOWN = 46, + TLS_ILLEGAL_PARAMETER = 47, + TLS_UNKNOWN_CA = 48, + TLS_ACCESS_DENIED = 49, + TLS_DECODE_ERROR = 50, + TLS_DECRYPT_ERROR = 51, + TLS_EXPORT_RESTRICTION = 60, + TLS_PROTOCOL_VERSION = 70, + TLS_INSUFFICIENT_SECURITY = 71, + TLS_INTERNAL_ERROR = 80, + TLS_USER_CANCELED = 90, + TLS_NO_RENEGOTIATION = 100, + TLS_UNSUPPORTED_EXTENSION = 110, +}; + +/** + * Enum names for alert descriptions + */ +extern enum_name_t *tls_alert_desc_names; + +/** + * TLS alert handling. + */ +struct tls_alert_t { + + /** + * Add an alert to the TLS alert queue, will be sent. + * + * @param level level of TLS alert + * @param description description of alert + */ + void (*add)(tls_alert_t *this, tls_alert_level_t level, + tls_alert_desc_t description); + + /** + * Get an alert pushed to the alert queue, to send. + * + * @param level receives TLS alert level + * @param description receives TLS alert description + * @return TRUE if returned an alert + */ + bool (*get)(tls_alert_t *this, tls_alert_level_t *level, + tls_alert_desc_t *description); + + /** + * Did a fatal alert occur?. + * + * @return TRUE if a fatal alert has occured + */ + bool (*fatal)(tls_alert_t *this); + + /** + * Process a received TLS alert. + * + * @param level level of received alert + * @param description alert description + * @return status to pass down to TLS stack + */ + status_t (*process)(tls_alert_t *this, tls_alert_level_t level, + tls_alert_desc_t description); + + /** + * Destroy a tls_alert_t. + */ + void (*destroy)(tls_alert_t *this); +}; + +/** + * Create a tls_alert instance. + */ +tls_alert_t *tls_alert_create(); + +#endif /** TLS_ALERT_H_ @}*/ diff --git a/src/libtls/tls_application.h b/src/libtls/tls_application.h new file mode 100644 index 000000000..b54a25e22 --- /dev/null +++ b/src/libtls/tls_application.h @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_handshake tls_handshake + * @{ @ingroup libtls + */ + +#ifndef TLS_APPLICATION_H_ +#define TLS_APPLICATION_H_ + +typedef struct tls_application_t tls_application_t; + +#include "tls_reader.h" +#include "tls_writer.h" + +/** + * TLS application data interface. + */ +struct tls_application_t { + + /** + * Process received TLS application data. + * + * @param reader TLS data buffer + * @return + * - SUCCESS if application completed + * - FAILED if application data processing failed + * - NEED_MORE if another invocation of process/build needed + */ + status_t (*process)(tls_application_t *this, tls_reader_t *reader); + + /** + * Build TLS application data to send out. + * + * @param writer TLS data buffer to write to + * @return + * - SUCCESS if application completed + * - FAILED if application data build failed + * - NEED_MORE if more data ready for delivery + * - INVALID_STATE if more input to process() required + */ + status_t (*build)(tls_application_t *this, tls_writer_t *writer); + + /** + * Destroy a tls_application_t. + */ + void (*destroy)(tls_application_t *this); +}; + +#endif /** TLS_APPLICATION_H_ @}*/ diff --git a/src/libtls/tls_compression.c b/src/libtls/tls_compression.c new file mode 100644 index 000000000..68266cd0c --- /dev/null +++ b/src/libtls/tls_compression.c @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_compression.h" + +typedef struct private_tls_compression_t private_tls_compression_t; + +/** + * Private data of an tls_compression_t object. + */ +struct private_tls_compression_t { + + /** + * Public tls_compression_t interface. + */ + tls_compression_t public; + + /** + * Upper layer, TLS record fragmentation + */ + tls_fragmentation_t *fragmentation; +}; + +METHOD(tls_compression_t, process, status_t, + private_tls_compression_t *this, tls_content_type_t type, chunk_t data) +{ + return this->fragmentation->process(this->fragmentation, type, data); +} + +METHOD(tls_compression_t, build, status_t, + private_tls_compression_t *this, tls_content_type_t *type, chunk_t *data) +{ + return this->fragmentation->build(this->fragmentation, type, data); +} + +METHOD(tls_compression_t, destroy, void, + private_tls_compression_t *this) +{ + free(this); +} + +/** + * See header + */ +tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation, + tls_alert_t *alert) +{ + private_tls_compression_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + .fragmentation = fragmentation, + ); + + return &this->public; +} diff --git a/src/libtls/tls_compression.h b/src/libtls/tls_compression.h new file mode 100644 index 000000000..b4832ab06 --- /dev/null +++ b/src/libtls/tls_compression.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_compression tls_compression + * @{ @ingroup libtls + */ + +#ifndef TLS_COMPRESSION_H_ +#define TLS_COMPRESSION_H_ + +#include <library.h> + +#include "tls.h" +#include "tls_alert.h" +#include "tls_fragmentation.h" + +typedef struct tls_compression_t tls_compression_t; + +/** + * TLS record protocol compression layer. + */ +struct tls_compression_t { + + /** + * Process a compressed TLS record, pass it to upper layers. + * + * @param type type of the TLS record to process + * @param data associated TLS record data + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if more invocations to process/build needed + */ + status_t (*process)(tls_compression_t *this, + tls_content_type_t type, chunk_t data); + + /** + * Query upper layer for TLS record, build compressed record. + * + * @param type type of the built TLS record + * @param data allocated data of the built TLS record + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if upper layers have more records to send + * - INVALID_STATE if more input records required + */ + status_t (*build)(tls_compression_t *this, + tls_content_type_t *type, chunk_t *data); + + /** + * Destroy a tls_compression_t. + */ + void (*destroy)(tls_compression_t *this); +}; + +/** + * Create a tls_compression instance. + * + * @param fragmentation fragmentation layer of TLS stack + * @param alert TLS alert handler + * @return TLS compression layer. + */ +tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation, + tls_alert_t *alert); + +#endif /** TLS_COMPRESSION_H_ @}*/ diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c new file mode 100644 index 000000000..78f2a796d --- /dev/null +++ b/src/libtls/tls_crypto.c @@ -0,0 +1,1674 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_crypto.h" + +#include <debug.h> + +ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL, + TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, + "TLS_NULL_WITH_NULL_NULL", + "TLS_RSA_WITH_NULL_MD5", + "TLS_RSA_WITH_NULL_SHA", + "TLS_RSA_EXPORT_WITH_RC4_40_MD5", + "TLS_RSA_WITH_RC4_128_MD5", + "TLS_RSA_WITH_RC4_128_SHA", + "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", + "TLS_RSA_WITH_IDEA_CBC_SHA", + "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_RSA_WITH_DES_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_DSS_WITH_DES_CBC_SHA", + "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_RSA_WITH_DES_CBC_SHA", + "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DHE_DSS_WITH_DES_CBC_SHA", + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DHE_RSA_WITH_DES_CBC_SHA", + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", + "TLS_DH_anon_WITH_RC4_128_MD5", + "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_anon_WITH_DES_CBC_SHA", + "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"); +ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA, + TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, + "TLS_KRB5_WITH_DES_CBC_SHA", + "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", + "TLS_KRB5_WITH_RC4_128_SHA", + "TLS_KRB5_WITH_IDEA_CBC_SHA", + "TLS_KRB5_WITH_DES_CBC_MD5", + "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", + "TLS_KRB5_WITH_RC4_128_MD5", + "TLS_KRB5_WITH_IDEA_CBC_MD5", + "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", + "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", + "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", + "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", + "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", + "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", + "TLS_PSK_WITH_NULL_SHA", + "TLS_DHE_PSK_WITH_NULL_SHA", + "TLS_RSA_PSK_WITH_NULL_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_DH_DSS_WITH_AES_128_CBC_SHA", + "TLS_DH_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DH_anon_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_DH_DSS_WITH_AES_256_CBC_SHA", + "TLS_DH_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DH_anon_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_NULL_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256 ", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", + "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"); +ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DH_anon_WITH_AES_256_CBC_SHA256, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA, + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", + "TLS_DH_anon_WITH_AES_256_CBC_SHA256"); +ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DH_anon_WITH_AES_256_CBC_SHA256, + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", + "TLS_PSK_WITH_RC4_128_SHA", + "TLS_PSK_WITH_3DES_EDE_CBC_SHA2", + "TLS_PSK_WITH_AES_128_CBC_SHA", + "TLS_PSK_WITH_AES_256_CBC_SHA", + "TLS_DHE_PSK_WITH_RC4_128_SHA", + "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2", + "TLS_RSA_PSK_WITH_RC4_128_SHA", + "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_SEED_CBC_SHA", + "TLS_DH_DSS_WITH_SEED_CBC_SHA", + "TLS_DH_RSA_WITH_SEED_CBC_SHA", + "TLS_DHE_DSS_WITH_SEED_CBC_SHA", + "TLS_DHE_RSA_WITH_SEED_CBC_SHA", + "TLS_DH_anon_WITH_SEED_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", + "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", + "TLS_DH_anon_WITH_AES_256_GCM_SHA384", + "TLS_PSK_WITH_AES_128_GCM_SHA256", + "TLS_PSK_WITH_AES_256_GCM_SHA384", + "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", + "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", + "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", + "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", + "TLS_PSK_WITH_AES_128_CBC_SHA256", + "TLS_PSK_WITH_AES_256_CBC_SHA384", + "TLS_PSK_WITH_NULL_SHA256", + "TLS_PSK_WITH_NULL_SHA384", + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", + "TLS_DHE_PSK_WITH_NULL_SHA256", + "TLS_DHE_PSK_WITH_NULL_SHA384", + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", + "TLS_RSA_PSK_WITH_NULL_SHA256", + "TLS_RSA_PSK_WITH_NULL_SHA384", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"); +ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, + TLS_EMPTY_RENEGOTIATION_INFO_SCSV, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); +ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_PSK_WITH_NULL_SHA384, + TLS_EMPTY_RENEGOTIATION_INFO_SCSV, + "TLS_ECDH_ECDSA_WITH_NULL_SHA", + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_PSK_WITH_RC4_128_SHA", + "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_PSK_WITH_NULL_SHA", + "TLS_ECDHE_PSK_WITH_NULL_SHA256", + "TLS_ECDHE_PSK_WITH_NULL_SHA384"); +ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384); + +ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512, + "NONE", + "MD5", + "SHA1", + "SHA224", + "SHA256", + "SHA384", + "SHA512", +); + +ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA, + "RSA", + "DSA", + "ECDSA", +); + +ENUM_BEGIN(tls_client_certificate_type_names, + TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH, + "RSA_SIGN", + "DSA_SIGN", + "RSA_FIXED_DH", + "DSS_FIXED_DH", + "RSA_EPHEMERAL_DH", + "DSS_EPHEMERAL_DH"); +ENUM_NEXT(tls_client_certificate_type_names, + TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH, + "FORTEZZA_DMS"); +ENUM_NEXT(tls_client_certificate_type_names, + TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS, + "ECDSA_SIGN", + "RSA_FIXED_ECDH", + "ECDSA_FIXED_ECDH"); +ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH); + +ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE, + "EXPLICIT_PRIME", + "EXPLICIT_CHAR2", + "NAMED_CURVE", +); + +ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1, + "SECT163K1", + "SECT163R1", + "SECT163R2", + "SECT193R1", + "SECT193R2", + "SECT233K1", + "SECT233R1", + "SECT239K1", + "SECT283K1", + "SECT283R1", + "SECT409K1", + "SECT409R1", + "SECT571K1", + "SECT571R1", + "SECP160K1", + "SECP160R1", + "SECP160R2", + "SECP192K1", + "SECP192R1", + "SECP224K1", + "SECP224R1", + "SECP256K1", + "SECP256R1", + "SECP384R1", + "SECP521R1", +); + +ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y, + "compressed", + "compressed y", + "uncompressed", + "uncompressed y", + "hybrid", + "hybrid y", +); + +ENUM(tls_ec_point_format_names, + TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2, + "uncompressed", + "ansiX962 compressed prime", + "ansiX962 compressed char2", +); + +typedef struct private_tls_crypto_t private_tls_crypto_t; + +/** + * Private data of an tls_crypto_t object. + */ +struct private_tls_crypto_t { + + /** + * Public tls_crypto_t interface. + */ + tls_crypto_t public; + + /** + * Protection layer + */ + tls_protection_t *protection; + + /** + * List of supported/acceptable cipher suites + */ + tls_cipher_suite_t *suites; + + /** + * Number of supported suites + */ + int suite_count; + + /** + * Selected cipher suite + */ + tls_cipher_suite_t suite; + + /** + * RSA supported? + */ + bool rsa; + + /** + * ECDSA supported? + */ + bool ecdsa; + + /** + * TLS context + */ + tls_t *tls; + + /** + * All handshake data concatentated + */ + chunk_t handshake; + + /** + * Connection state TLS PRF + */ + tls_prf_t *prf; + + /** + * Signer instance for inbound traffic + */ + signer_t *signer_in; + + /** + * Signer instance for outbound traffic + */ + signer_t *signer_out; + + /** + * Crypter instance for inbound traffic + */ + crypter_t *crypter_in; + + /** + * Crypter instance for outbound traffic + */ + crypter_t *crypter_out; + + /** + * IV for input decryption, if < TLSv1.2 + */ + chunk_t iv_in; + + /** + * IV for output decryption, if < TLSv1.2 + */ + chunk_t iv_out; + + /** + * EAP-[T]TLS MSK + */ + chunk_t msk; + + /** + * ASCII string constant used as seed for EAP-[T]TLS MSK PRF + */ + char *msk_label; +}; + +typedef struct { + tls_cipher_suite_t suite; + key_type_t key; + diffie_hellman_group_t dh; + hash_algorithm_t hash; + pseudo_random_function_t prf; + integrity_algorithm_t mac; + encryption_algorithm_t encr; + size_t encr_size; +} suite_algs_t; + +/** + * Mapping suites to a set of algorithms + */ +static suite_algs_t suite_algs[] = { + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16 + }, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16 + }, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + KEY_ECDSA, ECP_384_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32 + }, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + KEY_ECDSA, ECP_384_BIT, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32 + }, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + KEY_RSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16 + }, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + KEY_RSA, ECP_256_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16 + }, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + KEY_RSA, ECP_384_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32 + }, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + KEY_RSA, ECP_384_BIT, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32 + }, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + KEY_RSA, MODP_2048_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16 + }, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + KEY_RSA, MODP_3072_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16 + }, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + KEY_RSA, MODP_3072_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32 + }, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + KEY_RSA, MODP_4096_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + KEY_RSA, MODP_2048_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + KEY_RSA, MODP_3072_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + KEY_RSA, MODP_3072_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + KEY_RSA, MODP_4096_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32 + }, + { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + KEY_RSA, MODP_2048_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_3DES, 0 + }, + { TLS_RSA_WITH_AES_128_CBC_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16 + }, + { TLS_RSA_WITH_AES_128_CBC_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16 + }, + { TLS_RSA_WITH_AES_256_CBC_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32 + }, + { TLS_RSA_WITH_AES_256_CBC_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32 + }, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16 + }, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16 + }, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32 + }, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32 + }, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_3DES, 0 + }, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + KEY_RSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_3DES, 0 + }, + { TLS_RSA_WITH_3DES_EDE_CBC_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_3DES, 0 + }, + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_NULL, 0 + }, + { TLS_ECDHE_RSA_WITH_NULL_SHA, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_NULL, 0 + }, + { TLS_RSA_WITH_NULL_SHA, + KEY_RSA, MODP_NONE, + HASH_SHA1, PRF_HMAC_SHA1, + AUTH_HMAC_SHA1_160, ENCR_NULL, 0 + }, + { TLS_RSA_WITH_NULL_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0 + }, + { TLS_RSA_WITH_NULL_MD5, + KEY_RSA, MODP_NONE, + HASH_MD5, PRF_HMAC_MD5, + AUTH_HMAC_MD5_128, ENCR_NULL, 0 + }, +}; + +/** + * Look up algoritms by a suite + */ +static suite_algs_t *find_suite(tls_cipher_suite_t suite) +{ + int i; + + for (i = 0; i < countof(suite_algs); i++) + { + if (suite_algs[i].suite == suite) + { + return &suite_algs[i]; + } + } + return NULL; +} + +/** + * Filter a suite list using a transform enumerator + */ +static void filter_suite(private_tls_crypto_t *this, + suite_algs_t suites[], int *count, int offset, + enumerator_t*(*create_enumerator)(crypto_factory_t*)) +{ + suite_algs_t current; + int i, remaining = 0; + enumerator_t *enumerator; + + memset(¤t, 0, sizeof(current)); + for (i = 0; i < *count; i++) + { + enumerator = create_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, ((char*)¤t) + offset)) + { + if ((suites[i].encr == ENCR_NULL || + !current.encr || current.encr == suites[i].encr) && + (!current.mac || current.mac == suites[i].mac) && + (!current.prf || current.prf == suites[i].prf) && + (!current.hash || current.hash == suites[i].hash) && + (suites[i].dh == MODP_NONE || + !current.dh || current.dh == suites[i].dh)) + { + suites[remaining] = suites[i]; + remaining++; + break; + } + } + enumerator->destroy(enumerator); + } + *count = remaining; +} + +/** + * Purge NULL encryption cipher suites from list + */ +static void filter_null_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count) +{ + int i, remaining = 0; + + for (i = 0; i < *count; i++) + { + if (suites[i].encr != ENCR_NULL) + { + suites[remaining] = suites[i]; + remaining++; + } + } + *count = remaining; +} + +/** + * Purge suites using a given key type + */ +static void filter_key_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count, key_type_t key) +{ + int i, remaining = 0; + + DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key); + for (i = 0; i < *count; i++) + { + if (suites[i].key != key) + { + suites[remaining] = suites[i]; + remaining++; + } + } + *count = remaining; +} + +/** + * Filter suites by key exchange user config + */ +static void filter_key_exchange_config_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count) +{ + enumerator_t *enumerator; + int i, remaining = 0; + char *token, *config; + + config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL); + if (config) + { + for (i = 0; i < *count; i++) + { + enumerator = enumerator_create_token(config, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (strcaseeq(token, "ecdhe-ecdsa") && + diffie_hellman_group_is_ec(suites[i].dh) && + suites[i].key == KEY_ECDSA) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "ecdhe-rsa") && + diffie_hellman_group_is_ec(suites[i].dh) && + suites[i].key == KEY_RSA) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "dhe-rsa") && + !diffie_hellman_group_is_ec(suites[i].dh) && + suites[i].dh != MODP_NONE && + suites[i].key == KEY_RSA) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "rsa") && + suites[i].dh == MODP_NONE && + suites[i].key == KEY_RSA) + { + suites[remaining++] = suites[i]; + break; + } + } + enumerator->destroy(enumerator); + } + *count = remaining; + } +} + +/** + * Filter suites by cipher user config + */ +static void filter_cipher_config_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count) +{ + enumerator_t *enumerator; + int i, remaining = 0; + char *token, *config; + + config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL); + if (config) + { + for (i = 0; i < *count; i++) + { + enumerator = enumerator_create_token(config, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (strcaseeq(token, "aes128") && + suites[i].encr == ENCR_AES_CBC && + suites[i].encr_size == 16) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "aes256") && + suites[i].encr == ENCR_AES_CBC && + suites[i].encr_size == 32) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "camellia128") && + suites[i].encr == ENCR_CAMELLIA_CBC && + suites[i].encr_size == 16) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "camellia256") && + suites[i].encr == ENCR_CAMELLIA_CBC && + suites[i].encr_size == 32) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "3des") && + suites[i].encr == ENCR_3DES) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "null") && + suites[i].encr == ENCR_NULL) + { + suites[remaining++] = suites[i]; + break; + } + } + enumerator->destroy(enumerator); + } + *count = remaining; + } +} + +/** + * Filter suites by mac user config + */ +static void filter_mac_config_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count) +{ + enumerator_t *enumerator; + int i, remaining = 0; + char *token, *config; + + config = lib->settings->get_str(lib->settings, "libtls.mac", NULL); + if (config) + { + for (i = 0; i < *count; i++) + { + enumerator = enumerator_create_token(config, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (strcaseeq(token, "md5") && + suites[i].hash == HASH_MD5) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "sha1") && + suites[i].hash == HASH_SHA1) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "sha256") && + suites[i].hash == HASH_SHA256) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "sha384") && + suites[i].hash == HASH_SHA384) + { + suites[remaining++] = suites[i]; + break; + } + } + enumerator->destroy(enumerator); + } + *count = remaining; + } +} + +/** + * Filter for specific suites specified in strongswan.conf + */ +static void filter_specific_config_suites(private_tls_crypto_t *this, + suite_algs_t suites[], int *count) +{ + enumerator_t *enumerator; + int i, remaining = 0, suite; + char *token, *config; + + config = lib->settings->get_str(lib->settings, "libtls.suites", NULL); + if (config) + { + for (i = 0; i < *count; i++) + { + enumerator = enumerator_create_token(config, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + suite = enum_from_name(tls_cipher_suite_names, token); + if (suite == suites[i].suite) + { + suites[remaining++] = suites[i]; + break; + } + } + enumerator->destroy(enumerator); + } + *count = remaining; + } +} + +/** + * Initialize the cipher suite list + */ +static void build_cipher_suite_list(private_tls_crypto_t *this, + bool require_encryption) +{ + suite_algs_t suites[countof(suite_algs)]; + int count = countof(suite_algs), i; + + /* copy all suites */ + for (i = 0; i < count; i++) + { + suites[i] = suite_algs[i]; + } + if (require_encryption) + { + filter_null_suites(this, suites, &count); + } + if (!this->rsa) + { + filter_key_suites(this, suites, &count, KEY_RSA); + } + if (!this->ecdsa) + { + filter_key_suites(this, suites, &count, KEY_ECDSA); + } + + /* filter suite list by each algorithm */ + filter_suite(this, suites, &count, offsetof(suite_algs_t, encr), + lib->crypto->create_crypter_enumerator); + filter_suite(this, suites, &count, offsetof(suite_algs_t, mac), + lib->crypto->create_signer_enumerator); + filter_suite(this, suites, &count, offsetof(suite_algs_t, prf), + lib->crypto->create_prf_enumerator); + filter_suite(this, suites, &count, offsetof(suite_algs_t, hash), + lib->crypto->create_hasher_enumerator); + filter_suite(this, suites, &count, offsetof(suite_algs_t, dh), + lib->crypto->create_dh_enumerator); + + /* filter suites with strongswan.conf options */ + filter_key_exchange_config_suites(this, suites, &count); + filter_cipher_config_suites(this, suites, &count); + filter_mac_config_suites(this, suites, &count); + filter_specific_config_suites(this, suites, &count); + + free(this->suites); + this->suite_count = count; + this->suites = malloc(sizeof(tls_cipher_suite_t) * count); + + DBG2(DBG_TLS, "%d supported TLS cipher suites:", count); + for (i = 0; i < count; i++) + { + DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite); + this->suites[i] = suites[i].suite; + } +} + +METHOD(tls_crypto_t, get_cipher_suites, int, + private_tls_crypto_t *this, tls_cipher_suite_t **suites) +{ + *suites = this->suites; + return this->suite_count; +} + +/** + * Create crypto primitives + */ +static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs) +{ + DESTROY_IF(this->prf); + if (this->tls->get_version(this->tls) < TLS_1_2) + { + this->prf = tls_prf_create_10(); + } + else + { + this->prf = tls_prf_create_12(algs->prf); + } + if (!this->prf) + { + DBG1(DBG_TLS, "selected TLS PRF not supported"); + return FALSE; + } + + DESTROY_IF(this->signer_in); + DESTROY_IF(this->signer_out); + this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac); + this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac); + if (!this->signer_in || !this->signer_out) + { + DBG1(DBG_TLS, "selected TLS MAC %N not supported", + integrity_algorithm_names, algs->mac); + return FALSE; + } + + DESTROY_IF(this->crypter_in); + DESTROY_IF(this->crypter_out); + if (algs->encr == ENCR_NULL) + { + this->crypter_in = this->crypter_out = NULL; + } + else + { + this->crypter_in = lib->crypto->create_crypter(lib->crypto, + algs->encr, algs->encr_size); + this->crypter_out = lib->crypto->create_crypter(lib->crypto, + algs->encr, algs->encr_size); + if (!this->crypter_in || !this->crypter_out) + { + DBG1(DBG_TLS, "selected TLS crypter %N not supported", + encryption_algorithm_names, algs->encr); + return FALSE; + } + } + return TRUE; +} + +METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t, + private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count, + key_type_t key) +{ + suite_algs_t *algs; + int i, j; + + for (i = 0; i < this->suite_count; i++) + { + for (j = 0; j < count; j++) + { + if (this->suites[i] == suites[j]) + { + algs = find_suite(this->suites[i]); + if (algs) + { + if (key == KEY_ANY || key == algs->key) + { + if (create_ciphers(this, algs)) + { + this->suite = this->suites[i]; + return this->suite; + } + } + } + } + } + } + return 0; +} + +METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t, + private_tls_crypto_t *this) +{ + suite_algs_t *algs; + + algs = find_suite(this->suite); + if (algs) + { + return algs->dh; + } + return MODP_NONE; +} + +METHOD(tls_crypto_t, get_signature_algorithms, void, + private_tls_crypto_t *this, tls_writer_t *writer) +{ + tls_writer_t *supported; + enumerator_t *enumerator; + hash_algorithm_t alg; + tls_hash_algorithm_t hash; + + supported = tls_writer_create(32); + enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &alg)) + { + switch (alg) + { + case HASH_MD5: + hash = TLS_HASH_MD5; + break; + case HASH_SHA1: + hash = TLS_HASH_SHA1; + break; + case HASH_SHA224: + hash = TLS_HASH_SHA224; + break; + case HASH_SHA256: + hash = TLS_HASH_SHA256; + break; + case HASH_SHA384: + hash = TLS_HASH_SHA384; + break; + case HASH_SHA512: + hash = TLS_HASH_SHA512; + break; + default: + continue; + } + if (this->rsa) + { + supported->write_uint8(supported, hash); + supported->write_uint8(supported, TLS_SIG_RSA); + } + if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224) + { /* currently we have no signature scheme for MD5/SHA224 */ + supported->write_uint8(supported, hash); + supported->write_uint8(supported, TLS_SIG_ECDSA); + } + } + enumerator->destroy(enumerator); + + writer->write_data16(writer, supported->get_buf(supported)); + supported->destroy(supported); +} + +/** + * Mapping groups to TLS named curves + */ +static struct { + diffie_hellman_group_t group; + tls_named_curve_t curve; +} curves[] = { + { ECP_256_BIT, TLS_SECP256R1}, + { ECP_384_BIT, TLS_SECP384R1}, + { ECP_521_BIT, TLS_SECP521R1}, + { ECP_224_BIT, TLS_SECP224R1}, + { ECP_192_BIT, TLS_SECP192R1}, +}; + +/** + * Filter EC groups, add TLS curve + */ +static bool group_filter(void *null, + diffie_hellman_group_t *in, diffie_hellman_group_t *out, + void* dummy1, tls_named_curve_t *curve) +{ + int i; + + for (i = 0; i < countof(curves); i++) + { + if (curves[i].group == *in) + { + if (out) + { + *out = curves[i].group; + } + if (curve) + { + *curve = curves[i].curve; + } + return TRUE; + } + } + return FALSE; +} + +METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*, + private_tls_crypto_t *this) +{ + return enumerator_create_filter( + lib->crypto->create_dh_enumerator(lib->crypto), + (void*)group_filter, NULL, NULL); +} + +METHOD(tls_crypto_t, set_protection, void, + private_tls_crypto_t *this, tls_protection_t *protection) +{ + this->protection = protection; +} + +METHOD(tls_crypto_t, append_handshake, void, + private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data) +{ + u_int32_t header; + + /* reconstruct handshake header */ + header = htonl(data.len | (type << 24)); + this->handshake = chunk_cat("mcc", this->handshake, + chunk_from_thing(header), data); +} + +/** + * Create a hash using the suites HASH algorithm + */ +static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash) +{ + if (this->tls->get_version(this->tls) >= TLS_1_2) + { + hasher_t *hasher; + suite_algs_t *alg; + + alg = find_suite(this->suite); + if (!alg) + { + return FALSE; + } + hasher = lib->crypto->create_hasher(lib->crypto, alg->hash); + if (!hasher) + { + DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash); + return FALSE; + } + hasher->allocate_hash(hasher, data, hash); + hasher->destroy(hasher); + } + else + { + hasher_t *md5, *sha1; + char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1]; + + md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + if (!md5) + { + DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5); + return FALSE; + } + md5->get_hash(md5, data, buf); + md5->destroy(md5); + sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!sha1) + { + DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1); + return FALSE; + } + sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5); + sha1->destroy(sha1); + + *hash = chunk_clone(chunk_from_thing(buf)); + } + return TRUE; +} + +/** + * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair + */ +static signature_scheme_t hashsig_to_scheme(key_type_t type, + tls_hash_algorithm_t hash, tls_signature_algorithm_t sig) +{ + switch (sig) + { + case TLS_SIG_RSA: + if (type != KEY_RSA) + { + return SIGN_UNKNOWN; + } + switch (hash) + { + case TLS_HASH_MD5: + return SIGN_RSA_EMSA_PKCS1_MD5; + case TLS_HASH_SHA1: + return SIGN_RSA_EMSA_PKCS1_SHA1; + case TLS_HASH_SHA224: + return SIGN_RSA_EMSA_PKCS1_SHA224; + case TLS_HASH_SHA256: + return SIGN_RSA_EMSA_PKCS1_SHA256; + case TLS_HASH_SHA384: + return SIGN_RSA_EMSA_PKCS1_SHA384; + case TLS_HASH_SHA512: + return SIGN_RSA_EMSA_PKCS1_SHA512; + default: + return SIGN_UNKNOWN; + } + case TLS_SIG_ECDSA: + if (type != KEY_ECDSA) + { + return SIGN_UNKNOWN; + } + switch (hash) + { + case TLS_HASH_SHA224: + return SIGN_ECDSA_WITH_SHA1_DER; + case TLS_HASH_SHA256: + return SIGN_ECDSA_WITH_SHA256_DER; + case TLS_HASH_SHA384: + return SIGN_ECDSA_WITH_SHA384_DER; + case TLS_HASH_SHA512: + return SIGN_ECDSA_WITH_SHA512_DER; + default: + return SIGN_UNKNOWN; + } + default: + return SIGN_UNKNOWN; + } +} + +METHOD(tls_crypto_t, sign, bool, + private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer, + chunk_t data, chunk_t hashsig) +{ + if (this->tls->get_version(this->tls) >= TLS_1_2) + { + signature_scheme_t scheme; + tls_reader_t *reader; + u_int8_t hash, alg; + chunk_t sig; + bool done = FALSE; + + if (!hashsig.len) + { /* fallback if none given */ + hashsig = chunk_from_chars( + TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA); + } + reader = tls_reader_create(hashsig); + while (reader->remaining(reader) >= 2) + { + if (reader->read_uint8(reader, &hash) && + reader->read_uint8(reader, &alg)) + { + scheme = hashsig_to_scheme(key->get_type(key), hash, alg); + if (scheme != SIGN_UNKNOWN && + key->sign(key, scheme, data, &sig)) + { + done = TRUE; + break; + } + } + } + reader->destroy(reader); + if (!done) + { + DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported"); + return FALSE; + } + DBG2(DBG_TLS, "created signature with %N/%N", + tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg); + writer->write_uint8(writer, hash); + writer->write_uint8(writer, alg); + writer->write_data16(writer, sig); + free(sig.ptr); + } + else + { + chunk_t sig, hash; + bool done; + + switch (key->get_type(key)) + { + case KEY_RSA: + if (!hash_data(this, data, &hash)) + { + return FALSE; + } + done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig); + free(hash.ptr); + if (!done) + { + return FALSE; + } + DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA"); + break; + case KEY_ECDSA: + if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig)) + { + return FALSE; + } + DBG2(DBG_TLS, "created signature with SHA1/ECDSA"); + break; + default: + return FALSE; + } + writer->write_data16(writer, sig); + free(sig.ptr); + } + return TRUE; +} + +METHOD(tls_crypto_t, verify, bool, + private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader, + chunk_t data) +{ + if (this->tls->get_version(this->tls) >= TLS_1_2) + { + signature_scheme_t scheme = SIGN_UNKNOWN; + u_int8_t hash, alg; + chunk_t sig; + + if (!reader->read_uint8(reader, &hash) || + !reader->read_uint8(reader, &alg) || + !reader->read_data16(reader, &sig)) + { + DBG1(DBG_TLS, "received invalid signature"); + return FALSE; + } + scheme = hashsig_to_scheme(key->get_type(key), hash, alg); + if (scheme == SIGN_UNKNOWN) + { + DBG1(DBG_TLS, "signature algorithms %N/%N not supported", + tls_hash_algorithm_names, hash, + tls_signature_algorithm_names, alg); + return FALSE; + } + if (!key->verify(key, scheme, data, sig)) + { + return FALSE; + } + DBG2(DBG_TLS, "verified signature with %N/%N", + tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg); + } + else + { + chunk_t sig, hash; + bool done; + + if (!reader->read_data16(reader, &sig)) + { + DBG1(DBG_TLS, "received invalid signature"); + return FALSE; + } + switch (key->get_type(key)) + { + case KEY_RSA: + if (!hash_data(this, data, &hash)) + { + return FALSE; + } + done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig); + free(hash.ptr); + if (!done) + { + return FALSE; + } + DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA"); + break; + case KEY_ECDSA: + if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig)) + { + return FALSE; + } + DBG2(DBG_TLS, "verified signature with SHA1/ECDSA"); + break; + default: + return FALSE; + } + } + return TRUE; +} + +METHOD(tls_crypto_t, sign_handshake, bool, + private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer, + chunk_t hashsig) +{ + return sign(this, key, writer, this->handshake, hashsig); +} + +METHOD(tls_crypto_t, verify_handshake, bool, + private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader) +{ + return verify(this, key, reader, this->handshake); +} + +METHOD(tls_crypto_t, calculate_finished, bool, + private_tls_crypto_t *this, char *label, char out[12]) +{ + chunk_t seed; + + if (!this->prf) + { + return FALSE; + } + if (!hash_data(this, this->handshake, &seed)) + { + return FALSE; + } + this->prf->get_bytes(this->prf, label, seed, 12, out); + free(seed.ptr); + return TRUE; +} + +METHOD(tls_crypto_t, derive_secrets, void, + private_tls_crypto_t *this, chunk_t premaster, + chunk_t client_random, chunk_t server_random) +{ + char master[48]; + chunk_t seed, block, client_write, server_write; + int mks, eks = 0, ivs = 0; + + /* derive master secret */ + seed = chunk_cata("cc", client_random, server_random); + this->prf->set_key(this->prf, premaster); + this->prf->get_bytes(this->prf, "master secret", seed, + sizeof(master), master); + + this->prf->set_key(this->prf, chunk_from_thing(master)); + memset(master, 0, sizeof(master)); + + /* derive key block for key expansion */ + mks = this->signer_out->get_key_size(this->signer_out); + if (this->crypter_out) + { + eks = this->crypter_out->get_key_size(this->crypter_out); + if (this->tls->get_version(this->tls) < TLS_1_1) + { + ivs = this->crypter_out->get_iv_size(this->crypter_out); + } + } + seed = chunk_cata("cc", server_random, client_random); + block = chunk_alloca((mks + eks + ivs) * 2); + this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr); + + /* signer keys */ + client_write = chunk_create(block.ptr, mks); + block = chunk_skip(block, mks); + server_write = chunk_create(block.ptr, mks); + block = chunk_skip(block, mks); + if (this->tls->is_server(this->tls)) + { + this->signer_in->set_key(this->signer_in, client_write); + this->signer_out->set_key(this->signer_out, server_write); + } + else + { + this->signer_out->set_key(this->signer_out, client_write); + this->signer_in->set_key(this->signer_in, server_write); + } + + /* crypter keys, and IVs if < TLSv1.2 */ + if (this->crypter_out && this->crypter_in) + { + client_write = chunk_create(block.ptr, eks); + block = chunk_skip(block, eks); + server_write = chunk_create(block.ptr, eks); + block = chunk_skip(block, eks); + + if (this->tls->is_server(this->tls)) + { + this->crypter_in->set_key(this->crypter_in, client_write); + this->crypter_out->set_key(this->crypter_out, server_write); + } + else + { + this->crypter_out->set_key(this->crypter_out, client_write); + this->crypter_in->set_key(this->crypter_in, server_write); + } + if (ivs) + { + client_write = chunk_create(block.ptr, ivs); + block = chunk_skip(block, ivs); + server_write = chunk_create(block.ptr, ivs); + block = chunk_skip(block, ivs); + + if (this->tls->is_server(this->tls)) + { + this->iv_in = chunk_clone(client_write); + this->iv_out = chunk_clone(server_write); + } + else + { + this->iv_out = chunk_clone(client_write); + this->iv_in = chunk_clone(server_write); + } + } + } +} + +METHOD(tls_crypto_t, change_cipher, void, + private_tls_crypto_t *this, bool inbound) +{ + if (this->protection) + { + if (inbound) + { + this->protection->set_cipher(this->protection, TRUE, + this->signer_in, this->crypter_in, this->iv_in); + } + else + { + this->protection->set_cipher(this->protection, FALSE, + this->signer_out, this->crypter_out, this->iv_out); + } + } +} + +METHOD(tls_crypto_t, derive_eap_msk, void, + private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random) +{ + if (this->msk_label) + { + chunk_t seed; + + seed = chunk_cata("cc", client_random, server_random); + free(this->msk.ptr); + this->msk = chunk_alloc(64); + this->prf->get_bytes(this->prf, this->msk_label, seed, + this->msk.len, this->msk.ptr); + } +} + +METHOD(tls_crypto_t, get_eap_msk, chunk_t, + private_tls_crypto_t *this) +{ + return this->msk; +} + +METHOD(tls_crypto_t, destroy, void, + private_tls_crypto_t *this) +{ + DESTROY_IF(this->signer_in); + DESTROY_IF(this->signer_out); + DESTROY_IF(this->crypter_in); + DESTROY_IF(this->crypter_out); + free(this->iv_in.ptr); + free(this->iv_out.ptr); + free(this->handshake.ptr); + free(this->msk.ptr); + DESTROY_IF(this->prf); + free(this->suites); + free(this); +} + +/** + * See header + */ +tls_crypto_t *tls_crypto_create(tls_t *tls) +{ + private_tls_crypto_t *this; + enumerator_t *enumerator; + credential_type_t type; + int subtype; + + INIT(this, + .public = { + .get_cipher_suites = _get_cipher_suites, + .select_cipher_suite = _select_cipher_suite, + .get_dh_group = _get_dh_group, + .get_signature_algorithms = _get_signature_algorithms, + .create_ec_enumerator = _create_ec_enumerator, + .set_protection = _set_protection, + .append_handshake = _append_handshake, + .sign = _sign, + .verify = _verify, + .sign_handshake = _sign_handshake, + .verify_handshake = _verify_handshake, + .calculate_finished = _calculate_finished, + .derive_secrets = _derive_secrets, + .change_cipher = _change_cipher, + .derive_eap_msk = _derive_eap_msk, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .tls = tls, + ); + + enumerator = lib->creds->create_builder_enumerator(lib->creds); + while (enumerator->enumerate(enumerator, &type, &subtype)) + { + if (type == CRED_PUBLIC_KEY) + { + switch (subtype) + { + case KEY_RSA: + this->rsa = TRUE; + break; + case KEY_ECDSA: + this->ecdsa = TRUE; + break; + default: + break; + } + } + } + enumerator->destroy(enumerator); + + switch (tls->get_purpose(tls)) + { + case TLS_PURPOSE_EAP_TLS: + /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */ + this->msk_label = "client EAP encryption"; + build_cipher_suite_list(this, FALSE); + break; + case TLS_PURPOSE_EAP_TTLS: + /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */ + this->msk_label = "ttls keying material"; + build_cipher_suite_list(this, TRUE); + break; + case TLS_PURPOSE_GENERIC: + build_cipher_suite_list(this, TRUE); + break; + default: + break; + } + return &this->public; +} diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h new file mode 100644 index 000000000..f57b8f3e1 --- /dev/null +++ b/src/libtls/tls_crypto.h @@ -0,0 +1,554 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_crypto tls_crypto + * @{ @ingroup libtls + */ + +#ifndef TLS_CRYPTO_H_ +#define TLS_CRYPTO_H_ + +typedef struct tls_crypto_t tls_crypto_t; +typedef enum tls_cipher_suite_t tls_cipher_suite_t; +typedef enum tls_hash_algorithm_t tls_hash_algorithm_t; +typedef enum tls_signature_algorithm_t tls_signature_algorithm_t; +typedef enum tls_client_certificate_type_t tls_client_certificate_type_t; +typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t; +typedef enum tls_named_curve_t tls_named_curve_t; +typedef enum tls_ansi_point_format_t tls_ansi_point_format_t; +typedef enum tls_ec_point_format_t tls_ec_point_format_t; + +#include "tls.h" +#include "tls_prf.h" +#include "tls_protection.h" + +#include <library.h> + +#include <credentials/keys/private_key.h> + +/** + * TLS cipher suites + */ +enum tls_cipher_suite_t { + TLS_NULL_WITH_NULL_NULL = 0x0000, + TLS_RSA_WITH_NULL_MD5 = 0x0001, + TLS_RSA_WITH_NULL_SHA = 0x0002, + TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, + TLS_RSA_WITH_RC4_128_MD5 = 0x0004, + TLS_RSA_WITH_RC4_128_SHA = 0x0005, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, + TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, + TLS_RSA_WITH_DES_CBC_SHA = 0x0009, + TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, + TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, + TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, + TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, + TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, + TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017, + TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018, + TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019, + TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A, + TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, + + TLS_KRB5_WITH_DES_CBC_SHA = 0x001E, + TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F, + TLS_KRB5_WITH_RC4_128_SHA = 0x0020, + TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021, + TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022, + TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023, + TLS_KRB5_WITH_RC4_128_MD5 = 0x0024, + TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B, + TLS_PSK_WITH_NULL_SHA = 0x002C, + TLS_DHE_PSK_WITH_NULL_SHA = 0x002D, + TLS_RSA_PSK_WITH_NULL_SHA = 0x002E, + TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, + TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, + TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, + TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034, + TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, + TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, + TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, + TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A, + TLS_RSA_WITH_NULL_SHA256 = 0x003B, + TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, + TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, + TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E, + TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046, + + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, + TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068, + TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, + TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C, + TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D, + + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089, + TLS_PSK_WITH_RC4_128_SHA = 0x008A, + TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, + TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C, + TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D, + TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091, + TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095, + TLS_RSA_WITH_SEED_CBC_SHA = 0x0096, + TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097, + TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098, + TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099, + TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A, + TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B, + TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, + TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, + TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0, + TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, + TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, + TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, + TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6, + TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7, + TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, + TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, + TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE, + TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF, + TLS_PSK_WITH_NULL_SHA256 = 0x00B0, + TLS_PSK_WITH_NULL_SHA384 = 0x00B1, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, + TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4, + TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, + TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8, + TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5, + + TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF, + + TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005, + TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, + TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B, + TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F, + TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010, + TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, + TLS_ECDH_anon_WITH_NULL_SHA = 0xC015, + TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016, + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017, + TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018, + TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019, + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A, + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B, + TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C, + TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D, + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E, + TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F, + TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020, + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021, + TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032, + TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038, + TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039, + TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A, + TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B +}; + +/** + * Enum names for tls_cipher_suite_t + */ +extern enum_name_t *tls_cipher_suite_names; + +/** + * TLS HashAlgorithm identifiers + */ +enum tls_hash_algorithm_t { + TLS_HASH_NONE = 0, + TLS_HASH_MD5 = 1, + TLS_HASH_SHA1 = 2, + TLS_HASH_SHA224 = 3, + TLS_HASH_SHA256 = 4, + TLS_HASH_SHA384 = 5, + TLS_HASH_SHA512 = 6, +}; + +/** + * Enum names for tls_hash_algorithm_t + */ +extern enum_name_t *tls_hash_algorithm_names; + +/** + * TLS SignatureAlgorithm identifiers + */ +enum tls_signature_algorithm_t { + TLS_SIG_RSA = 1, + TLS_SIG_DSA = 2, + TLS_SIG_ECDSA = 3, +}; + +/** + * Enum names for tls_signature_algorithm_t + */ +extern enum_name_t *tls_signature_algorithm_names; + +/** + * TLS ClientCertificateType + */ +enum tls_client_certificate_type_t { + TLS_RSA_SIGN = 1, + TLS_DSA_SIGN = 2, + TLS_RSA_FIXED_DH = 3, + TLS_DSS_FIXED_DH = 4, + TLS_RSA_EPHEMERAL_DH = 5, + TLS_DSS_EPHEMERAL_DH = 6, + TLS_FORTEZZA_DMS = 20, + TLS_ECDSA_SIGN = 64, + TLS_RSA_FIXED_ECDH = 65, + TLS_ECDSA_FIXED_ECDH = 66, +}; + +/** + * Enum names for tls_client_certificate_type_t + */ +extern enum_name_t *tls_client_certificate_type_names; + +/** + * TLS EccCurveType + */ +enum tls_ecc_curve_type_t { + TLS_ECC_EXPLICIT_PRIME = 1, + TLS_ECC_EXPLICIT_CHAR2 = 2, + TLS_ECC_NAMED_CURVE = 3, +}; + +/** + * Enum names for tls_ecc_curve_type_t + */ +extern enum_name_t *tls_ecc_curve_type_names; + +/** + * TLS Named Curve identifiers + */ +enum tls_named_curve_t { + TLS_SECT163K1 = 1, + TLS_SECT163R1 = 2, + TLS_SECT163R2 = 3, + TLS_SECT193R1 = 4, + TLS_SECT193R2 = 5, + TLS_SECT233K1 = 6, + TLS_SECT233R1 = 7, + TLS_SECT239K1 = 8, + TLS_SECT283K1 = 9, + TLS_SECT283R1 = 10, + TLS_SECT409K1 = 11, + TLS_SECT409R1 = 12, + TLS_SECT571K1 = 13, + TLS_SECT571R1 = 14, + TLS_SECP160K1 = 15, + TLS_SECP160R1 = 16, + TLS_SECP160R2 = 17, + TLS_SECP192K1 = 18, + TLS_SECP192R1 = 19, + TLS_SECP224K1 = 20, + TLS_SECP224R1 = 21, + TLS_SECP256K1 = 22, + TLS_SECP256R1 = 23, + TLS_SECP384R1 = 24, + TLS_SECP521R1 = 25, +}; + +/** + * Enum names for tls_named_curve_t + */ +extern enum_name_t *tls_named_curve_names; + +/** + * EC Point format, ANSI X9.62. + */ +enum tls_ansi_point_format_t { + TLS_ANSI_COMPRESSED = 2, + TLS_ANSI_COMPRESSED_Y = 3, + TLS_ANSI_UNCOMPRESSED = 4, + TLS_ANSI_HYBRID = 6, + TLS_ANSI_HYBRID_Y = 7, +}; + +/** + * Enum names for tls_ansi_point_format_t. + */ +extern enum_name_t *tls_ansi_point_format_names; + +/** + * EC Point format, TLS specific identifiers. + */ +enum tls_ec_point_format_t { + TLS_EC_POINT_UNCOMPRESSED = 0, + TLS_EC_POINT_ANSIX962_COMPRESSED_PRIME = 1, + TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2 = 2, +}; + +/** + * Enum names for tls_ec_point_format_t. + */ +extern enum_name_t *tls_ec_point_format_names; + +/** + * TLS crypto helper functions. + */ +struct tls_crypto_t { + + /** + * Get a list of supported TLS cipher suites. + * + * @param suites list of suites, points to internal data + * @return number of suites returned + */ + int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites); + + /** + * Select and store a cipher suite from a given list of candidates. + * + * @param suites list of candidates to select from + * @param count number of suites + * @param key key type used, or KEY_ANY + * @return selected suite, 0 if none acceptable + */ + tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this, + tls_cipher_suite_t *suites, int count, + key_type_t key); + + /** + * Get the Diffie-Hellman group to use, if any. + * + * @return Diffie Hellman group, ord MODP_NONE + */ + diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this); + + /** + * Write the list of supported hash/sig algorithms to writer. + * + * @param writer writer to write supported hash/sig algorithms + */ + void (*get_signature_algorithms)(tls_crypto_t *this, tls_writer_t *writer); + + /** + * Create an enumerator over supported ECDH groups. + * + * Enumerates over (diffie_hellman_group_t, tls_named_curve_t) + * + * @return enumerator + */ + enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this); + + /** + * Set the protection layer of the TLS stack to control it. + * + * @param protection protection layer to work on + */ + void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection); + + /** + * Store exchanged handshake data, used for cryptographic operations. + * + * @param type handshake sub type + * @param data data to append to handshake buffer + */ + void (*append_handshake)(tls_crypto_t *this, + tls_handshake_type_t type, chunk_t data); + + /** + * Sign a blob of data, append signature to writer. + * + * @param key private key to use for signature + * @param writer TLS writer to write signature to + * @param data data to sign + * @param hashsig list of TLS1.2 hash/sig algorithms to select from + * @return TRUE if signature create successfully + */ + bool (*sign)(tls_crypto_t *this, private_key_t *key, + tls_writer_t *writer, chunk_t data, chunk_t hashsig); + + /** + * Verify a blob of data, read signature from a reader. + * + * @param key public key to verify signature with + * @param reader TLS reader to read signature from + * @param data data to verify signature + * @return TRUE if signature valid + */ + bool (*verify)(tls_crypto_t *this, public_key_t *key, + tls_reader_t *reader, chunk_t data); + + /** + * Create a signature of the handshake data using a given private key. + * + * @param key private key to use for signature + * @param writer TLS writer to write signature to + * @param hashsig list of TLS1.2 hash/sig algorithms to select from + * @return TRUE if signature create successfully + */ + bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key, + tls_writer_t *writer, chunk_t hashsig); + + /** + * Verify the signature over handshake data using a given public key. + * + * @param key public key to verify signature with + * @param reader TLS reader to read signature from + * @return TRUE if signature valid + */ + bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key, + tls_reader_t *reader); + + /** + * Calculate the data of a TLS finished message. + * + * @param label ASCII label to use for calculation + * @param out buffer to write finished data to + * @return TRUE if calculation successful + */ + bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]); + + /** + * Derive the master secret, MAC and encryption keys. + * + * @param premaster premaster secret + * @param client_random random data from client hello + * @param server_random random data from server hello + */ + void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster, + chunk_t client_random, chunk_t server_random); + + /** + * Change the cipher used at protection layer. + * + * @param inbound TRUE to change inbound cipher, FALSE for outbound + */ + void (*change_cipher)(tls_crypto_t *this, bool inbound); + + /** + * Derive the EAP-TLS MSK. + * + * @param client_random random data from client hello + * @param server_random random data from server hello + */ + void (*derive_eap_msk)(tls_crypto_t *this, + chunk_t client_random, chunk_t server_random); + + /** + * Get the MSK to use in EAP-TLS. + * + * @return MSK, points to internal data + */ + chunk_t (*get_eap_msk)(tls_crypto_t *this); + + /** + * Destroy a tls_crypto_t. + */ + void (*destroy)(tls_crypto_t *this); +}; + +/** + * Create a tls_crypto instance. + */ +tls_crypto_t *tls_crypto_create(tls_t *tls); + +#endif /** TLS_CRYPTO_H_ @}*/ diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c new file mode 100644 index 000000000..a8c3a5053 --- /dev/null +++ b/src/libtls/tls_eap.c @@ -0,0 +1,379 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_eap.h" + +#include "tls.h" + +#include <debug.h> +#include <library.h> + +/** Size limit for a single TLS message */ +#define MAX_TLS_MESSAGE_LEN 65536 + +typedef struct private_tls_eap_t private_tls_eap_t; + +/** + * Private data of an tls_eap_t object. + */ +struct private_tls_eap_t { + + /** + * Public tls_eap_t interface. + */ + tls_eap_t public; + + /** + * Type of EAP method, EAP-TLS, EAP-TTLS, or EAP-TNC + */ + eap_type_t type; + + /** + * TLS stack + */ + tls_t *tls; + + /** + * Role + */ + bool is_server; + + /** + * First fragment of a multi-fragment record? + */ + bool first_fragment; + + /** + * Maximum size of an outgoing EAP-TLS fragment + */ + size_t frag_size; + + /** + * Number of EAP messages/fragments processed so far + */ + int processed; + + /** + * Maximum number of processed EAP messages/fragments + */ + int max_msg_count; +}; + +/** + * Flags of an EAP-TLS/TTLS/TNC message + */ +typedef enum { + EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC */ + EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC */ + EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC */ + EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC */ +} eap_tls_flags_t; + +#define EAP_TTLS_SUPPORTED_VERSION 0 +#define EAP_TNC_SUPPORTED_VERSION 1 + +/** + * EAP-TLS/TTLS packet format + */ +typedef struct __attribute__((packed)) { + u_int8_t code; + u_int8_t identifier; + u_int16_t length; + u_int8_t type; + u_int8_t flags; +} eap_tls_packet_t; + +METHOD(tls_eap_t, initiate, status_t, + private_tls_eap_t *this, chunk_t *out) +{ + if (this->is_server) + { + eap_tls_packet_t pkt = { + .type = this->type, + .code = EAP_REQUEST, + .flags = EAP_TLS_START, + }; + switch (this->type) + { + case EAP_TTLS: + pkt.flags |= EAP_TTLS_SUPPORTED_VERSION; + break; + case EAP_TNC: + pkt.flags |= EAP_TNC_SUPPORTED_VERSION; + break; + default: + break; + } + htoun16(&pkt.length, sizeof(eap_tls_packet_t)); + do + { /* start with non-zero random identifier */ + pkt.identifier = random(); + } + while (!pkt.identifier); + + DBG2(DBG_IKE, "sending %N start packet", eap_type_names, this->type); + *out = chunk_clone(chunk_from_thing(pkt)); + return NEED_MORE; + } + return FAILED; +} + +/** + * Process a received packet + */ +static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt) +{ + u_int32_t msg_len; + u_int16_t pkt_len; + + pkt_len = untoh16(&pkt->length); + if (pkt->flags & EAP_TLS_LENGTH) + { + if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len)) + { + DBG1(DBG_TLS, "%N packet too short", eap_type_names, this->type); + return FAILED; + } + msg_len = untoh32(pkt + 1); + if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) || + msg_len > MAX_TLS_MESSAGE_LEN) + { + DBG1(DBG_TLS, "invalid %N packet length", eap_type_names, this->type); + return FAILED; + } + return this->tls->process(this->tls, (char*)(pkt + 1) + sizeof(msg_len), + pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len)); + } + return this->tls->process(this->tls, (char*)(pkt + 1), + pkt_len - sizeof(eap_tls_packet_t)); +} + +/** + * Build a packet to send + */ +static status_t build_pkt(private_tls_eap_t *this, + u_int8_t identifier, chunk_t *out) +{ + char buf[this->frag_size]; + eap_tls_packet_t *pkt; + size_t len, reclen; + status_t status; + char *kind; + + pkt = (eap_tls_packet_t*)buf; + pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE; + pkt->identifier = this->is_server ? identifier + 1 : identifier; + pkt->type = this->type; + pkt->flags = 0; + + switch (this->type) + { + case EAP_TTLS: + pkt->flags |= EAP_TTLS_SUPPORTED_VERSION; + break; + case EAP_TNC: + pkt->flags |= EAP_TNC_SUPPORTED_VERSION; + break; + default: + break; + } + + if (this->first_fragment) + { + pkt->flags |= EAP_TLS_LENGTH; + len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t); + status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) + + sizeof(u_int32_t), &len, &reclen); + } + else + { + len = sizeof(buf) - sizeof(eap_tls_packet_t); + status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t), + &len, &reclen); + } + switch (status) + { + case NEED_MORE: + pkt->flags |= EAP_TLS_MORE_FRAGS; + kind = "further fragment"; + if (this->first_fragment) + { + this->first_fragment = FALSE; + kind = "first fragment"; + } + break; + case ALREADY_DONE: + kind = "packet"; + if (!this->first_fragment) + { + this->first_fragment = TRUE; + kind = "final fragment"; + } + break; + default: + return status; + } + DBG2(DBG_TLS, "sending %N %s (%u bytes)", + eap_type_names, this->type, kind, len); + if (reclen) + { + htoun32(pkt + 1, reclen); + len += sizeof(u_int32_t); + pkt->flags |= EAP_TLS_LENGTH; + } + len += sizeof(eap_tls_packet_t); + htoun16(&pkt->length, len); + *out = chunk_clone(chunk_create(buf, len)); + return NEED_MORE; +} + +/** + * Send an ack to request next fragment + */ +static chunk_t create_ack(private_tls_eap_t *this, u_int8_t identifier) +{ + eap_tls_packet_t pkt = { + .code = this->is_server ? EAP_REQUEST : EAP_RESPONSE, + .identifier = this->is_server ? identifier + 1 : identifier, + .type = this->type, + }; + htoun16(&pkt.length, sizeof(pkt)); + switch (this->type) + { + case EAP_TTLS: + pkt.flags |= EAP_TTLS_SUPPORTED_VERSION; + break; + case EAP_TNC: + pkt.flags |= EAP_TNC_SUPPORTED_VERSION; + break; + default: + break; + } + DBG2(DBG_TLS, "sending %N acknowledgement packet", + eap_type_names, this->type); + return chunk_clone(chunk_from_thing(pkt)); +} + +METHOD(tls_eap_t, process, status_t, + private_tls_eap_t *this, chunk_t in, chunk_t *out) +{ + eap_tls_packet_t *pkt; + status_t status; + + if (++this->processed > this->max_msg_count) + { + DBG1(DBG_IKE, "%N packet count exceeded (%d > %d)", + eap_type_names, this->type, + this->processed, this->max_msg_count); + return FAILED; + } + + pkt = (eap_tls_packet_t*)in.ptr; + if (in.len < sizeof(eap_tls_packet_t) || + untoh16(&pkt->length) != in.len) + { + DBG1(DBG_IKE, "invalid %N packet length", + eap_type_names, this->type); + return FAILED; + } + if (pkt->flags & EAP_TLS_START) + { + if (this->type == EAP_TTLS || this->type == EAP_TNC) + { + DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type, + pkt->flags & EAP_TTLS_VERSION); + } + } + else + { + if (in.len == sizeof(eap_tls_packet_t)) + { + DBG2(DBG_TLS, "received %N acknowledgement packet", + eap_type_names, this->type); + status = build_pkt(this, pkt->identifier, out); + if (status == INVALID_STATE && + this->tls->is_complete(this->tls)) + { + return SUCCESS; + } + return status; + } + status = process_pkt(this, pkt); + if (status != NEED_MORE) + { + return status; + } + } + status = build_pkt(this, pkt->identifier, out); + switch (status) + { + case INVALID_STATE: + *out = create_ack(this, pkt->identifier); + return NEED_MORE; + case FAILED: + if (!this->is_server) + { + *out = create_ack(this, pkt->identifier); + return NEED_MORE; + } + return FAILED; + default: + return status; + } +} + +METHOD(tls_eap_t, get_msk, chunk_t, + private_tls_eap_t *this) +{ + return this->tls->get_eap_msk(this->tls); +} + +METHOD(tls_eap_t, destroy, void, + private_tls_eap_t *this) +{ + this->tls->destroy(this->tls); + free(this); +} + +/** + * See header + */ +tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size, + int max_msg_count) +{ + private_tls_eap_t *this; + + if (!tls) + { + return NULL; + } + + INIT(this, + .public = { + .initiate = _initiate, + .process = _process, + .get_msk = _get_msk, + .destroy = _destroy, + }, + .type = type, + .is_server = tls->is_server(tls), + .first_fragment = TRUE, + .frag_size = frag_size, + .max_msg_count = max_msg_count, + .tls = tls, + ); + + return &this->public; +} diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h new file mode 100644 index 000000000..ebda2636d --- /dev/null +++ b/src/libtls/tls_eap.h @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_eap tls_eap + * @{ @ingroup libtls + */ + +#ifndef TLS_EAP_H_ +#define TLS_EAP_H_ + +typedef struct tls_eap_t tls_eap_t; + +#include <eap/eap.h> + +#include "tls.h" + +/** + * TLS over EAP helper, as used by EAP-TLS and EAP-TTLS. + */ +struct tls_eap_t { + + /** + * Initiate TLS/TTLS/TNC over EAP exchange (as client). + * + * @param out allocated EAP packet data to send + * @return + * - NEED_MORE if more exchanges required + * - FAILED if initiation failed + */ + status_t (*initiate)(tls_eap_t *this, chunk_t *out); + + /** + * Process a received EAP-TLS/TTLS/TNC packet, create response. + * + * @param in EAP packet data to process + * @param out allocated EAP packet data to send + * @return + * - SUCCESS if TLS negotiation completed + * - FAILED if TLS negotiation failed + * - NEED_MORE if more exchanges required + */ + status_t (*process)(tls_eap_t *this, chunk_t in, chunk_t *out); + + /** + * Get the EAP-MSK. + * + * @return MSK + */ + chunk_t (*get_msk)(tls_eap_t *this); + + /** + * Destroy a tls_eap_t. + */ + void (*destroy)(tls_eap_t *this); +}; + +/** + * Create a tls_eap instance. + * + * @param type EAP type, EAP-TLS or EAP-TTLS + * @param tls TLS implementation + * @param frag_size maximum size of a TLS fragment we send + * @param max_msg_count maximum number of processed messages + */ +tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size, + int max_msg_count); + +#endif /** TLS_EAP_H_ @}*/ diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c new file mode 100644 index 000000000..5a598cfc4 --- /dev/null +++ b/src/libtls/tls_fragmentation.c @@ -0,0 +1,471 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_fragmentation.h" + +#include "tls_reader.h" + +#include <debug.h> + +typedef struct private_tls_fragmentation_t private_tls_fragmentation_t; + +/** + * Alert state + */ +typedef enum { + /* no alert received/sent */ + ALERT_NONE, + /* currently sending an alert */ + ALERT_SENDING, + /* alert sent and out */ + ALERT_SENT, +} alert_state_t; + +/** + * Private data of an tls_fragmentation_t object. + */ +struct private_tls_fragmentation_t { + + /** + * Public tls_fragmentation_t interface. + */ + tls_fragmentation_t public; + + /** + * Upper layer handshake protocol + */ + tls_handshake_t *handshake; + + /** + * TLS alert handler + */ + tls_alert_t *alert; + + /** + * State of alert handling + */ + alert_state_t state; + + /** + * Did the application layer complete successfully? + */ + bool application_finished; + + /** + * Handshake input buffer + */ + chunk_t input; + + /** + * Position in input buffer + */ + size_t inpos; + + /** + * Currently processed handshake message type + */ + tls_handshake_type_t type; + + /** + * Handshake output buffer + */ + chunk_t output; + + /** + * Type of data in output buffer + */ + tls_content_type_t output_type; + + /** + * Upper layer application data protocol + */ + tls_application_t *application; +}; + +/** + * Maximum size of a TLS fragment + */ +#define MAX_TLS_FRAGMENT_LEN 16384 + +/** + * Maximum size of a TLS handshake message we accept + */ +#define MAX_TLS_HANDSHAKE_LEN 65536 + +/** + * Process a TLS alert + */ +static status_t process_alert(private_tls_fragmentation_t *this, + tls_reader_t *reader) +{ + u_int8_t level, description; + + if (!reader->read_uint8(reader, &level) || + !reader->read_uint8(reader, &description)) + { + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + return this->alert->process(this->alert, level, description); +} + +/** + * Process TLS handshake protocol data + */ +static status_t process_handshake(private_tls_fragmentation_t *this, + tls_reader_t *reader) +{ + while (reader->remaining(reader)) + { + tls_reader_t *msg; + u_int8_t type; + u_int32_t len; + status_t status; + chunk_t data; + + if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN) + { + DBG1(DBG_TLS, "TLS fragment has invalid length"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + if (this->input.len == 0) + { /* new handshake message */ + if (!reader->read_uint8(reader, &type) || + !reader->read_uint24(reader, &len)) + { + DBG1(DBG_TLS, "TLS handshake header invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + this->type = type; + if (len > MAX_TLS_HANDSHAKE_LEN) + { + DBG1(DBG_TLS, "TLS handshake exceeds maximum length"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + chunk_free(&this->input); + this->inpos = 0; + if (len) + { + this->input = chunk_alloc(len); + } + } + + len = min(this->input.len - this->inpos, reader->remaining(reader)); + if (!reader->read_data(reader, len, &data)) + { + DBG1(DBG_TLS, "TLS fragment has invalid length"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + memcpy(this->input.ptr + this->inpos, data.ptr, len); + this->inpos += len; + + if (this->input.len == this->inpos) + { /* message completely defragmented, process */ + msg = tls_reader_create(this->input); + DBG2(DBG_TLS, "received TLS %N handshake (%u bytes)", + tls_handshake_type_names, this->type, this->input.len); + status = this->handshake->process(this->handshake, this->type, msg); + msg->destroy(msg); + chunk_free(&this->input); + if (status != NEED_MORE) + { + return status; + } + } + if (this->alert->fatal(this->alert)) + { + break; + } + } + return NEED_MORE; +} + +/** + * Process TLS application data + */ +static status_t process_application(private_tls_fragmentation_t *this, + tls_reader_t *reader) +{ + while (reader->remaining(reader)) + { + status_t status; + + if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN) + { + DBG1(DBG_TLS, "TLS fragment has invalid length"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + status = this->application->process(this->application, reader); + switch (status) + { + case NEED_MORE: + continue; + case SUCCESS: + this->application_finished = TRUE; + return SUCCESS; + case FAILED: + default: + this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY); + return NEED_MORE; + } + } + return NEED_MORE; +} + +METHOD(tls_fragmentation_t, process, status_t, + private_tls_fragmentation_t *this, tls_content_type_t type, chunk_t data) +{ + tls_reader_t *reader; + status_t status; + + switch (this->state) + { + case ALERT_SENDING: + case ALERT_SENT: + /* don't accept more input, fatal error ocurred */ + return NEED_MORE; + case ALERT_NONE: + break; + } + reader = tls_reader_create(data); + switch (type) + { + case TLS_CHANGE_CIPHER_SPEC: + if (this->handshake->change_cipherspec(this->handshake)) + { + status = NEED_MORE; + break; + } + status = FAILED; + break; + case TLS_ALERT: + status = process_alert(this, reader); + break; + case TLS_HANDSHAKE: + status = process_handshake(this, reader); + break; + case TLS_APPLICATION_DATA: + status = process_application(this, reader); + break; + default: + DBG1(DBG_TLS, "received unknown TLS content type %d, ignored", type); + status = NEED_MORE; + break; + } + reader->destroy(reader); + return status; +} + +/** + * Check if alerts are pending + */ +static bool check_alerts(private_tls_fragmentation_t *this, chunk_t *data) +{ + tls_alert_level_t level; + tls_alert_desc_t desc; + tls_writer_t *writer; + + if (this->alert->get(this->alert, &level, &desc)) + { + writer = tls_writer_create(2); + + writer->write_uint8(writer, level); + writer->write_uint8(writer, desc); + + *data = chunk_clone(writer->get_buf(writer)); + writer->destroy(writer); + return TRUE; + } + return FALSE; +} + +/** + * Build hanshake message + */ +static status_t build_handshake(private_tls_fragmentation_t *this) +{ + tls_writer_t *hs, *msg; + tls_handshake_type_t type; + status_t status; + + msg = tls_writer_create(64); + while (TRUE) + { + hs = tls_writer_create(64); + status = this->handshake->build(this->handshake, &type, hs); + switch (status) + { + case NEED_MORE: + if (this->alert->fatal(this->alert)) + { + break; + } + msg->write_uint8(msg, type); + msg->write_data24(msg, hs->get_buf(hs)); + DBG2(DBG_TLS, "sending TLS %N handshake (%u bytes)", + tls_handshake_type_names, type, hs->get_buf(hs).len); + hs->destroy(hs); + continue; + case INVALID_STATE: + this->output_type = TLS_HANDSHAKE; + this->output = chunk_clone(msg->get_buf(msg)); + break; + default: + break; + } + hs->destroy(hs); + break; + } + msg->destroy(msg); + return status; +} + +/** + * Build TLS application data + */ +static status_t build_application(private_tls_fragmentation_t *this) +{ + tls_writer_t *msg; + status_t status; + + msg = tls_writer_create(64); + while (TRUE) + { + status = this->application->build(this->application, msg); + switch (status) + { + case NEED_MORE: + continue; + case INVALID_STATE: + this->output_type = TLS_APPLICATION_DATA; + this->output = chunk_clone(msg->get_buf(msg)); + break; + case SUCCESS: + this->application_finished = TRUE; + break; + case FAILED: + default: + this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY); + break; + } + break; + } + msg->destroy(msg); + return status; +} + +METHOD(tls_fragmentation_t, build, status_t, + private_tls_fragmentation_t *this, tls_content_type_t *type, chunk_t *data) +{ + status_t status = INVALID_STATE; + + switch (this->state) + { + case ALERT_SENDING: + this->state = ALERT_SENT; + return INVALID_STATE; + case ALERT_SENT: + return FAILED; + case ALERT_NONE: + break; + } + if (check_alerts(this, data)) + { + this->state = ALERT_SENDING; + *type = TLS_ALERT; + return NEED_MORE; + } + if (!this->output.len) + { + if (this->handshake->cipherspec_changed(this->handshake)) + { + *type = TLS_CHANGE_CIPHER_SPEC; + *data = chunk_clone(chunk_from_chars(0x01)); + return NEED_MORE; + } + if (!this->handshake->finished(this->handshake)) + { + status = build_handshake(this); + } + else if (this->application) + { + status = build_application(this); + } + if (check_alerts(this, data)) + { + this->state = ALERT_SENDING; + *type = TLS_ALERT; + return NEED_MORE; + } + } + if (this->output.len) + { + *type = this->output_type; + if (this->output.len <= MAX_TLS_FRAGMENT_LEN) + { + *data = this->output; + this->output = chunk_empty; + return NEED_MORE; + } + *data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN); + this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN)); + return NEED_MORE; + } + return status; +} + +METHOD(tls_fragmentation_t, application_finished, bool, + private_tls_fragmentation_t *this) +{ + return this->application_finished; +} + +METHOD(tls_fragmentation_t, destroy, void, + private_tls_fragmentation_t *this) +{ + free(this->input.ptr); + free(this->output.ptr); + free(this); +} + +/** + * See header + */ +tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake, + tls_alert_t *alert, tls_application_t *application) +{ + private_tls_fragmentation_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .application_finished = _application_finished, + .destroy = _destroy, + }, + .handshake = handshake, + .alert = alert, + .state = ALERT_NONE, + .application = application, + ); + + return &this->public; +} diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h new file mode 100644 index 000000000..d80278916 --- /dev/null +++ b/src/libtls/tls_fragmentation.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_fragmentation tls_fragmentation + * @{ @ingroup libtls + */ + +#ifndef TLS_FRAGMENTATION_H_ +#define TLS_FRAGMENTATION_H_ + +#include <library.h> + +#include "tls.h" +#include "tls_alert.h" +#include "tls_handshake.h" + +typedef struct tls_fragmentation_t tls_fragmentation_t; + +/** + * TLS record protocol fragmentation layer. + */ +struct tls_fragmentation_t { + + /** + * Process a fragmented TLS record, pass it to upper layers. + * + * @param type type of the TLS record to process + * @param data associated TLS record data + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if more invocations to process/build needed + */ + status_t (*process)(tls_fragmentation_t *this, + tls_content_type_t type, chunk_t data); + + /** + * Query upper layer for TLS messages, build fragmented records. + * + * @param type type of the built TLS record + * @param data allocated data of the built TLS record + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if upper layers have more records to send + * - INVALID_STATE if more input records required + */ + status_t (*build)(tls_fragmentation_t *this, + tls_content_type_t *type, chunk_t *data); + + /** + * Has the application layer finished (returned SUCCESS)?. + * + * @return TRUE if application layer finished + */ + bool (*application_finished)(tls_fragmentation_t *this); + + /** + * Destroy a tls_fragmentation_t. + */ + void (*destroy)(tls_fragmentation_t *this); +}; + +/** + * Create a tls_fragmentation instance. + * + * @param handshake upper layer handshake protocol + * @param alert TLS alert handler + * @param application upper layer application data or NULL + * @return TLS fragmentation layer + */ +tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake, + tls_alert_t *alert, tls_application_t *application); + +#endif /** TLS_FRAGMENTATION_H_ @}*/ diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h new file mode 100644 index 000000000..6703b341b --- /dev/null +++ b/src/libtls/tls_handshake.h @@ -0,0 +1,90 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_handshake tls_handshake + * @{ @ingroup libtls + */ + +#ifndef TLS_HANDSHAKE_H_ +#define TLS_HANDSHAKE_H_ + +typedef struct tls_handshake_t tls_handshake_t; + +#include "tls.h" +#include "tls_reader.h" +#include "tls_writer.h" + +/** + * TLS handshake state machine interface. + */ +struct tls_handshake_t { + + /** + * Process received TLS handshake message. + * + * @param type TLS handshake message type + * @param reader TLS data buffer + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if a fatal TLS alert queued + * - NEED_MORE if more invocations to process/build needed + * - DESTROY_ME if a fatal TLS alert received + */ + status_t (*process)(tls_handshake_t *this, + tls_handshake_type_t type, tls_reader_t *reader); + + /** + * Build TLS handshake messages to send out. + * + * @param type type of created handshake message + * @param writer TLS data buffer to write to + * @return + * - SUCCESS if handshake complete + * - FAILED if handshake failed + * - NEED_MORE if more messages ready for delivery + * - INVALID_STATE if more input to process() required + */ + status_t (*build)(tls_handshake_t *this, + tls_handshake_type_t *type, tls_writer_t *writer); + + /** + * Check if the cipher spec for outgoing messages has changed. + * + * @return TRUE if cipher spec changed + */ + bool (*cipherspec_changed)(tls_handshake_t *this); + + /** + * Change the cipher spec for incoming messages. + * + * @return TRUE if cipher spec changed + */ + bool (*change_cipherspec)(tls_handshake_t *this); + + /** + * Check if the finished message was decoded successfully. + * + * @return TRUE if finished message was decoded successfully + */ + bool (*finished)(tls_handshake_t *this); + + /** + * Destroy a tls_handshake_t. + */ + void (*destroy)(tls_handshake_t *this); +}; + +#endif /** TLS_HANDSHAKE_H_ @}*/ diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c new file mode 100644 index 000000000..c1fd33eea --- /dev/null +++ b/src/libtls/tls_peer.c @@ -0,0 +1,1099 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_peer.h" + +#include <debug.h> +#include <credentials/certificates/x509.h> + +#include <time.h> + +typedef struct private_tls_peer_t private_tls_peer_t; + +typedef enum { + STATE_INIT, + STATE_HELLO_SENT, + STATE_HELLO_RECEIVED, + STATE_HELLO_DONE, + STATE_CERT_SENT, + STATE_CERT_RECEIVED, + STATE_KEY_EXCHANGE_RECEIVED, + STATE_CERTREQ_RECEIVED, + STATE_KEY_EXCHANGE_SENT, + STATE_VERIFY_SENT, + STATE_CIPHERSPEC_CHANGED_OUT, + STATE_FINISHED_SENT, + STATE_CIPHERSPEC_CHANGED_IN, + STATE_COMPLETE, +} peer_state_t; + +/** + * Private data of an tls_peer_t object. + */ +struct private_tls_peer_t { + + /** + * Public tls_peer_t interface. + */ + tls_peer_t public; + + /** + * TLS stack + */ + tls_t *tls; + + /** + * TLS crypto context + */ + tls_crypto_t *crypto; + + /** + * TLS alert handler + */ + tls_alert_t *alert; + + /** + * Peer identity, NULL for no client authentication + */ + identification_t *peer; + + /** + * Server identity + */ + identification_t *server; + + /** + * State we are in + */ + peer_state_t state; + + /** + * Hello random data selected by client + */ + char client_random[32]; + + /** + * Hello random data selected by server + */ + char server_random[32]; + + /** + * Auth helper for peer authentication + */ + auth_cfg_t *peer_auth; + + /** + * Auth helper for server authentication + */ + auth_cfg_t *server_auth; + + /** + * Peer private key + */ + private_key_t *private; + + /** + * DHE exchange + */ + diffie_hellman_t *dh; + + /** + * List of server-supported hashsig algorithms + */ + chunk_t hashsig; + + /** + * List of server-supported client certificate types + */ + chunk_t cert_types; +}; + +/** + * Process a server hello message + */ +static status_t process_server_hello(private_tls_peer_t *this, + tls_reader_t *reader) +{ + u_int8_t compression; + u_int16_t version, cipher; + chunk_t random, session, ext = chunk_empty; + tls_cipher_suite_t suite; + + this->crypto->append_handshake(this->crypto, + TLS_SERVER_HELLO, reader->peek(reader)); + + if (!reader->read_uint16(reader, &version) || + !reader->read_data(reader, sizeof(this->server_random), &random) || + !reader->read_data8(reader, &session) || + !reader->read_uint16(reader, &cipher) || + !reader->read_uint8(reader, &compression) || + (reader->remaining(reader) && !reader->read_data16(reader, &ext))) + { + DBG1(DBG_TLS, "received invalid ServerHello"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + memcpy(this->server_random, random.ptr, sizeof(this->server_random)); + + if (!this->tls->set_version(this->tls, version)) + { + DBG1(DBG_TLS, "negotiated version %N not supported", + tls_version_names, version); + this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION); + return NEED_MORE; + } + suite = cipher; + if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY)) + { + DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable", + tls_cipher_suite_names, suite); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + DBG1(DBG_TLS, "negotiated TLS version %N with suite %N", + tls_version_names, version, tls_cipher_suite_names, suite); + this->state = STATE_HELLO_RECEIVED; + return NEED_MORE; +} + +/** + * Check if a server certificate is acceptable for the given server identity + */ +static bool check_certificate(private_tls_peer_t *this, certificate_t *cert) +{ + identification_t *id; + + if (cert->has_subject(cert, this->server)) + { + return TRUE; + } + id = cert->get_subject(cert); + if (id->matches(id, this->server)) + { + return TRUE; + } + if (cert->get_type(cert) == CERT_X509) + { + x509_t *x509 = (x509_t*)cert; + enumerator_t *enumerator; + + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (id->matches(id, this->server)) + { + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + } + DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server); + return FALSE; +} + +/** + * Process a Certificate message + */ +static status_t process_certificate(private_tls_peer_t *this, + tls_reader_t *reader) +{ + certificate_t *cert; + tls_reader_t *certs; + chunk_t data; + bool first = TRUE; + + this->crypto->append_handshake(this->crypto, + TLS_CERTIFICATE, reader->peek(reader)); + + if (!reader->read_data24(reader, &data)) + { + DBG1(DBG_TLS, "certificate message header invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + certs = tls_reader_create(data); + while (certs->remaining(certs)) + { + if (!certs->read_data24(certs, &data)) + { + DBG1(DBG_TLS, "certificate message invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + certs->destroy(certs); + return NEED_MORE; + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, data, BUILD_END); + if (cert) + { + if (first) + { + if (!check_certificate(this, cert)) + { + cert->destroy(cert); + certs->destroy(certs); + this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED); + return NEED_MORE; + } + this->server_auth->add(this->server_auth, + AUTH_HELPER_SUBJECT_CERT, cert); + DBG1(DBG_TLS, "received TLS server certificate '%Y'", + cert->get_subject(cert)); + first = FALSE; + } + else + { + DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'", + cert->get_subject(cert)); + this->server_auth->add(this->server_auth, + AUTH_HELPER_IM_CERT, cert); + } + } + else + { + DBG1(DBG_TLS, "parsing TLS certificate failed, skipped"); + this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE); + } + } + certs->destroy(certs); + this->state = STATE_CERT_RECEIVED; + return NEED_MORE; +} + +/** + * Find a trusted public key to encrypt/verify key exchange data + */ +static public_key_t *find_public_key(private_tls_peer_t *this) +{ + public_key_t *public = NULL, *current; + certificate_t *cert; + enumerator_t *enumerator; + auth_cfg_t *auth; + + cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT); + if (cert) + { + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + KEY_ANY, cert->get_subject(cert), this->server_auth); + while (enumerator->enumerate(enumerator, ¤t, &auth)) + { + public = current->get_ref(current); + break; + } + enumerator->destroy(enumerator); + } + return public; +} + +/** + * Process a Key Exchange message using MODP Diffie Hellman + */ +static status_t process_modp_key_exchange(private_tls_peer_t *this, + tls_reader_t *reader) +{ + chunk_t prime, generator, pub, chunk; + public_key_t *public; + + chunk = reader->peek(reader); + if (!reader->read_data16(reader, &prime) || + !reader->read_data16(reader, &generator) || + !reader->read_data16(reader, &pub)) + { + DBG1(DBG_TLS, "received invalid Server Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + public = find_public_key(this); + if (!public) + { + DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server); + this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN); + return NEED_MORE; + } + + chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len; + chunk = chunk_cat("ccc", chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random), chunk); + if (!this->crypto->verify(this->crypto, public, reader, chunk)) + { + public->destroy(public); + free(chunk.ptr); + DBG1(DBG_TLS, "verifying DH parameters failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE); + return NEED_MORE; + } + public->destroy(public); + free(chunk.ptr); + + this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM, + generator, prime); + if (!this->dh) + { + DBG1(DBG_TLS, "custom DH parameters not supported"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + this->dh->set_other_public_value(this->dh, pub); + + this->state = STATE_KEY_EXCHANGE_RECEIVED; + return NEED_MORE; +} + +/** + * Get the EC group for a TLS named curve + */ +static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this, + tls_named_curve_t curve) +{ + diffie_hellman_group_t group; + tls_named_curve_t current; + enumerator_t *enumerator; + + enumerator = this->crypto->create_ec_enumerator(this->crypto); + while (enumerator->enumerate(enumerator, &group, ¤t)) + { + if (current == curve) + { + enumerator->destroy(enumerator); + return group; + } + } + enumerator->destroy(enumerator); + return 0; +} + +/** + * Process a Key Exchange message using EC Diffie Hellman + */ +static status_t process_ec_key_exchange(private_tls_peer_t *this, + tls_reader_t *reader) +{ + diffie_hellman_group_t group; + public_key_t *public; + u_int8_t type; + u_int16_t curve; + chunk_t pub, chunk; + + chunk = reader->peek(reader); + if (!reader->read_uint8(reader, &type)) + { + DBG1(DBG_TLS, "received invalid Server Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + if (type != TLS_ECC_NAMED_CURVE) + { + DBG1(DBG_TLS, "ECDH curve type %N not supported", + tls_ecc_curve_type_names, type); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + if (!reader->read_uint16(reader, &curve) || + !reader->read_data8(reader, &pub) || pub.len == 0) + { + DBG1(DBG_TLS, "received invalid Server Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + group = curve_to_ec_group(this, curve); + if (!group) + { + DBG1(DBG_TLS, "ECDH curve %N not supported", + tls_named_curve_names, curve); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + + public = find_public_key(this); + if (!public) + { + DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server); + this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN); + return NEED_MORE; + } + + chunk.len = 4 + pub.len; + chunk = chunk_cat("ccc", chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random), chunk); + if (!this->crypto->verify(this->crypto, public, reader, chunk)) + { + public->destroy(public); + free(chunk.ptr); + DBG1(DBG_TLS, "verifying DH parameters failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE); + return NEED_MORE; + } + public->destroy(public); + free(chunk.ptr); + + this->dh = lib->crypto->create_dh(lib->crypto, group); + if (!this->dh) + { + DBG1(DBG_TLS, "DH group %N not supported", + diffie_hellman_group_names, group); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + + if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED) + { + DBG1(DBG_TLS, "DH point format '%N' not supported", + tls_ansi_point_format_names, pub.ptr[0]); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)); + + this->state = STATE_KEY_EXCHANGE_RECEIVED; + return NEED_MORE; +} + +/** + * Process a Server Key Exchange + */ +static status_t process_key_exchange(private_tls_peer_t *this, + tls_reader_t *reader) +{ + diffie_hellman_group_t group; + + this->crypto->append_handshake(this->crypto, + TLS_SERVER_KEY_EXCHANGE, reader->peek(reader)); + + group = this->crypto->get_dh_group(this->crypto); + if (group == MODP_NONE) + { + DBG1(DBG_TLS, "received Server Key Exchange, but not required " + "for current suite"); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + if (diffie_hellman_group_is_ec(group)) + { + return process_ec_key_exchange(this, reader); + } + return process_modp_key_exchange(this, reader); +} + +/** + * Process a Certificate Request message + */ +static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader) +{ + chunk_t types, hashsig, data; + tls_reader_t *authorities; + identification_t *id; + certificate_t *cert; + + if (!this->peer) + { + DBG1(DBG_TLS, "server requested a certificate, but client " + "authentication disabled"); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + this->crypto->append_handshake(this->crypto, + TLS_CERTIFICATE_REQUEST, reader->peek(reader)); + + if (!reader->read_data8(reader, &types)) + { + DBG1(DBG_TLS, "certreq message header invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + this->cert_types = chunk_clone(types); + if (this->tls->get_version(this->tls) >= TLS_1_2) + { + if (!reader->read_data16(reader, &hashsig)) + { + DBG1(DBG_TLS, "certreq message invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + this->hashsig = chunk_clone(hashsig); + } + if (!reader->read_data16(reader, &data)) + { + DBG1(DBG_TLS, "certreq message invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + authorities = tls_reader_create(data); + while (authorities->remaining(authorities)) + { + if (!authorities->read_data16(authorities, &data)) + { + DBG1(DBG_TLS, "certreq message invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + authorities->destroy(authorities); + return NEED_MORE; + } + id = identification_create_from_encoding(ID_DER_ASN1_DN, data); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, TRUE); + if (cert) + { + DBG1(DBG_TLS, "received TLS cert request for '%Y", id); + this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert); + } + else + { + DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id); + } + id->destroy(id); + } + authorities->destroy(authorities); + this->state = STATE_CERTREQ_RECEIVED; + return NEED_MORE; +} + +/** + * Process Hello Done message + */ +static status_t process_hello_done(private_tls_peer_t *this, + tls_reader_t *reader) +{ + this->crypto->append_handshake(this->crypto, + TLS_SERVER_HELLO_DONE, reader->peek(reader)); + this->state = STATE_HELLO_DONE; + return NEED_MORE; +} + +/** + * Process finished message + */ +static status_t process_finished(private_tls_peer_t *this, tls_reader_t *reader) +{ + chunk_t received; + char buf[12]; + + if (!reader->read_data(reader, sizeof(buf), &received)) + { + DBG1(DBG_TLS, "received server finished too short"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + if (!this->crypto->calculate_finished(this->crypto, "server finished", buf)) + { + DBG1(DBG_TLS, "calculating server finished failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + if (!chunk_equals(received, chunk_from_thing(buf))) + { + DBG1(DBG_TLS, "received server finished invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR); + return NEED_MORE; + } + this->state = STATE_COMPLETE; + this->crypto->derive_eap_msk(this->crypto, + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + return NEED_MORE; +} + +METHOD(tls_handshake_t, process, status_t, + private_tls_peer_t *this, tls_handshake_type_t type, tls_reader_t *reader) +{ + tls_handshake_type_t expected; + + switch (this->state) + { + case STATE_HELLO_SENT: + if (type == TLS_SERVER_HELLO) + { + return process_server_hello(this, reader); + } + expected = TLS_SERVER_HELLO; + break; + case STATE_HELLO_RECEIVED: + if (type == TLS_CERTIFICATE) + { + return process_certificate(this, reader); + } + expected = TLS_CERTIFICATE; + break; + case STATE_CERT_RECEIVED: + if (type == TLS_SERVER_KEY_EXCHANGE) + { + return process_key_exchange(this, reader); + } + /* fall through since TLS_SERVER_KEY_EXCHANGE is optional */ + case STATE_KEY_EXCHANGE_RECEIVED: + if (type == TLS_CERTIFICATE_REQUEST) + { + return process_certreq(this, reader); + } + this->peer = NULL; + /* fall through since TLS_CERTIFICATE_REQUEST is optional */ + case STATE_CERTREQ_RECEIVED: + if (type == TLS_SERVER_HELLO_DONE) + { + return process_hello_done(this, reader); + } + expected = TLS_SERVER_HELLO_DONE; + break; + case STATE_CIPHERSPEC_CHANGED_IN: + if (type == TLS_FINISHED) + { + return process_finished(this, reader); + } + expected = TLS_FINISHED; + break; + default: + DBG1(DBG_TLS, "TLS %N not expected in current state", + tls_handshake_type_names, type); + this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE); + return NEED_MORE; + } + DBG1(DBG_TLS, "TLS %N expected, but received %N", + tls_handshake_type_names, expected, tls_handshake_type_names, type); + this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE); + return NEED_MORE; +} + +/** + * Send a client hello + */ +static status_t send_client_hello(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + tls_cipher_suite_t *suites; + tls_writer_t *extensions, *curves = NULL; + tls_version_t version; + tls_named_curve_t curve; + enumerator_t *enumerator; + int count, i; + rng_t *rng; + + htoun32(&this->client_random, time(NULL)); + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_TLS, "no suitable RNG found to generate client random"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4); + rng->destroy(rng); + + /* TLS version */ + version = this->tls->get_version(this->tls); + writer->write_uint16(writer, version); + writer->write_data(writer, chunk_from_thing(this->client_random)); + + /* session identifier => none */ + writer->write_data8(writer, chunk_empty); + + /* add TLS cipher suites */ + count = this->crypto->get_cipher_suites(this->crypto, &suites); + writer->write_uint16(writer, count * 2); + for (i = 0; i < count; i++) + { + writer->write_uint16(writer, suites[i]); + } + + /* NULL compression only */ + writer->write_uint8(writer, 1); + writer->write_uint8(writer, 0); + + extensions = tls_writer_create(32); + + extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS); + this->crypto->get_signature_algorithms(this->crypto, extensions); + + /* add supported Elliptic Curves, if any */ + enumerator = this->crypto->create_ec_enumerator(this->crypto); + while (enumerator->enumerate(enumerator, NULL, &curve)) + { + if (!curves) + { + extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES); + curves = tls_writer_create(16); + } + curves->write_uint16(curves, curve); + } + enumerator->destroy(enumerator); + if (curves) + { + extensions->write_data16(extensions, curves->get_buf(curves)); + curves->destroy(curves); + + /* if we support curves, add point format extension */ + extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS); + extensions->write_uint16(extensions, 2); + extensions->write_uint8(extensions, 1); + extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED); + } + + writer->write_data16(writer, extensions->get_buf(extensions)); + extensions->destroy(extensions); + + *type = TLS_CLIENT_HELLO; + this->state = STATE_HELLO_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Find a private key suitable to sign Certificate Verify + */ +static private_key_t *find_private_key(private_tls_peer_t *this) +{ + private_key_t *key = NULL; + tls_reader_t *reader; + key_type_t type; + u_int8_t cert; + + if (!this->peer) + { + return NULL; + } + reader = tls_reader_create(this->cert_types); + while (reader->remaining(reader) && reader->read_uint8(reader, &cert)) + { + switch (cert) + { + case TLS_RSA_SIGN: + type = KEY_RSA; + break; + case TLS_ECDSA_SIGN: + type = KEY_ECDSA; + break; + default: + continue; + } + key = lib->credmgr->get_private(lib->credmgr, type, + this->peer, this->peer_auth); + if (key) + { + break; + } + } + reader->destroy(reader); + return key; +} + +/** + * Send Certificate + */ +static status_t send_certificate(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + enumerator_t *enumerator; + certificate_t *cert; + auth_rule_t rule; + tls_writer_t *certs; + chunk_t data; + + this->private = find_private_key(this); + if (!this->private) + { + DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + + /* generate certificate payload */ + certs = tls_writer_create(256); + cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + if (cert->get_encoding(cert, CERT_ASN1_DER, &data)) + { + DBG1(DBG_TLS, "sending TLS peer certificate '%Y'", + cert->get_subject(cert)); + certs->write_data24(certs, data); + free(data.ptr); + } + } + enumerator = this->peer_auth->create_enumerator(this->peer_auth); + while (enumerator->enumerate(enumerator, &rule, &cert)) + { + if (rule == AUTH_RULE_IM_CERT) + { + if (cert->get_encoding(cert, CERT_ASN1_DER, &data)) + { + DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'", + cert->get_subject(cert)); + certs->write_data24(certs, data); + free(data.ptr); + } + } + } + enumerator->destroy(enumerator); + + writer->write_data24(writer, certs->get_buf(certs)); + certs->destroy(certs); + + *type = TLS_CERTIFICATE; + this->state = STATE_CERT_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send client key exchange, using premaster encryption + */ +static status_t send_key_exchange_encrypt(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + public_key_t *public; + rng_t *rng; + char premaster[48]; + chunk_t encrypted; + + rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (!rng) + { + DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2); + rng->destroy(rng); + htoun16(premaster, TLS_1_2); + + this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster), + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + + public = find_public_key(this); + if (!public) + { + DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server); + this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN); + return NEED_MORE; + } + if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, + chunk_from_thing(premaster), &encrypted)) + { + public->destroy(public); + DBG1(DBG_TLS, "encrypting TLS premaster secret failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE); + return NEED_MORE; + } + public->destroy(public); + + writer->write_data16(writer, encrypted); + free(encrypted.ptr); + + *type = TLS_CLIENT_KEY_EXCHANGE; + this->state = STATE_KEY_EXCHANGE_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send client key exchange, using DHE exchange + */ +static status_t send_key_exchange_dhe(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + chunk_t premaster, pub; + + if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS) + { + DBG1(DBG_TLS, "calculating premaster from DH failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + this->crypto->derive_secrets(this->crypto, premaster, + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + chunk_clear(&premaster); + + this->dh->get_my_public_value(this->dh, &pub); + if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM) + { + writer->write_data16(writer, pub); + } + else + { /* ECP uses 8bit length header only, but a point format */ + writer->write_uint8(writer, pub.len + 1); + writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED); + writer->write_data(writer, pub); + } + free(pub.ptr); + + *type = TLS_CLIENT_KEY_EXCHANGE; + this->state = STATE_KEY_EXCHANGE_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send client key exchange, depending on suite + */ +static status_t send_key_exchange(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + if (this->dh) + { + return send_key_exchange_dhe(this, type, writer); + } + return send_key_exchange_encrypt(this, type, writer); +} + +/** + * Send certificate verify + */ +static status_t send_certificate_verify(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + if (!this->private || + !this->crypto->sign_handshake(this->crypto, this->private, + writer, this->hashsig)) + { + DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + + *type = TLS_CERTIFICATE_VERIFY; + this->state = STATE_VERIFY_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send Finished + */ +static status_t send_finished(private_tls_peer_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + char buf[12]; + + if (!this->crypto->calculate_finished(this->crypto, "client finished", buf)) + { + DBG1(DBG_TLS, "calculating client finished data failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + + writer->write_data(writer, chunk_from_thing(buf)); + + *type = TLS_FINISHED; + this->state = STATE_FINISHED_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +METHOD(tls_handshake_t, build, status_t, + private_tls_peer_t *this, tls_handshake_type_t *type, tls_writer_t *writer) +{ + switch (this->state) + { + case STATE_INIT: + return send_client_hello(this, type, writer); + case STATE_HELLO_DONE: + if (this->peer) + { + return send_certificate(this, type, writer); + } + /* otherwise fall through to next state */ + case STATE_CERT_SENT: + return send_key_exchange(this, type, writer); + case STATE_KEY_EXCHANGE_SENT: + if (this->peer) + { + return send_certificate_verify(this, type, writer); + } + else + { + return INVALID_STATE; + } + case STATE_CIPHERSPEC_CHANGED_OUT: + return send_finished(this, type, writer); + default: + return INVALID_STATE; + } +} + +METHOD(tls_handshake_t, cipherspec_changed, bool, + private_tls_peer_t *this) +{ + if ((this->peer && this->state == STATE_VERIFY_SENT) || + (!this->peer && this->state == STATE_KEY_EXCHANGE_SENT)) + { + this->crypto->change_cipher(this->crypto, FALSE); + this->state = STATE_CIPHERSPEC_CHANGED_OUT; + return TRUE; + } + return FALSE; +} + +METHOD(tls_handshake_t, change_cipherspec, bool, + private_tls_peer_t *this) +{ + if (this->state == STATE_FINISHED_SENT) + { + this->crypto->change_cipher(this->crypto, TRUE); + this->state = STATE_CIPHERSPEC_CHANGED_IN; + return TRUE; + } + return FALSE; +} + +METHOD(tls_handshake_t, finished, bool, + private_tls_peer_t *this) +{ + return this->state == STATE_COMPLETE; +} + +METHOD(tls_handshake_t, destroy, void, + private_tls_peer_t *this) +{ + DESTROY_IF(this->private); + DESTROY_IF(this->dh); + this->peer_auth->destroy(this->peer_auth); + this->server_auth->destroy(this->server_auth); + free(this->hashsig.ptr); + free(this->cert_types.ptr); + free(this); +} + +/** + * See header + */ +tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert, + identification_t *peer, identification_t *server) +{ + private_tls_peer_t *this; + + INIT(this, + .public = { + .handshake = { + .process = _process, + .build = _build, + .cipherspec_changed = _cipherspec_changed, + .change_cipherspec = _change_cipherspec, + .finished = _finished, + .destroy = _destroy, + }, + }, + .state = STATE_INIT, + .tls = tls, + .crypto = crypto, + .alert = alert, + .peer = peer, + .server = server, + .peer_auth = auth_cfg_create(), + .server_auth = auth_cfg_create(), + ); + + return &this->public; +} diff --git a/src/libtls/tls_peer.h b/src/libtls/tls_peer.h new file mode 100644 index 000000000..f773ea72e --- /dev/null +++ b/src/libtls/tls_peer.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_peer tls_peer + * @{ @ingroup libtls + */ + +#ifndef TLS_PEER_H_ +#define TLS_PEER_H_ + +typedef struct tls_peer_t tls_peer_t; + +#include "tls_handshake.h" +#include "tls_crypto.h" + +#include <library.h> + +/** + * TLS handshake protocol handler as peer. + */ +struct tls_peer_t { + + /** + * Implements the TLS handshake protocol handler. + */ + tls_handshake_t handshake; +}; + +/** + * Create a tls_peer instance. +* + * @param tls TLS stack + * @param crypto TLS crypto helper + * @param alert TLS alert handler + * @param peer peer identity + * @param server server identity + */ +tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert, + identification_t *peer, identification_t *server); + +#endif /** TLS_PEER_H_ @}*/ diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c new file mode 100644 index 000000000..f181d01d3 --- /dev/null +++ b/src/libtls/tls_prf.c @@ -0,0 +1,190 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_prf.h" + +typedef struct private_tls_prf12_t private_tls_prf12_t; + +/** + * Private data of an tls_prf_t object. + */ +struct private_tls_prf12_t { + + /** + * Public tls_prf_t interface. + */ + tls_prf_t public; + + /** + * Underlying primitive PRF + */ + prf_t *prf; +}; + +METHOD(tls_prf_t, set_key12, void, + private_tls_prf12_t *this, chunk_t key) +{ + this->prf->set_key(this->prf, key); +} + +/** + * The P_hash function as in TLS 1.0/1.2 + */ +static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size, + size_t bytes, char *out) +{ + char buf[block_size], abuf[block_size]; + chunk_t a; + + /* seed = label + seed */ + seed = chunk_cata("cc", chunk_create(label, strlen(label)), seed); + /* A(0) = seed */ + a = seed; + + while (TRUE) + { + /* A(i) = HMAC_hash(secret, A(i-1)) */ + prf->get_bytes(prf, a, abuf); + a = chunk_from_thing(abuf); + /* HMAC_hash(secret, A(i) + seed) */ + prf->get_bytes(prf, a, NULL); + prf->get_bytes(prf, seed, buf); + + if (bytes <= block_size) + { + memcpy(out, buf, bytes); + break; + } + memcpy(out, buf, block_size); + out += block_size; + bytes -= block_size; + } +} + +METHOD(tls_prf_t, get_bytes12, void, + private_tls_prf12_t *this, char *label, chunk_t seed, + size_t bytes, char *out) +{ + p_hash(this->prf, label, seed, this->prf->get_block_size(this->prf), + bytes, out); +} + +METHOD(tls_prf_t, destroy12, void, + private_tls_prf12_t *this) +{ + this->prf->destroy(this->prf); + free(this); +} + +/** + * See header + */ +tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf) +{ + private_tls_prf12_t *this; + + INIT(this, + .public = { + .set_key = _set_key12, + .get_bytes = _get_bytes12, + .destroy = _destroy12, + }, + .prf = lib->crypto->create_prf(lib->crypto, prf), + ); + if (!this->prf) + { + free(this); + return NULL; + } + return &this->public; +} + + +typedef struct private_tls_prf10_t private_tls_prf10_t; + +/** + * Private data of an tls_prf_t object. + */ +struct private_tls_prf10_t { + + /** + * Public tls_prf_t interface. + */ + tls_prf_t public; + + /** + * Underlying MD5 PRF + */ + prf_t *md5; + + /** + * Underlying SHA1 PRF + */ + prf_t *sha1; +}; + +METHOD(tls_prf_t, set_key10, void, + private_tls_prf10_t *this, chunk_t key) +{ + size_t len = key.len / 2 + key.len % 2; + + this->md5->set_key(this->md5, chunk_create(key.ptr, len)); + this->sha1->set_key(this->sha1, chunk_create(key.ptr + key.len - len, len)); +} + +METHOD(tls_prf_t, get_bytes10, void, + private_tls_prf10_t *this, char *label, chunk_t seed, + size_t bytes, char *out) +{ + char buf[bytes]; + + p_hash(this->md5, label, seed, this->md5->get_block_size(this->md5), + bytes, out); + p_hash(this->sha1, label, seed, this->sha1->get_block_size(this->sha1), + bytes, buf); + memxor(out, buf, bytes); +} + +METHOD(tls_prf_t, destroy10, void, + private_tls_prf10_t *this) +{ + DESTROY_IF(this->md5); + DESTROY_IF(this->sha1); + free(this); +} + +/** + * See header + */ +tls_prf_t *tls_prf_create_10(pseudo_random_function_t prf) +{ + private_tls_prf10_t *this; + + INIT(this, + .public = { + .set_key = _set_key10, + .get_bytes = _get_bytes10, + .destroy = _destroy10, + }, + .md5 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_MD5), + .sha1 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA1), + ); + if (!this->md5 || !this->sha1) + { + destroy10(this); + return NULL; + } + return &this->public; +} diff --git a/src/libtls/tls_prf.h b/src/libtls/tls_prf.h new file mode 100644 index 000000000..9fb9bc2de --- /dev/null +++ b/src/libtls/tls_prf.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_prf tls_prf + * @{ @ingroup libtls + */ + +#ifndef TLS_PRF_H_ +#define TLS_PRF_H_ + +typedef struct tls_prf_t tls_prf_t; + +#include <crypto/prfs/prf.h> + +/** + * The PRF function specified on TLS, based on HMAC. + */ +struct tls_prf_t { + + /** + * Set the key of the PRF function. + * + * @param key key to set + */ + void (*set_key)(tls_prf_t *this, chunk_t key); + + /** + * Generate a series of bytes using a label and a seed. + * + * @param label ASCII input label + * @param seed seed input value + * @param bytes number of bytes to get + * @param out buffer receiving bytes + */ + void (*get_bytes)(tls_prf_t *this, char *label, chunk_t seed, + size_t bytes, char *out); + + /** + * Destroy a tls_prf_t. + */ + void (*destroy)(tls_prf_t *this); +}; + +/** + * Create a tls_prf instance with specific algorithm as in TLS 1.2. + * + * @param prf underlying PRF function to use + * @return TLS PRF algorithm + */ +tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf); + +/** + * Create a tls_prf instance with XOred SHA1/MD5 as in TLS 1.0/1.1. + * + * @return TLS PRF algorithm + */ +tls_prf_t *tls_prf_create_10(); + +#endif /** TLS_PRF_H_ @}*/ diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c new file mode 100644 index 000000000..d823bae04 --- /dev/null +++ b/src/libtls/tls_protection.c @@ -0,0 +1,333 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_protection.h" + +#include <debug.h> + +typedef struct private_tls_protection_t private_tls_protection_t; + +/** + * Private data of an tls_protection_t object. + */ +struct private_tls_protection_t { + + /** + * Public tls_protection_t interface. + */ + tls_protection_t public; + + /** + * negotiated TLS version + */ + tls_version_t version; + + /** + * Upper layer, TLS record compression + */ + tls_compression_t *compression; + + /** + * TLS alert handler + */ + tls_alert_t *alert; + + /** + * RNG if we generate IVs ourself + */ + rng_t *rng; + + /** + * Sequence number of incoming records + */ + u_int32_t seq_in; + + /** + * Sequence number for outgoing records + */ + u_int32_t seq_out; + + /** + * Signer instance for inbound traffic + */ + signer_t *signer_in; + + /** + * Signer instance for outbound traffic + */ + signer_t *signer_out; + + /** + * Crypter instance for inbound traffic + */ + crypter_t *crypter_in; + + /** + * Crypter instance for outbound traffic + */ + crypter_t *crypter_out; + + /** + * Current IV for input decryption + */ + chunk_t iv_in; + + /** + * Current IV for output decryption + */ + chunk_t iv_out; +}; + +/** + * Create the header to append to the record data to create the MAC + */ +static chunk_t sigheader(u_int32_t seq, u_int8_t type, + u_int16_t version, u_int16_t length) +{ + /* we only support 32 bit sequence numbers, but TLS uses 64 bit */ + u_int32_t seq_high = 0; + + seq = htonl(seq); + version = htons(version); + length = htons(length); + + return chunk_cat("ccccc", chunk_from_thing(seq_high), + chunk_from_thing(seq), chunk_from_thing(type), + chunk_from_thing(version), chunk_from_thing(length)); +} + +METHOD(tls_protection_t, process, status_t, + private_tls_protection_t *this, tls_content_type_t type, chunk_t data) +{ + if (this->alert->fatal(this->alert)) + { /* don't accept more input, fatal error ocurred */ + return NEED_MORE; + } + + if (this->crypter_in) + { + chunk_t iv, next_iv = chunk_empty; + u_int8_t bs, padding_length; + + bs = this->crypter_in->get_block_size(this->crypter_in); + if (this->iv_in.len) + { /* < TLSv1.1 uses IV from key derivation/last block */ + if (data.len < bs || data.len % bs) + { + DBG1(DBG_TLS, "encrypted TLS record length invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } + iv = this->iv_in; + next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs)); + } + else + { /* TLSv1.1 uses random IVs, prepended to record */ + iv.len = this->crypter_in->get_iv_size(this->crypter_in); + iv = chunk_create(data.ptr, iv.len); + data = chunk_skip(data, iv.len); + if (data.len < bs || data.len % bs) + { + DBG1(DBG_TLS, "encrypted TLS record length invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } + } + this->crypter_in->decrypt(this->crypter_in, data, iv, NULL); + + if (next_iv.len) + { /* next record IV is last ciphertext block of this record */ + memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len); + free(next_iv.ptr); + } + + padding_length = data.ptr[data.len - 1]; + if (padding_length >= data.len) + { + DBG1(DBG_TLS, "invalid TLS record padding"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } + data.len -= padding_length + 1; + } + if (this->signer_in) + { + chunk_t mac, macdata, header; + u_int8_t bs; + + bs = this->signer_in->get_block_size(this->signer_in); + if (data.len < bs) + { + DBG1(DBG_TLS, "TLS record too short to verify MAC"); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } + mac = chunk_skip(data, data.len - bs); + data.len -= bs; + + header = sigheader(this->seq_in, type, this->version, data.len); + macdata = chunk_cat("mc", header, data); + if (!this->signer_in->verify_signature(this->signer_in, macdata, mac)) + { + DBG1(DBG_TLS, "TLS record MAC verification failed"); + free(macdata.ptr); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } + free(macdata.ptr); + } + + if (type == TLS_CHANGE_CIPHER_SPEC) + { + this->seq_in = 0; + } + else + { + this->seq_in++; + } + return this->compression->process(this->compression, type, data); +} + +METHOD(tls_protection_t, build, status_t, + private_tls_protection_t *this, tls_content_type_t *type, chunk_t *data) +{ + status_t status; + + status = this->compression->build(this->compression, type, data); + if (*type == TLS_CHANGE_CIPHER_SPEC) + { + this->seq_out = 0; + return status; + } + + if (status == NEED_MORE) + { + if (this->signer_out) + { + chunk_t mac, header; + + header = sigheader(this->seq_out, *type, this->version, data->len); + this->signer_out->get_signature(this->signer_out, header, NULL); + free(header.ptr); + this->signer_out->allocate_signature(this->signer_out, *data, &mac); + if (this->crypter_out) + { + chunk_t padding, iv; + u_int8_t bs, padding_length; + + bs = this->crypter_out->get_block_size(this->crypter_out); + padding_length = bs - ((data->len + mac.len + 1) % bs); + + padding = chunk_alloca(padding_length); + memset(padding.ptr, padding_length, padding.len); + + if (this->iv_out.len) + { /* < TLSv1.1 uses IV from key derivation/last block */ + iv = this->iv_out; + } + else + { /* TLSv1.1 uses random IVs, prepended to record */ + if (!this->rng) + { + DBG1(DBG_TLS, "no RNG supported to generate TLS IV"); + free(data->ptr); + return FAILED; + } + iv.len = this->crypter_out->get_iv_size(this->crypter_out); + this->rng->allocate_bytes(this->rng, iv.len, &iv); + } + + *data = chunk_cat("mmcc", *data, mac, padding, + chunk_from_thing(padding_length)); + /* encrypt inline */ + this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL); + + if (this->iv_out.len) + { /* next record IV is last ciphertext block of this record */ + memcpy(this->iv_out.ptr, data->ptr + data->len - + this->iv_out.len, this->iv_out.len); + } + else + { /* prepend IV */ + *data = chunk_cat("mm", iv, *data); + } + } + else + { /* NULL encryption */ + *data = chunk_cat("mm", *data, mac); + } + } + this->seq_out++; + } + return status; +} + +METHOD(tls_protection_t, set_cipher, void, + private_tls_protection_t *this, bool inbound, signer_t *signer, + crypter_t *crypter, chunk_t iv) +{ + if (inbound) + { + this->signer_in = signer; + this->crypter_in = crypter; + this->iv_in = iv; + } + else + { + this->signer_out = signer; + this->crypter_out = crypter; + this->iv_out = iv; + if (!iv.len) + { /* generate IVs if none given */ + this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + } + } +} + +METHOD(tls_protection_t, set_version, void, + private_tls_protection_t *this, tls_version_t version) +{ + this->version = version; +} + +METHOD(tls_protection_t, destroy, void, + private_tls_protection_t *this) +{ + DESTROY_IF(this->rng); + free(this); +} + +/** + * See header + */ +tls_protection_t *tls_protection_create(tls_compression_t *compression, + tls_alert_t *alert) +{ + private_tls_protection_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .set_cipher = _set_cipher, + .set_version = _set_version, + .destroy = _destroy, + }, + .alert = alert, + .compression = compression, + ); + + return &this->public; +} diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h new file mode 100644 index 000000000..99c94e935 --- /dev/null +++ b/src/libtls/tls_protection.h @@ -0,0 +1,98 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_protection tls_protection + * @{ @ingroup libtls + */ + +#ifndef TLS_PROTECTION_H_ +#define TLS_PROTECTION_H_ + +#include <library.h> + +#include "tls.h" +#include "tls_alert.h" +#include "tls_compression.h" + +typedef struct tls_protection_t tls_protection_t; + +/** + * TLS record protocol protection layer. + */ +struct tls_protection_t { + + /** + * Process a protected TLS record, pass it to upper layers. + * + * @param type type of the TLS record to process + * @param data associated TLS record data + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if more invocations to process/build needed + */ + status_t (*process)(tls_protection_t *this, + tls_content_type_t type, chunk_t data); + + /** + * Query upper layer for TLS record, build protected record. + * + * @param type type of the built TLS record + * @param data allocated data of the built TLS record + * @return + * - SUCCESS if TLS negotiation complete + * - FAILED if TLS handshake failed + * - NEED_MORE if upper layers have more records to send + * - INVALID_STATE if more input records required + */ + status_t (*build)(tls_protection_t *this, + tls_content_type_t *type, chunk_t *data); + + /** + * Set a new cipher, including encryption and integrity algorithms. + * + * @param inbound TRUE to use cipher for inbound data, FALSE for outbound + * @param signer new signer to use, gets owned by protection layer + * @param crypter new crypter to use, gets owned by protection layer + * @param iv initial IV for crypter, gets owned by protection layer + */ + void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer, + crypter_t *crypter, chunk_t iv); + + /** + * Set the TLS version negotiated, used for MAC calculation. + * + * @param version TLS version negotiated + */ + void (*set_version)(tls_protection_t *this, tls_version_t version); + + /** + * Destroy a tls_protection_t. + */ + void (*destroy)(tls_protection_t *this); +}; + +/** + * Create a tls_protection instance. + * + * @param compression compression layer of TLS stack + * @param alert TLS alert handler + * @return TLS protection layer. + */ +tls_protection_t *tls_protection_create(tls_compression_t *compression, + tls_alert_t *alert); + +#endif /** TLS_PROTECTION_H_ @}*/ diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c new file mode 100644 index 000000000..17ec68fd5 --- /dev/null +++ b/src/libtls/tls_reader.c @@ -0,0 +1,200 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_reader.h" + +#include <debug.h> + +typedef struct private_tls_reader_t private_tls_reader_t; + +/** + * Private data of an tls_reader_t object. + */ +struct private_tls_reader_t { + + /** + * Public tls_reader_t interface. + */ + tls_reader_t public; + + /** + * Remaining data to process + */ + chunk_t buf; +}; + +METHOD(tls_reader_t, remaining, u_int32_t, + private_tls_reader_t *this) +{ + return this->buf.len; +} + +METHOD(tls_reader_t, peek, chunk_t, + private_tls_reader_t *this) +{ + return this->buf; +} + +METHOD(tls_reader_t, read_uint8, bool, + private_tls_reader_t *this, u_int8_t *res) +{ + if (this->buf.len < 1) + { + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 8); + return FALSE; + } + *res = this->buf.ptr[0]; + this->buf = chunk_skip(this->buf, 1); + return TRUE; +} + +METHOD(tls_reader_t, read_uint16, bool, + private_tls_reader_t *this, u_int16_t *res) +{ + if (this->buf.len < 2) + { + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 16); + return FALSE; + } + *res = untoh16(this->buf.ptr); + this->buf = chunk_skip(this->buf, 2); + return TRUE; +} + +METHOD(tls_reader_t, read_uint24, bool, + private_tls_reader_t *this, u_int32_t *res) +{ + if (this->buf.len < 3) + { + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 24); + return FALSE; + } + *res = untoh32(this->buf.ptr) >> 8; + this->buf = chunk_skip(this->buf, 3); + return TRUE; +} + +METHOD(tls_reader_t, read_uint32, bool, + private_tls_reader_t *this, u_int32_t *res) +{ + if (this->buf.len < 4) + { + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 32); + return FALSE; + } + *res = untoh32(this->buf.ptr); + this->buf = chunk_skip(this->buf, 4); + return TRUE; +} + +METHOD(tls_reader_t, read_data, bool, + private_tls_reader_t *this, u_int32_t len, chunk_t *res) +{ + if (this->buf.len < len) + { + DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data", + this->buf.len, len); + return FALSE; + } + *res = chunk_create(this->buf.ptr, len); + this->buf = chunk_skip(this->buf, len); + return TRUE; +} + +METHOD(tls_reader_t, read_data8, bool, + private_tls_reader_t *this, chunk_t *res) +{ + u_int8_t len; + + if (!read_uint8(this, &len)) + { + return FALSE; + } + return read_data(this, len, res); +} + +METHOD(tls_reader_t, read_data16, bool, + private_tls_reader_t *this, chunk_t *res) +{ + u_int16_t len; + + if (!read_uint16(this, &len)) + { + return FALSE; + } + return read_data(this, len, res); +} + +METHOD(tls_reader_t, read_data24, bool, + private_tls_reader_t *this, chunk_t *res) +{ + u_int32_t len; + + if (!read_uint24(this, &len)) + { + return FALSE; + } + return read_data(this, len, res); +} + +METHOD(tls_reader_t, read_data32, bool, + private_tls_reader_t *this, chunk_t *res) +{ + u_int32_t len; + + if (!read_uint32(this, &len)) + { + return FALSE; + } + return read_data(this, len, res); +} + +METHOD(tls_reader_t, destroy, void, + private_tls_reader_t *this) +{ + free(this); +} + +/** + * See header + */ +tls_reader_t *tls_reader_create(chunk_t data) +{ + private_tls_reader_t *this; + + INIT(this, + .public = { + .remaining = _remaining, + .peek = _peek, + .read_uint8 = _read_uint8, + .read_uint16 = _read_uint16, + .read_uint24 = _read_uint24, + .read_uint32 = _read_uint32, + .read_data = _read_data, + .read_data8 = _read_data8, + .read_data16 = _read_data16, + .read_data24 = _read_data24, + .read_data32 = _read_data32, + .destroy = _destroy, + }, + .buf = data, + ); + + return &this->public; +} diff --git a/src/libtls/tls_reader.h b/src/libtls/tls_reader.h new file mode 100644 index 000000000..a8978b486 --- /dev/null +++ b/src/libtls/tls_reader.h @@ -0,0 +1,131 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_reader tls_reader + * @{ @ingroup libtls + */ + +#ifndef TLS_READER_H_ +#define TLS_READER_H_ + +typedef struct tls_reader_t tls_reader_t; + +#include <library.h> + +/** + * TLS record parser. + */ +struct tls_reader_t { + + /** + * Get the number of remaining bytes. + * + * @return number of remaining bytes in buffer + */ + u_int32_t (*remaining)(tls_reader_t *this); + + /** + * Peek the remaining data, not consuming any bytes. + * + * @return remaining data + */ + chunk_t (*peek)(tls_reader_t *this); + + /** + * Read a 8-bit integer from the buffer, advance. + * + * @param res pointer to result + * @return TRUE if integer read successfully + */ + bool (*read_uint8)(tls_reader_t *this, u_int8_t *res); + + /** + * Read a 16-bit integer from the buffer, advance. + * + * @param res pointer to result + * @return TRUE if integer read successfully + */ + bool (*read_uint16)(tls_reader_t *this, u_int16_t *res); + + /** + * Read a 24-bit integer from the buffer, advance. + * + * @param res pointer to result + * @return TRUE if integer read successfully + */ + bool (*read_uint24)(tls_reader_t *this, u_int32_t *res); + + /** + * Read a 32-bit integer from the buffer, advance. + * + * @param res pointer to result + * @return TRUE if integer read successfully + */ + bool (*read_uint32)(tls_reader_t *this, u_int32_t *res); + + /** + * Read a chunk of len bytes, advance. + * + * @param len number of bytes to read + * @param res pointer to result, not cloned + * @return TRUE if data read successfully + */ + bool (*read_data)(tls_reader_t *this, u_int32_t len, chunk_t *res); + + /** + * Read a chunk of bytes with a 8-bit length header, advance. + * + * @param res pointer to result, not cloned + * @return TRUE if data read successfully + */ + bool (*read_data8)(tls_reader_t *this, chunk_t *res); + + /** + * Read a chunk of bytes with a 16-bit length header, advance. + * + * @param res pointer to result, not cloned + * @return TRUE if data read successfully + */ + bool (*read_data16)(tls_reader_t *this, chunk_t *res); + + /** + * Read a chunk of bytes with a 24-bit length header, advance. + * + * @param res pointer to result, not cloned + * @return TRUE if data read successfully + */ + bool (*read_data24)(tls_reader_t *this, chunk_t *res); + + /** + * Read a chunk of bytes with a 32-bit length header, advance. + * + * @param res pointer to result, not cloned + * @return TRUE if data read successfully + */ + bool (*read_data32)(tls_reader_t *this, chunk_t *res); + + /** + * Destroy a tls_reader_t. + */ + void (*destroy)(tls_reader_t *this); +}; + +/** + * Create a tls_reader instance. + */ +tls_reader_t *tls_reader_create(chunk_t data); + +#endif /** tls_reader_H_ @}*/ diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c new file mode 100644 index 000000000..b0417f6cb --- /dev/null +++ b/src/libtls/tls_server.c @@ -0,0 +1,1032 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_server.h" + +#include <time.h> + +#include <debug.h> +#include <credentials/certificates/x509.h> + +typedef struct private_tls_server_t private_tls_server_t; + + +typedef enum { + STATE_INIT, + STATE_HELLO_RECEIVED, + STATE_HELLO_SENT, + STATE_CERT_SENT, + STATE_KEY_EXCHANGE_SENT, + STATE_CERTREQ_SENT, + STATE_HELLO_DONE, + STATE_CERT_RECEIVED, + STATE_KEY_EXCHANGE_RECEIVED, + STATE_CERT_VERIFY_RECEIVED, + STATE_CIPHERSPEC_CHANGED_IN, + STATE_FINISHED_RECEIVED, + STATE_CIPHERSPEC_CHANGED_OUT, + STATE_FINISHED_SENT, +} server_state_t; + +/** + * Private data of an tls_server_t object. + */ +struct private_tls_server_t { + + /** + * Public tls_server_t interface. + */ + tls_server_t public; + + /** + * TLS stack + */ + tls_t *tls; + + /** + * TLS crypto context + */ + tls_crypto_t *crypto; + + /** + * TLS alert handler + */ + tls_alert_t *alert; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity, NULL for no client authentication + */ + identification_t *peer; + + /** + * State we are in + */ + server_state_t state; + + /** + * Hello random data selected by client + */ + char client_random[32]; + + /** + * Hello random data selected by server + */ + char server_random[32]; + + /** + * Auth helper for peer authentication + */ + auth_cfg_t *peer_auth; + + /** + * Auth helper for server authentication + */ + auth_cfg_t *server_auth; + + /** + * Peer private key + */ + private_key_t *private; + + /** + * DHE exchange + */ + diffie_hellman_t *dh; + + /** + * Selected TLS cipher suite + */ + tls_cipher_suite_t suite; + + /** + * Offered TLS version of the client + */ + tls_version_t client_version; + + /** + * Hash and signature algorithms supported by peer + */ + chunk_t hashsig; + + /** + * Elliptic curves supported by peer + */ + chunk_t curves; + + /** + * Did we receive the curves from the client? + */ + bool curves_received; +}; + +/** + * Find a cipher suite and a server key + */ +static bool select_suite_and_key(private_tls_server_t *this, + tls_cipher_suite_t *suites, int count) +{ + private_key_t *key; + key_type_t type; + + key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server, + this->server_auth); + if (!key) + { + DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'", + this->server); + return FALSE; + } + this->suite = this->crypto->select_cipher_suite(this->crypto, + suites, count, key->get_type(key)); + if (!this->suite) + { /* no match for this key, try to find another type */ + if (key->get_type(key) == KEY_ECDSA) + { + type = KEY_RSA; + } + else + { + type = KEY_ECDSA; + } + key->destroy(key); + + this->suite = this->crypto->select_cipher_suite(this->crypto, + suites, count, type); + if (!this->suite) + { + DBG1(DBG_TLS, "received cipher suites inacceptable"); + return FALSE; + } + this->server_auth->destroy(this->server_auth); + this->server_auth = auth_cfg_create(); + key = lib->credmgr->get_private(lib->credmgr, type, this->server, + this->server_auth); + if (!key) + { + DBG1(DBG_TLS, "received cipher suites inacceptable"); + return FALSE; + } + } + this->private = key; + return TRUE; +} + +/** + * Process client hello message + */ +static status_t process_client_hello(private_tls_server_t *this, + tls_reader_t *reader) +{ + u_int16_t version, extension; + chunk_t random, session, ciphers, compression, ext = chunk_empty; + tls_reader_t *extensions; + tls_cipher_suite_t *suites; + int count, i; + + this->crypto->append_handshake(this->crypto, + TLS_CLIENT_HELLO, reader->peek(reader)); + + if (!reader->read_uint16(reader, &version) || + !reader->read_data(reader, sizeof(this->client_random), &random) || + !reader->read_data8(reader, &session) || + !reader->read_data16(reader, &ciphers) || + !reader->read_data8(reader, &compression) || + (reader->remaining(reader) && !reader->read_data16(reader, &ext))) + { + DBG1(DBG_TLS, "received invalid ClientHello"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + if (ext.len) + { + extensions = tls_reader_create(ext); + while (extensions->remaining(extensions)) + { + if (!extensions->read_uint16(extensions, &extension) || + !extensions->read_data16(extensions, &ext)) + { + DBG1(DBG_TLS, "received invalid ClientHello Extensions"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + extensions->destroy(extensions); + return NEED_MORE; + } + DBG1(DBG_TLS, "received TLS '%N' extension", + tls_extension_names, extension); + DBG3(DBG_TLS, "%B", &ext); + switch (extension) + { + case TLS_EXT_SIGNATURE_ALGORITHMS: + this->hashsig = chunk_clone(ext); + break; + case TLS_EXT_ELLIPTIC_CURVES: + this->curves_received = TRUE; + this->curves = chunk_clone(ext); + break; + default: + break; + } + } + extensions->destroy(extensions); + } + + memcpy(this->client_random, random.ptr, sizeof(this->client_random)); + + if (!this->tls->set_version(this->tls, version)) + { + DBG1(DBG_TLS, "negotiated version %N not supported", + tls_version_names, version); + this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION); + return NEED_MORE; + } + count = ciphers.len / sizeof(u_int16_t); + suites = alloca(count * sizeof(tls_cipher_suite_t)); + DBG2(DBG_TLS, "received %d TLS cipher suites:", count); + for (i = 0; i < count; i++) + { + suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]); + DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]); + } + + if (!select_suite_and_key(this, suites, count)) + { + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + DBG1(DBG_TLS, "negotiated TLS version %N with suite %N", + tls_version_names, this->tls->get_version(this->tls), + tls_cipher_suite_names, this->suite); + this->client_version = version; + this->state = STATE_HELLO_RECEIVED; + return NEED_MORE; +} + +/** + * Process certificate + */ +static status_t process_certificate(private_tls_server_t *this, + tls_reader_t *reader) +{ + certificate_t *cert; + tls_reader_t *certs; + chunk_t data; + bool first = TRUE; + + this->crypto->append_handshake(this->crypto, + TLS_CERTIFICATE, reader->peek(reader)); + + if (!reader->read_data24(reader, &data)) + { + DBG1(DBG_TLS, "certificate message header invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + certs = tls_reader_create(data); + while (certs->remaining(certs)) + { + if (!certs->read_data24(certs, &data)) + { + DBG1(DBG_TLS, "certificate message invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + certs->destroy(certs); + return NEED_MORE; + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, data, BUILD_END); + if (cert) + { + if (first) + { + this->peer_auth->add(this->peer_auth, + AUTH_HELPER_SUBJECT_CERT, cert); + DBG1(DBG_TLS, "received TLS peer certificate '%Y'", + cert->get_subject(cert)); + first = FALSE; + } + else + { + DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'", + cert->get_subject(cert)); + this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert); + } + } + else + { + DBG1(DBG_TLS, "parsing TLS certificate failed, skipped"); + this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE); + } + } + certs->destroy(certs); + this->state = STATE_CERT_RECEIVED; + return NEED_MORE; +} + +/** + * Process Client Key Exchange, using premaster encryption + */ +static status_t process_key_exchange_encrypted(private_tls_server_t *this, + tls_reader_t *reader) +{ + chunk_t encrypted, decrypted; + char premaster[48]; + rng_t *rng; + + this->crypto->append_handshake(this->crypto, + TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader)); + + if (!reader->read_data16(reader, &encrypted)) + { + DBG1(DBG_TLS, "received invalid Client Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + htoun16(premaster, this->client_version); + /* pre-randomize premaster for failure cases */ + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_TLS, "creating RNG failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2); + rng->destroy(rng); + + if (this->private && + this->private->decrypt(this->private, + ENCRYPT_RSA_PKCS1, encrypted, &decrypted)) + { + if (decrypted.len == sizeof(premaster) && + untoh16(decrypted.ptr) == this->client_version) + { + memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2); + } + else + { + DBG1(DBG_TLS, "decrypted premaster has invalid length/version"); + } + chunk_clear(&decrypted); + } + else + { + DBG1(DBG_TLS, "decrypting Client Key Exchange failed"); + } + + this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster), + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + + this->state = STATE_KEY_EXCHANGE_RECEIVED; + return NEED_MORE; +} + +/** + * Process client key exchange, using DHE exchange + */ +static status_t process_key_exchange_dhe(private_tls_server_t *this, + tls_reader_t *reader) +{ + chunk_t premaster, pub; + bool ec; + + this->crypto->append_handshake(this->crypto, + TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader)); + + ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh)); + if ((ec && !reader->read_data8(reader, &pub)) || + (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0))) + { + DBG1(DBG_TLS, "received invalid Client Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + + if (ec) + { + if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED) + { + DBG1(DBG_TLS, "DH point format '%N' not supported", + tls_ansi_point_format_names, pub.ptr[0]); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + pub = chunk_skip(pub, 1); + } + this->dh->set_other_public_value(this->dh, pub); + if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS) + { + DBG1(DBG_TLS, "calculating premaster from DH failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + + this->crypto->derive_secrets(this->crypto, premaster, + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + chunk_clear(&premaster); + + this->state = STATE_KEY_EXCHANGE_RECEIVED; + return NEED_MORE; +} + +/** + * Process Client Key Exchange + */ +static status_t process_key_exchange(private_tls_server_t *this, + tls_reader_t *reader) +{ + if (this->dh) + { + return process_key_exchange_dhe(this, reader); + } + return process_key_exchange_encrypted(this, reader); +} + +/** + * Process Certificate verify + */ +static status_t process_cert_verify(private_tls_server_t *this, + tls_reader_t *reader) +{ + bool verified = FALSE; + enumerator_t *enumerator; + public_key_t *public; + auth_cfg_t *auth; + tls_reader_t *sig; + + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + KEY_ANY, this->peer, this->peer_auth); + while (enumerator->enumerate(enumerator, &public, &auth)) + { + sig = tls_reader_create(reader->peek(reader)); + verified = this->crypto->verify_handshake(this->crypto, public, sig); + sig->destroy(sig); + if (verified) + { + break; + } + DBG1(DBG_TLS, "signature verification failed, trying another key"); + } + enumerator->destroy(enumerator); + + if (!verified) + { + DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer", + this->peer); + this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN); + return NEED_MORE; + } + + this->crypto->append_handshake(this->crypto, + TLS_CERTIFICATE_VERIFY, reader->peek(reader)); + this->state = STATE_CERT_VERIFY_RECEIVED; + return NEED_MORE; +} + +/** + * Process finished message + */ +static status_t process_finished(private_tls_server_t *this, + tls_reader_t *reader) +{ + chunk_t received; + char buf[12]; + + if (!reader->read_data(reader, sizeof(buf), &received)) + { + DBG1(DBG_TLS, "received client finished too short"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + return NEED_MORE; + } + if (!this->crypto->calculate_finished(this->crypto, "client finished", buf)) + { + DBG1(DBG_TLS, "calculating client finished failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + if (!chunk_equals(received, chunk_from_thing(buf))) + { + DBG1(DBG_TLS, "received client finished invalid"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR); + return NEED_MORE; + } + + this->crypto->append_handshake(this->crypto, TLS_FINISHED, received); + this->state = STATE_FINISHED_RECEIVED; + return NEED_MORE; +} + +METHOD(tls_handshake_t, process, status_t, + private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader) +{ + tls_handshake_type_t expected; + + switch (this->state) + { + case STATE_INIT: + if (type == TLS_CLIENT_HELLO) + { + return process_client_hello(this, reader); + } + expected = TLS_CLIENT_HELLO; + break; + case STATE_HELLO_DONE: + if (type == TLS_CERTIFICATE) + { + return process_certificate(this, reader); + } + if (this->peer) + { + expected = TLS_CERTIFICATE; + break; + } + /* otherwise fall through to next state */ + case STATE_CERT_RECEIVED: + if (type == TLS_CLIENT_KEY_EXCHANGE) + { + return process_key_exchange(this, reader); + } + expected = TLS_CLIENT_KEY_EXCHANGE; + break; + case STATE_KEY_EXCHANGE_RECEIVED: + if (type == TLS_CERTIFICATE_VERIFY) + { + return process_cert_verify(this, reader); + } + if (this->peer) + { + expected = TLS_CERTIFICATE_VERIFY; + break; + } + else + { + return INVALID_STATE; + } + case STATE_CIPHERSPEC_CHANGED_IN: + if (type == TLS_FINISHED) + { + return process_finished(this, reader); + } + expected = TLS_FINISHED; + break; + default: + DBG1(DBG_TLS, "TLS %N not expected in current state", + tls_handshake_type_names, type); + this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE); + return NEED_MORE; + } + DBG1(DBG_TLS, "TLS %N expected, but received %N", + tls_handshake_type_names, expected, tls_handshake_type_names, type); + this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE); + return NEED_MORE; +} + +/** + * Send ServerHello message + */ +static status_t send_server_hello(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + tls_version_t version; + rng_t *rng; + + htoun32(&this->server_random, time(NULL)); + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_TLS, "no suitable RNG found to generate server random"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return FAILED; + } + rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4); + rng->destroy(rng); + + /* TLS version */ + version = this->tls->get_version(this->tls); + writer->write_uint16(writer, version); + writer->write_data(writer, chunk_from_thing(this->server_random)); + + /* session identifier => none, we don't support session resumption */ + writer->write_data8(writer, chunk_empty); + + /* add selected TLS cipher suite */ + writer->write_uint16(writer, this->suite); + + /* NULL compression only */ + writer->write_uint8(writer, 0); + + *type = TLS_SERVER_HELLO; + this->state = STATE_HELLO_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send Certificate + */ +static status_t send_certificate(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + enumerator_t *enumerator; + certificate_t *cert; + auth_rule_t rule; + tls_writer_t *certs; + chunk_t data; + + /* generate certificate payload */ + certs = tls_writer_create(256); + cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + if (cert->get_encoding(cert, CERT_ASN1_DER, &data)) + { + DBG1(DBG_TLS, "sending TLS server certificate '%Y'", + cert->get_subject(cert)); + certs->write_data24(certs, data); + free(data.ptr); + } + } + enumerator = this->server_auth->create_enumerator(this->server_auth); + while (enumerator->enumerate(enumerator, &rule, &cert)) + { + if (rule == AUTH_RULE_IM_CERT) + { + if (cert->get_encoding(cert, CERT_ASN1_DER, &data)) + { + DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'", + cert->get_subject(cert)); + certs->write_data24(certs, data); + free(data.ptr); + } + } + } + enumerator->destroy(enumerator); + + writer->write_data24(writer, certs->get_buf(certs)); + certs->destroy(certs); + + *type = TLS_CERTIFICATE; + this->state = STATE_CERT_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send Certificate Request + */ +static status_t send_certificate_request(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + tls_writer_t *authorities, *supported; + enumerator_t *enumerator; + certificate_t *cert; + x509_t *x509; + identification_t *id; + + supported = tls_writer_create(4); + /* we propose both RSA and ECDSA */ + supported->write_uint8(supported, TLS_RSA_SIGN); + supported->write_uint8(supported, TLS_ECDSA_SIGN); + writer->write_data8(writer, supported->get_buf(supported)); + supported->destroy(supported); + if (this->tls->get_version(this->tls) >= TLS_1_2) + { + this->crypto->get_signature_algorithms(this->crypto, writer); + } + + authorities = tls_writer_create(64); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_RSA, NULL, TRUE); + while (enumerator->enumerate(enumerator, &cert)) + { + x509 = (x509_t*)cert; + if (x509->get_flags(x509) & X509_CA) + { + id = cert->get_subject(cert); + DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id); + authorities->write_data16(authorities, id->get_encoding(id)); + } + } + enumerator->destroy(enumerator); + writer->write_data16(writer, authorities->get_buf(authorities)); + authorities->destroy(authorities); + + *type = TLS_CERTIFICATE_REQUEST; + this->state = STATE_CERTREQ_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Get the TLS curve of a given EC DH group + */ +static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this, + diffie_hellman_group_t group) +{ + diffie_hellman_group_t current; + tls_named_curve_t curve; + enumerator_t *enumerator; + + enumerator = this->crypto->create_ec_enumerator(this->crypto); + while (enumerator->enumerate(enumerator, ¤t, &curve)) + { + if (current == group) + { + enumerator->destroy(enumerator); + return curve; + } + } + enumerator->destroy(enumerator); + return 0; +} + +/** + * Check if the peer supports a given TLS curve + */ +bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve) +{ + tls_reader_t *reader; + u_int16_t current; + + if (!this->curves_received) + { /* none received, assume yes */ + return TRUE; + } + reader = tls_reader_create(this->curves); + while (reader->remaining(reader) && reader->read_uint16(reader, ¤t)) + { + if (current == curve) + { + reader->destroy(reader); + return TRUE; + } + } + reader->destroy(reader); + return FALSE; +} + +/** + * Try to find a curve supported by both, client and server + */ +static bool find_supported_curve(private_tls_server_t *this, + tls_named_curve_t *curve) +{ + tls_named_curve_t current; + enumerator_t *enumerator; + + enumerator = this->crypto->create_ec_enumerator(this->crypto); + while (enumerator->enumerate(enumerator, NULL, ¤t)) + { + if (peer_supports_curve(this, current)) + { + *curve = current; + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + return FALSE; +} + +/** + * Send Server key Exchange + */ +static status_t send_server_key_exchange(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer, + diffie_hellman_group_t group) +{ + diffie_hellman_params_t *params = NULL; + tls_named_curve_t curve; + chunk_t chunk; + + if (diffie_hellman_group_is_ec(group)) + { + curve = ec_group_to_curve(this, group); + if (!curve || (!peer_supports_curve(this, curve) && + !find_supported_curve(this, &curve))) + { + DBG1(DBG_TLS, "no EC group supported by client and server"); + this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE); + return NEED_MORE; + } + DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve); + writer->write_uint8(writer, TLS_ECC_NAMED_CURVE); + writer->write_uint16(writer, curve); + } + else + { + params = diffie_hellman_get_params(group); + if (!params) + { + DBG1(DBG_TLS, "no parameters found for DH group %N", + diffie_hellman_group_names, group); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group); + writer->write_data16(writer, params->prime); + writer->write_data16(writer, params->generator); + } + this->dh = lib->crypto->create_dh(lib->crypto, group); + if (!this->dh) + { + DBG1(DBG_TLS, "DH group %N not supported", + diffie_hellman_group_names, group); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + this->dh->get_my_public_value(this->dh, &chunk); + if (params) + { + writer->write_data16(writer, chunk); + } + else + { /* ECP uses 8bit length header only, but a point format */ + writer->write_uint8(writer, chunk.len + 1); + writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED); + writer->write_data(writer, chunk); + } + free(chunk.ptr); + + chunk = chunk_cat("ccc", chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random), writer->get_buf(writer)); + if (!this->private || !this->crypto->sign(this->crypto, this->private, + writer, chunk, this->hashsig)) + { + DBG1(DBG_TLS, "signing DH parameters failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + free(chunk.ptr); + return NEED_MORE; + } + free(chunk.ptr); + *type = TLS_SERVER_KEY_EXCHANGE; + this->state = STATE_KEY_EXCHANGE_SENT; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send Hello Done + */ +static status_t send_hello_done(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + *type = TLS_SERVER_HELLO_DONE; + this->state = STATE_HELLO_DONE; + this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); + return NEED_MORE; +} + +/** + * Send Finished + */ +static status_t send_finished(private_tls_server_t *this, + tls_handshake_type_t *type, tls_writer_t *writer) +{ + char buf[12]; + + if (!this->crypto->calculate_finished(this->crypto, "server finished", buf)) + { + DBG1(DBG_TLS, "calculating server finished data failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return FAILED; + } + + writer->write_data(writer, chunk_from_thing(buf)); + + *type = TLS_FINISHED; + this->state = STATE_FINISHED_SENT; + this->crypto->derive_eap_msk(this->crypto, + chunk_from_thing(this->client_random), + chunk_from_thing(this->server_random)); + return NEED_MORE; +} + +METHOD(tls_handshake_t, build, status_t, + private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer) +{ + diffie_hellman_group_t group; + + switch (this->state) + { + case STATE_HELLO_RECEIVED: + return send_server_hello(this, type, writer); + case STATE_HELLO_SENT: + return send_certificate(this, type, writer); + case STATE_CERT_SENT: + group = this->crypto->get_dh_group(this->crypto); + if (group) + { + return send_server_key_exchange(this, type, writer, group); + } + /* otherwise fall through to next state */ + case STATE_KEY_EXCHANGE_SENT: + if (this->peer) + { + return send_certificate_request(this, type, writer); + } + /* otherwise fall through to next state */ + case STATE_CERTREQ_SENT: + return send_hello_done(this, type, writer); + case STATE_CIPHERSPEC_CHANGED_OUT: + return send_finished(this, type, writer); + case STATE_FINISHED_SENT: + return INVALID_STATE; + default: + return INVALID_STATE; + } +} + +METHOD(tls_handshake_t, cipherspec_changed, bool, + private_tls_server_t *this) +{ + if (this->state == STATE_FINISHED_RECEIVED) + { + this->crypto->change_cipher(this->crypto, FALSE); + this->state = STATE_CIPHERSPEC_CHANGED_OUT; + return TRUE; + } + return FALSE; +} + +METHOD(tls_handshake_t, change_cipherspec, bool, + private_tls_server_t *this) +{ + if ((this->peer && this->state == STATE_CERT_VERIFY_RECEIVED) || + (!this->peer && this->state == STATE_KEY_EXCHANGE_RECEIVED)) + { + this->crypto->change_cipher(this->crypto, TRUE); + this->state = STATE_CIPHERSPEC_CHANGED_IN; + return TRUE; + } + return FALSE; +} + +METHOD(tls_handshake_t, finished, bool, + private_tls_server_t *this) +{ + return this->state == STATE_FINISHED_SENT; +} + +METHOD(tls_handshake_t, destroy, void, + private_tls_server_t *this) +{ + DESTROY_IF(this->private); + DESTROY_IF(this->dh); + this->peer_auth->destroy(this->peer_auth); + this->server_auth->destroy(this->server_auth); + free(this->hashsig.ptr); + free(this->curves.ptr); + free(this); +} + +/** + * See header + */ +tls_server_t *tls_server_create(tls_t *tls, + tls_crypto_t *crypto, tls_alert_t *alert, + identification_t *server, identification_t *peer) +{ + private_tls_server_t *this; + + INIT(this, + .public = { + .handshake = { + .process = _process, + .build = _build, + .cipherspec_changed = _cipherspec_changed, + .change_cipherspec = _change_cipherspec, + .finished = _finished, + .destroy = _destroy, + }, + }, + .tls = tls, + .crypto = crypto, + .alert = alert, + .server = server, + .peer = peer, + .state = STATE_INIT, + .peer_auth = auth_cfg_create(), + .server_auth = auth_cfg_create(), + ); + + return &this->public; +} diff --git a/src/libtls/tls_server.h b/src/libtls/tls_server.h new file mode 100644 index 000000000..6289dc8eb --- /dev/null +++ b/src/libtls/tls_server.h @@ -0,0 +1,55 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_server tls_server + * @{ @ingroup libtls + */ + +#ifndef TLS_SERVER_H_ +#define TLS_SERVER_H_ + +typedef struct tls_server_t tls_server_t; + +#include "tls_handshake.h" +#include "tls_crypto.h" + +#include <library.h> + +/** + * TLS handshake protocol handler as peer. + */ +struct tls_server_t { + + /** + * Implements the TLS handshake protocol handler. + */ + tls_handshake_t handshake; +}; + +/** + * Create a tls_server instance. + * + * @param tls TLS stack + * @param crypto TLS crypto helper + * @param alert TLS alert handler + * @param server server identity + * @param peer peer identity + */ +tls_server_t *tls_server_create(tls_t *tls, + tls_crypto_t *crypto, tls_alert_t *alert, + identification_t *server, identification_t *peer); + +#endif /** TLS_SERVER_H_ @}*/ diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c new file mode 100644 index 000000000..e0c440a4c --- /dev/null +++ b/src/libtls/tls_socket.c @@ -0,0 +1,219 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_socket.h" + +#include <unistd.h> + +#include <debug.h> + +typedef struct private_tls_socket_t private_tls_socket_t; +typedef struct private_tls_application_t private_tls_application_t; + +struct private_tls_application_t { + + /** + * Implements tls_application layer. + */ + tls_application_t application; + + /** + * Chunk of data to send + */ + chunk_t out; + + /** + * Chunk of data received + */ + chunk_t in; +}; + +/** + * Private data of an tls_socket_t object. + */ +struct private_tls_socket_t { + + /** + * Public tls_socket_t interface. + */ + tls_socket_t public; + + /** + * TLS application implementation + */ + private_tls_application_t app; + + /** + * TLS stack + */ + tls_t *tls; + + /** + * Underlying OS socket + */ + int fd; +}; + +METHOD(tls_application_t, process, status_t, + private_tls_application_t *this, tls_reader_t *reader) +{ + chunk_t data; + + if (!reader->read_data(reader, reader->remaining(reader), &data)) + { + return FAILED; + } + this->in = chunk_cat("mc", this->in, data); + return NEED_MORE; +} + +METHOD(tls_application_t, build, status_t, + private_tls_application_t *this, tls_writer_t *writer) +{ + if (this->out.len) + { + writer->write_data(writer, this->out); + this->out = chunk_empty; + return NEED_MORE; + } + return INVALID_STATE; +} + +/** + * TLS data exchange loop + */ +static bool exchange(private_tls_socket_t *this, bool wr) +{ + char buf[1024]; + ssize_t len; + int round = 0; + + for (round = 0; TRUE; round++) + { + while (TRUE) + { + len = sizeof(buf); + switch (this->tls->build(this->tls, buf, &len, NULL)) + { + case NEED_MORE: + case ALREADY_DONE: + len = write(this->fd, buf, len); + if (len == -1) + { + return FALSE; + } + continue; + case INVALID_STATE: + break; + default: + return FALSE; + } + break; + } + if (wr) + { + if (this->app.out.len == 0) + { /* all data written */ + return TRUE; + } + } + else + { + if (this->app.in.len) + { /* some data received */ + return TRUE; + } + if (round > 0) + { /* did some handshaking, return empty chunk to not block */ + return TRUE; + } + } + len = read(this->fd, buf, sizeof(buf)); + if (len <= 0) + { + return FALSE; + } + if (this->tls->process(this->tls, buf, len) != NEED_MORE) + { + return FALSE; + } + } +} + +METHOD(tls_socket_t, read_, bool, + private_tls_socket_t *this, chunk_t *buf) +{ + if (exchange(this, FALSE)) + { + *buf = this->app.in; + this->app.in = chunk_empty; + return TRUE; + } + return FALSE; +} + +METHOD(tls_socket_t, write_, bool, + private_tls_socket_t *this, chunk_t buf) +{ + this->app.out = buf; + if (exchange(this, TRUE)) + { + return TRUE; + } + return FALSE; +} + +METHOD(tls_socket_t, destroy, void, + private_tls_socket_t *this) +{ + this->tls->destroy(this->tls); + free(this->app.in.ptr); + free(this); +} + +/** + * See header + */ +tls_socket_t *tls_socket_create(bool is_server, identification_t *server, + identification_t *peer, int fd) +{ + private_tls_socket_t *this; + + INIT(this, + .public = { + .read = _read_, + .write = _write_, + .destroy = _destroy, + }, + .app = { + .application = { + .build = _build, + .process = _process, + .destroy = (void*)nop, + }, + }, + .fd = fd, + ); + + this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC, + &this->app.application); + if (!this->tls) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h new file mode 100644 index 000000000..ac714a385 --- /dev/null +++ b/src/libtls/tls_socket.h @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_socket tls_socket + * @{ @ingroup libtls + */ + +#ifndef TLS_SOCKET_H_ +#define TLS_SOCKET_H_ + +#include "tls.h" + +typedef struct tls_socket_t tls_socket_t; + +/** + * TLS secured socket. + * + * Wraps a blocking (socket) file descriptor for a reliable transport into a + * TLS secured socket. TLS negotiation happens on demand, certificates and + * private keys are fetched from any registered credential set. + */ +struct tls_socket_t { + + /** + * Read data from secured socket, return allocated chunk. + * + * This call is blocking, you may use select() on the underlying socket to + * wait for data. If the there was non-application data available, the + * read function can return an empty chunk. + * + * @param data pointer to allocate received data + * @return TRUE if data received successfully + */ + bool (*read)(tls_socket_t *this, chunk_t *data); + + /** + * Write a chunk of data over the secured socket. + * + * @param data data to send + * @return TRUE if data sent successfully + */ + bool (*write)(tls_socket_t *this, chunk_t data); + + /** + * Destroy a tls_socket_t. + */ + void (*destroy)(tls_socket_t *this); +}; + +/** + * Create a tls_socket instance. + * + * @param is_server TRUE to act as TLS server + * @param server server identity + * @param peer client identity, NULL for no client authentication + * @param fd socket to read/write from + * @return TLS socket wrapper + */ +tls_socket_t *tls_socket_create(bool is_server, identification_t *server, + identification_t *peer, int fd); + +#endif /** TLS_SOCKET_H_ @}*/ diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c new file mode 100644 index 000000000..235dc2cdf --- /dev/null +++ b/src/libtls/tls_writer.c @@ -0,0 +1,237 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_writer.h" + +typedef struct private_tls_writer_t private_tls_writer_t; + +/** + * Private data of an tls_writer_t object. + */ +struct private_tls_writer_t { + + /** + * Public tls_writer_t interface. + */ + tls_writer_t public; + + /** + * Allocated buffer + */ + chunk_t buf; + + /** + * Used bytes in buffer + */ + size_t used; + + /** + * Number of bytes to increase buffer size + */ + size_t increase; +}; + +/** + * Increase buffer size + */ +static void increase(private_tls_writer_t *this) +{ + this->buf.len += this->increase; + this->buf.ptr = realloc(this->buf.ptr, this->buf.len); +} + +METHOD(tls_writer_t, write_uint8, void, + private_tls_writer_t *this, u_int8_t value) +{ + if (this->used + 1 > this->buf.len) + { + increase(this); + } + this->buf.ptr[this->used] = value; + this->used += 1; +} + +METHOD(tls_writer_t, write_uint16, void, + private_tls_writer_t *this, u_int16_t value) +{ + if (this->used + 2 > this->buf.len) + { + increase(this); + } + htoun16(this->buf.ptr + this->used, value); + this->used += 2; +} + +METHOD(tls_writer_t, write_uint24, void, + private_tls_writer_t *this, u_int32_t value) +{ + if (this->used + 3 > this->buf.len) + { + increase(this); + } + value = htonl(value); + memcpy(this->buf.ptr + this->used, ((char*)&value) + 1, 3); + this->used += 3; +} + +METHOD(tls_writer_t, write_uint32, void, + private_tls_writer_t *this, u_int32_t value) +{ + if (this->used + 4 > this->buf.len) + { + increase(this); + } + htoun32(this->buf.ptr + this->used, value); + this->used += 4; +} + +METHOD(tls_writer_t, write_data, void, + private_tls_writer_t *this, chunk_t value) +{ + while (this->used + value.len > this->buf.len) + { + increase(this); + } + memcpy(this->buf.ptr + this->used, value.ptr, value.len); + this->used += value.len; +} + +METHOD(tls_writer_t, write_data8, void, + private_tls_writer_t *this, chunk_t value) +{ + write_uint8(this, value.len); + write_data(this, value); +} + +METHOD(tls_writer_t, write_data16, void, + private_tls_writer_t *this, chunk_t value) +{ + write_uint16(this, value.len); + write_data(this, value); +} + +METHOD(tls_writer_t, write_data24, void, + private_tls_writer_t *this, chunk_t value) +{ + write_uint24(this, value.len); + write_data(this, value); +} + +METHOD(tls_writer_t, write_data32, void, + private_tls_writer_t *this, chunk_t value) +{ + write_uint32(this, value.len); + write_data(this, value); +} + +METHOD(tls_writer_t, wrap8, void, + private_tls_writer_t *this) +{ + if (this->used + 1 > this->buf.len) + { + increase(this); + } + memmove(this->buf.ptr + 1, this->buf.ptr, 1); + this->buf.ptr[0] = this->used; + this->used += 1; +} + +METHOD(tls_writer_t, wrap16, void, + private_tls_writer_t *this) +{ + if (this->used + 2 > this->buf.len) + { + increase(this); + } + memmove(this->buf.ptr + 2, this->buf.ptr, 2); + htoun16(this->buf.ptr, this->used); + this->used += 2; +} + +METHOD(tls_writer_t, wrap24, void, + private_tls_writer_t *this) +{ + u_int32_t len; + + if (this->used + 3 > this->buf.len) + { + increase(this); + } + memmove(this->buf.ptr + 3, this->buf.ptr, 3); + + len = htonl(this->used); + memcpy(this->buf.ptr, ((char*)&len) + 1, 3); + this->used += 3; +} + +METHOD(tls_writer_t, wrap32, void, + private_tls_writer_t *this) +{ + if (this->used + 4 > this->buf.len) + { + increase(this); + } + memmove(this->buf.ptr + 4, this->buf.ptr, 4); + htoun32(this->buf.ptr, this->used); + this->used += 4; +} + +METHOD(tls_writer_t, get_buf, chunk_t, + private_tls_writer_t *this) +{ + return chunk_create(this->buf.ptr, this->used); +} + +METHOD(tls_writer_t, destroy, void, + private_tls_writer_t *this) +{ + free(this->buf.ptr); + free(this); +} + +/** + * See header + */ +tls_writer_t *tls_writer_create(u_int32_t bufsize) +{ + private_tls_writer_t *this; + + INIT(this, + .public = { + .write_uint8 = _write_uint8, + .write_uint16 = _write_uint16, + .write_uint24 = _write_uint24, + .write_uint32 = _write_uint32, + .write_data = _write_data, + .write_data8 = _write_data8, + .write_data16 = _write_data16, + .write_data24 = _write_data24, + .write_data32 = _write_data32, + .wrap8 = _wrap8, + .wrap16 = _wrap16, + .wrap24 = _wrap24, + .wrap32 = _wrap32, + .get_buf = _get_buf, + .destroy = _destroy, + }, + .increase = bufsize ?: 32, + ); + if (bufsize) + { + this->buf = chunk_alloc(bufsize); + } + + return &this->public; +} diff --git a/src/libtls/tls_writer.h b/src/libtls/tls_writer.h new file mode 100644 index 000000000..d3f09d5da --- /dev/null +++ b/src/libtls/tls_writer.h @@ -0,0 +1,136 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_writer tls_writer + * @{ @ingroup libtls + */ + +#ifndef TLS_WRITER_H_ +#define TLS_WRITER_H_ + +typedef struct tls_writer_t tls_writer_t; + +#include <library.h> + +/** + * TLS record generator. + */ +struct tls_writer_t { + + /** + * Append a 8-bit integer to the buffer. + * + * @param value value to append + */ + void (*write_uint8)(tls_writer_t *this, u_int8_t value); + + /** + * Append a 16-bit integer to the buffer. + * + * @param value value to append + */ + void (*write_uint16)(tls_writer_t *this, u_int16_t value); + + /** + * Append a 24-bit integer to the buffer. + * + * @param value value to append + */ + void (*write_uint24)(tls_writer_t *this, u_int32_t value); + + /** + * Append a 32-bit integer to the buffer. + * + * @param value value to append + */ + void (*write_uint32)(tls_writer_t *this, u_int32_t value); + + /** + * Append a chunk of data without a length header. + * + * @param value value to append + */ + void (*write_data)(tls_writer_t *this, chunk_t value); + + /** + * Append a chunk of data with a 8-bit length header. + * + * @param value value to append + */ + void (*write_data8)(tls_writer_t *this, chunk_t value); + + /** + * Append a chunk of data with a 16-bit length header. + * + * @param value value to append + */ + void (*write_data16)(tls_writer_t *this, chunk_t value); + + /** + * Append a chunk of data with a 24-bit length header. + * + * @param value value to append + */ + void (*write_data24)(tls_writer_t *this, chunk_t value); + + /** + * Append a chunk of data with a 32-bit length header. + * + * @param value value to append + */ + void (*write_data32)(tls_writer_t *this, chunk_t value); + + /** + * Prepend a 8-bit length header to existing data. + */ + void (*wrap8)(tls_writer_t *this); + + /** + * Prepend a 16-bit length header to existing data. + */ + void (*wrap16)(tls_writer_t *this); + + /** + * Prepend a 24-bit length header to existing data. + */ + void (*wrap24)(tls_writer_t *this); + + /** + * Prepend a 32-bit length header to existing data. + */ + void (*wrap32)(tls_writer_t *this); + + /** + * Get the encoded data buffer. + * + * @return chunk to internal buffer + */ + chunk_t (*get_buf)(tls_writer_t *this); + + /** + * Destroy a tls_writer_t. + */ + void (*destroy)(tls_writer_t *this); +}; + +/** + * Create a tls_writer instance. + * + * @param bufsize initially allocated buffer size + */ +tls_writer_t *tls_writer_create(u_int32_t bufsize); + +#endif /** TLS_WRITER_H_ @}*/ diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am index e67335673..045c77896 100644 --- a/src/manager/Makefile.am +++ b/src/manager/Makefile.am @@ -17,7 +17,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C AM_CFLAGS = -rdynamic \ -DIPSECDIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${manager_plugins}\"" # Don't forget to add templates to EXTRA_DIST !!! How to automate? manager_templatesdir = ${managerdir}/templates diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 63a892ee7..5073d9686 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -181,6 +182,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -212,14 +215,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -234,24 +240,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -259,7 +272,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -285,7 +301,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C AM_CFLAGS = -rdynamic \ -DIPSECDIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${manager_plugins}\"" # Don't forget to add templates to EXTRA_DIST !!! How to automate? diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am index bdec08190..171b086cf 100644 --- a/src/medsrv/Makefile.am +++ b/src/medsrv/Makefile.am @@ -14,7 +14,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast AM_CFLAGS = -rdynamic \ -DIPSECDIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${medsrv_plugins}\"" # Don't forget to add templates to EXTRA_DIST !!! How to automate? medsrv_templatesdir = ${medsrvdir}/templates diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 415c35e79..07315cfd2 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +205,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +262,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -272,7 +288,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast AM_CFLAGS = -rdynamic \ -DIPSECDIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${medsrv_plugins}\"" # Don't forget to add templates to EXTRA_DIST !!! How to automate? diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am index a278cdd17..0be040e87 100644 --- a/src/openac/Makefile.am +++ b/src/openac/Makefile.am @@ -5,6 +5,6 @@ dist_man_MANS = openac.8 INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${openac_plugins}\"" openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la openac.o : $(top_builddir)/config.status diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 578ab7d39..fcac66226 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -260,7 +276,7 @@ dist_man_MANS = openac.8 INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${openac_plugins}\"" openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am diff --git a/src/openac/openac.c b/src/openac/openac.c index 3f28b0ac4..5de8f5b7c 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -36,6 +36,7 @@ #include <credentials/certificates/x509.h> #include <credentials/certificates/ac.h> #include <credentials/keys/private_key.h> +#include <credentials/sets/mem_cred.h> #include <utils/optionsfrom.h> #define OPENAC_PATH IPSEC_CONFDIR "/openac" @@ -437,10 +438,19 @@ int main(int argc, char **argv) /* load the signer's RSA private key */ if (keyfile != NULL) { + mem_cred_t *mem; + shared_key_t *shared; + + mem = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &mem->set); + shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, + chunk_clone(passphrase)); + mem->add_shared(mem, shared, NULL); signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, BUILD_FROM_FILE, keyfile, - BUILD_PASSPHRASE, passphrase, BUILD_END); + lib->credmgr->remove_set(lib->credmgr, &mem->set); + mem->destroy(mem); if (signerKey == NULL) { goto end; diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index 99e9bc581..482f83834 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -16,4 +16,4 @@ pki.o : $(top_builddir)/config.status INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${pki_plugins}\"" diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 8f08777bb..0ec6f9c0b 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -173,14 +176,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -220,7 +233,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -246,7 +262,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \ pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ - -DPLUGINS=\""${libstrongswan_plugins}\"" + -DPLUGINS=\""${pki_plugins}\"" all: all-am diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 2002cd555..8ea852e31 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -35,7 +35,7 @@ static int issue() public_key_t *public = NULL; bool pkcs10 = FALSE; char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; - char *error = NULL; + char *error = NULL, *keyid = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp; int lifetime = 1095; @@ -85,6 +85,9 @@ static int issue() case 'k': cakey = arg; continue; + case 'x': + keyid = arg; + continue; case 'd': dn = arg; continue; @@ -153,9 +156,9 @@ static int issue() error = "--cacert is required"; goto usage; } - if (!cakey) + if (!cakey && !keyid) { - error = "--cakey is required"; + error = "--cakey or --keyid is required"; goto usage; } if (dn) @@ -190,12 +193,24 @@ static int issue() } DBG2(DBG_LIB, "Reading ca private key:"); - private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - public->get_type(public), - BUILD_FROM_FILE, cakey, BUILD_END); + if (cakey) + { + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, cakey, BUILD_END); + } + else + { + chunk_t chunk; + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } if (!private) { - error = "parsing CA private key failed"; + error = "loading CA private key failed"; goto end; } if (!private->belongs_to(private, public)) @@ -354,8 +369,8 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { issue, 'i', "issue", "issue a certificate using a CA certificate and key", - {"[--in file] [--type pub|pkcs10]", - " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+", + {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", + " --cacert file --dn subject-dn [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, @@ -365,6 +380,7 @@ static void __attribute__ ((constructor))reg() {"type", 't', 1, "type of input, default: pub"}, {"cacert", 'c', 1, "CA certificate file"}, {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, {"dn", 'd', 1, "distinguished name to include as subject"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 6d5462783..870dca920 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -17,6 +17,7 @@ #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> +#include <credentials/certificates/crl.h> #include <selectors/traffic_selector.h> #include <time.h> @@ -29,7 +30,7 @@ static void print_pubkey(public_key_t *key) chunk_t chunk; printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key), - key->get_keysize(key) * 8); + key->get_keysize(key)); if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) { printf("keyid: %#B\n", &chunk); @@ -202,6 +203,44 @@ static void print_x509(x509_t *x509) } /** + * Print CRL specific information + */ +static void print_crl(crl_t *crl) +{ + enumerator_t *enumerator; + time_t ts; + crl_reason_t reason; + chunk_t chunk; + int count = 0; + char buf[64]; + struct tm tm; + + chunk = crl->get_serial(crl); + printf("serial: %#B\n", &chunk); + chunk = crl->get_authKeyIdentifier(crl); + printf("authKeyId: %#B\n", &chunk); + + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + count++; + } + enumerator->destroy(enumerator); + + printf("%d revoked certificate%s%s\n", count, + count == 1 ? "" : "s", count ? ":" : ""); + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + localtime_r(&ts, &tm); + strftime(buf, sizeof(buf), "%F %T", &tm); + printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); + count++; + } + enumerator->destroy(enumerator); +} + +/** * Print certificate information */ static void print_cert(certificate_t *cert) @@ -212,7 +251,10 @@ static void print_cert(certificate_t *cert) now = time(NULL); printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); - printf("subject: \"%Y\"\n", cert->get_subject(cert)); + if (cert->get_type(cert) != CERT_X509_CRL) + { + printf("subject: \"%Y\"\n", cert->get_subject(cert)); + } printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); cert->get_validity(cert, &now, ¬Before, ¬After); @@ -240,22 +282,20 @@ static void print_cert(certificate_t *cert) case CERT_X509: print_x509((x509_t*)cert); break; + case CERT_X509_CRL: + print_crl((crl_t*)cert); + break; default: printf("parsing certificate subtype %N not implemented\n", certificate_type_names, cert->get_type(cert)); break; } - key = cert->get_public_key(cert); if (key) { print_pubkey(key); key->destroy(key); } - else - { - printf("unable to extract public key\n"); - } } /** @@ -280,6 +320,11 @@ static int print() type = CRED_CERTIFICATE; subtype = CERT_X509; } + else if (streq(arg, "crl")) + { + type = CRED_CERTIFICATE; + subtype = CERT_X509_CRL; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -358,7 +403,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"}, + {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index fc2614c7d..30078a8fa 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -30,7 +30,7 @@ static int pub() private_key_t *private; public_key_t *public; chunk_t encoding; - char *file = NULL; + char *file = NULL, *keyid = NULL; void *cred; char *arg; @@ -75,6 +75,9 @@ static int pub() case 'i': file = arg; continue; + case 'x': + keyid = arg; + continue; case EOF: break; default: @@ -87,6 +90,15 @@ static int pub() cred = lib->creds->create(lib->creds, type, subtype, BUILD_FROM_FILE, file, BUILD_END); } + else if (keyid) + { + chunk_t chunk; + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } else { cred = lib->creds->create(lib->creds, type, subtype, @@ -145,10 +157,12 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { pub, 'p', "pub", "extract the public key from a private key/certificate", - {"[--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]"}, + {"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]", + "[--outform der|pem|pgp]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, {"type", 't', 1, "type of credential, default: rsa"}, {"outform", 'f', 1, "encoding of extracted public key"}, } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index a1ae2f515..d1ca45e1a 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -127,7 +127,7 @@ static int req() BUILD_SIGNING_KEY, private, BUILD_SUBJECT, id, BUILD_SUBJECT_ALTNAMES, san, - BUILD_PASSPHRASE, challenge_password, + BUILD_CHALLENGE_PWD, challenge_password, BUILD_DIGEST_ALG, digest, BUILD_END); if (!cert) diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 71776c745..5e6f0bd14 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -32,7 +32,7 @@ static int self() certificate_t *cert = NULL; private_key_t *private = NULL; public_key_t *public = NULL; - char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL; + char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL; identification_t *id = NULL; linked_list_t *san, *ocsp; int lifetime = 1095; @@ -78,6 +78,9 @@ static int self() case 'i': file = arg; continue; + case 'x': + keyid = arg; + continue; case 'd': dn = arg; continue; @@ -149,6 +152,15 @@ static int self() private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, BUILD_FROM_FILE, file, BUILD_END); } + else if (keyid) + { + chunk_t chunk; + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } else { private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, @@ -156,7 +168,7 @@ static int self() } if (!private) { - error = "parsing private key failed"; + error = "loading private key failed"; goto end; } public = private->get_public_key(private); @@ -242,7 +254,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {"[--in file] [--type rsa|ecdsa]", + {"[--in file | --keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|ocspSigning]+", @@ -250,6 +262,7 @@ static void __attribute__ ((constructor))reg() { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, {"type", 't', 1, "type of input key, default: rsa"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index b7163a153..24bf9123f 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -110,7 +110,7 @@ static int sign_crl() x509_t *x509; hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; - char serial[512], crl_serial[8]; + char serial[512], crl_serial[8], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); @@ -143,6 +143,9 @@ static int sign_crl() case 'k': cakey = arg; continue; + case 'x': + keyid = arg; + continue; case 'a': lastupdate = arg; continue; @@ -245,9 +248,9 @@ static int sign_crl() error = "--cacert is required"; goto usage; } - if (!cakey) + if (!cakey && !keyid) { - error = "--cakey is required"; + error = "--cakey or --keyid is required"; goto usage; } @@ -270,12 +273,24 @@ static int sign_crl() error = "extracting CA certificate public key failed"; goto error; } - private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - public->get_type(public), - BUILD_FROM_FILE, cakey, BUILD_END); + if (cakey) + { + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, cakey, BUILD_END); + } + else + { + chunk_t chunk; + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } if (!private) { - error = "parsing CA private key failed"; + error = "loading CA private key failed"; goto error; } if (!private->belongs_to(private, public)) @@ -359,7 +374,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", - {"--cacert file --cakey file --lifetime days", + {"--cacert file --cakey file | --cakeyid hex --lifetime days", "[ [--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp]", @@ -369,6 +384,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, {"cert", 'z', 1, "certificate file to revoke"}, diff --git a/src/pki/pki.c b/src/pki/pki.c index d5dd03fa0..3005d2fcd 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -16,7 +16,10 @@ #include "command.h" #include "pki.h" +#include <unistd.h> + #include <debug.h> +#include <credentials/sets/callback_cred.h> /** * Convert a form string to a encoding type @@ -109,6 +112,67 @@ hash_algorithm_t get_digest(char *name) } /** + * Callback credential set pki uses + */ +static callback_cred_t *cb_set; + +/** + * Callback function to receive credentials + */ +static shared_key_t* cb(void *data, shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) +{ + char buf[64], *label, *secret; + + switch (type) + { + case SHARED_PIN: + label = "Smartcard PIN"; + break; + case SHARED_PRIVATE_KEY_PASS: + label = "Private key passphrase"; + break; + default: + return NULL; + } + snprintf(buf, sizeof(buf), "%s: ", label); + secret = getpass(buf); + if (secret) + { + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(type, + chunk_clone(chunk_create(secret, strlen(secret)))); + } + return NULL; +} + +/** + * Register PIN/Passphrase callback function + */ +static void add_callback() +{ + cb_set = callback_cred_create_shared(cb, NULL); + lib->credmgr->add_set(lib->credmgr, &cb_set->set); +} + +/** + * Unregister PIN/Passphrase callback function + */ +static void remove_callback() +{ + lib->credmgr->remove_set(lib->credmgr, &cb_set->set); + cb_set->destroy(cb_set); +} + +/** * Library initialization and operation parsing */ int main(int argc, char *argv[]) @@ -129,6 +193,9 @@ int main(int argc, char *argv[]) { exit(SS_RC_INITIALIZATION_FAILED); } + + add_callback(); + atexit(remove_callback); return command_dispatch(argc, argv); } diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 9f631ca28..934b11a46 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -18,6 +18,7 @@ db_ops.c db_ops.h \ defs.c defs.h \ demux.c demux.h \ dnskey.c dnskey.h \ +event_queue.c event_queue.h \ fetch.c fetch.h \ foodgroups.c foodgroups.h \ ike_alg.c ike_alg.h \ @@ -25,8 +26,6 @@ ipsec_doi.c ipsec_doi.h \ kameipsec.h \ kernel.c kernel.h \ kernel_alg.c kernel_alg.h \ -kernel_netlink.c kernel_netlink.h \ -kernel_noklips.c kernel_noklips.h \ kernel_pfkey.c kernel_pfkey.h \ keys.c keys.h \ lex.c lex.h \ @@ -74,10 +73,10 @@ AM_CFLAGS = -rdynamic \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ --DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ +-DPLUGINS=\""${pluto_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \ --DPLUTO -DKLIPS -DDEBUG +-DPLUTO -DDEBUG pluto_LDADD = \ $(LIBSTRONGSWANDIR)/libstrongswan.la \ @@ -89,9 +88,7 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) -CLEANFILES = ipsec.secrets.5 -dist_man_MANS = pluto.8 ipsec.secrets.5 -EXTRA_DIST = ipsec.secrets.5.in +dist_man_MANS = pluto.8 # compile options ################# @@ -138,8 +135,3 @@ if USE_XAUTH SUBDIRS += plugins/xauth endif -ipsec.secrets.5 : ipsec.secrets.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ - diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 41fc4927e..080530f86 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -71,14 +71,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \ - "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" PROGRAMS = $(ipsec_PROGRAMS) am__pluto_adns_OBJECTS = adns.$(OBJEXT) _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS) @@ -89,17 +89,17 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \ certs.$(OBJEXT) connections.$(OBJEXT) constants.$(OBJEXT) \ cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \ db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \ - dnskey.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \ - ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \ - kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \ - kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \ - lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \ - nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \ - pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \ - rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \ - spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \ - vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \ - xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT) + dnskey.$(OBJEXT) event_queue.$(OBJEXT) fetch.$(OBJEXT) \ + foodgroups.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \ + kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) \ + keys.$(OBJEXT) lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) \ + modecfg.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \ + packet.$(OBJEXT) pkcs7.$(OBJEXT) pluto.$(OBJEXT) \ + plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \ + smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \ + timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \ + whack_attribute.$(OBJEXT) xauth_manager.$(OBJEXT) \ + x509.$(OBJEXT) builder.$(OBJEXT) pluto_OBJECTS = $(am_pluto_OBJECTS) pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ @@ -148,7 +148,6 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) @@ -251,6 +250,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -282,14 +283,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -304,24 +308,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -329,7 +340,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -355,6 +369,7 @@ db_ops.c db_ops.h \ defs.c defs.h \ demux.c demux.h \ dnskey.c dnskey.h \ +event_queue.c event_queue.h \ fetch.c fetch.h \ foodgroups.c foodgroups.h \ ike_alg.c ike_alg.h \ @@ -362,8 +377,6 @@ ipsec_doi.c ipsec_doi.h \ kameipsec.h \ kernel.c kernel.h \ kernel_alg.c kernel_alg.h \ -kernel_netlink.c kernel_netlink.h \ -kernel_noklips.c kernel_noklips.h \ kernel_pfkey.c kernel_pfkey.h \ keys.c keys.h \ lex.c lex.h \ @@ -405,11 +418,11 @@ INCLUDES = \ AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ - -DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ + -DPLUGINS=\""${pluto_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \ - -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ - $(am__append_1) $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_5) $(am__append_7) + -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_1) \ + $(am__append_2) $(am__append_3) $(am__append_4) \ + $(am__append_5) $(am__append_7) pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ -lresolv $(PTHREADLIB) $(DLLIB) $(am__append_6) @@ -417,9 +430,7 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) -CLEANFILES = ipsec.secrets.5 -dist_man_MANS = pluto.8 ipsec.secrets.5 -EXTRA_DIST = ipsec.secrets.5.in +dist_man_MANS = pluto.8 # build optional plugins ######################## @@ -529,14 +540,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_noklips.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@ @@ -601,44 +611,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(dist_man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" - @list=''; test -n "$(man5dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ - done; } - -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man5dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" @@ -889,7 +861,7 @@ check: check-recursive all-am: Makefile $(PROGRAMS) $(MANS) installdirs: installdirs-recursive installdirs-am: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-recursive @@ -909,7 +881,6 @@ install-strip: mostlyclean-generic: clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -957,7 +928,7 @@ install-info: install-info-recursive install-info-am: -install-man: install-man5 install-man8 +install-man: install-man8 install-pdf: install-pdf-recursive @@ -989,7 +960,7 @@ ps-am: uninstall-am: uninstall-ipsecPROGRAMS uninstall-man -uninstall-man: uninstall-man5 uninstall-man8 +uninstall-man: uninstall-man8 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ install-am install-strip tags-recursive @@ -1002,24 +973,18 @@ uninstall-man: uninstall-man5 uninstall-man8 html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ - install-info-am install-ipsecPROGRAMS install-man install-man5 \ - install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am \ - uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \ + install-info-am install-ipsecPROGRAMS install-man install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am uninstall-ipsecPROGRAMS uninstall-man \ uninstall-man8 plutomain.o : $(top_builddir)/config.status -ipsec.secrets.5 : ipsec.secrets.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c index 32fd46ef4..d06e09007 100644 --- a/src/pluto/alg_info.c +++ b/src/pluto/alg_info.c @@ -414,7 +414,7 @@ struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str) alg_info_esp = malloc_thing (struct alg_info_esp); zero(alg_info_esp); - pfs_name=index (alg_str, ';'); + pfs_name=strchr(alg_str, ';'); if (pfs_name) { memcpy(esp_buf, alg_str, pfs_name-alg_str); diff --git a/src/pluto/builder.c b/src/pluto/builder.c index 0cba32bcf..d7ec3feb9 100644 --- a/src/pluto/builder.c +++ b/src/pluto/builder.c @@ -136,9 +136,9 @@ static x509crl_t *builder_load_crl(certificate_type_t type, va_list args) void init_builder(void) { - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE, (builder_function_t)builder_load_cert); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE, (builder_function_t)builder_load_crl); } diff --git a/src/pluto/certs.c b/src/pluto/certs.c index 24e8ffb27..e866022df 100644 --- a/src/pluto/certs.c +++ b/src/pluto/certs.c @@ -74,20 +74,21 @@ void cert_free(cert_t *cert) cert_t* cert_add(cert_t *cert) { certificate_t *certificate = cert->cert; - cert_t *c = certs; + cert_t *c; - while (c != NULL) + lock_certs_and_keys("cert_add"); + + for (c = certs; c != NULL; c = c->next) { - if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */ - { + if (certificate->equals(certificate, c->cert)) + { /* already in chain, free cert */ + unlock_certs_and_keys("cert_add"); cert_free(cert); return c; } - c = c->next; } /* insert new cert at the root of the chain */ - lock_certs_and_keys("cert_add"); cert->next = certs; certs = cert; DBG(DBG_CONTROL | DBG_PARSING, @@ -98,90 +99,6 @@ cert_t* cert_add(cert_t *cert) } /** - * Passphrase callback to read from whack fd - */ -chunk_t whack_pass_cb(prompt_pass_t *pass, int try) -{ - int n; - - if (try > MAX_PROMPT_PASS_TRIALS) - { - whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials"); - return chunk_empty; - } - if (try == 1) - { - whack_log(RC_ENTERSECRET, "need passphrase for 'private key'"); - } - else - { - whack_log(RC_ENTERSECRET, "invalid passphrase, please try again"); - } - - n = read(pass->fd, pass->secret, PROMPT_PASS_LEN); - - if (n == -1) - { - whack_log(RC_LOG_SERIOUS, "read(whackfd) failed"); - return chunk_empty; - } - - pass->secret[n-1] = '\0'; - - if (strlen(pass->secret) == 0) - { - whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted"); - return chunk_empty; - } - return chunk_create(pass->secret, strlen(pass->secret)); -} - -/** - * Loads a PKCS#1 or PGP private key file - */ -private_key_t* load_private_key(char* filename, prompt_pass_t *pass, - key_type_t type) -{ - private_key_t *key = NULL; - char *path; - - path = concatenate_paths(PRIVATE_KEY_PATH, filename); - if (pass && pass->prompt && pass->fd != NULL_FD) - { /* use passphrase callback */ - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, - BUILD_FROM_FILE, path, - BUILD_PASSPHRASE_CALLBACK, whack_pass_cb, pass, - BUILD_END); - if (key) - { - whack_log(RC_SUCCESS, "valid passphrase"); - } - } - else if (pass) - { /* use a given passphrase */ - chunk_t password = chunk_create(pass->secret, strlen(pass->secret)); - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, - BUILD_FROM_FILE, path, - BUILD_PASSPHRASE, password, BUILD_END); - } - else - { /* no passphrase */ - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, - BUILD_FROM_FILE, path, BUILD_END); - - } - if (key) - { - plog(" loaded private key from '%s'", filename); - } - else - { - plog(" syntax error in private key file"); - } - return key; -} - -/** * Loads a X.509 or OpenPGP certificate */ cert_t* load_cert(char *filename, const char *label, x509_flag_t flags) @@ -316,7 +233,7 @@ void list_pgp_end_certs(bool utc) whack_log(RC_COMMENT, " pubkey: %N %4d bits%s", key_type_names, key->get_type(key), - key->get_keysize(key) * BITS_PER_BYTE, + key->get_keysize(key), has_private_key(cert)? ", has private key" : ""); if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid)) { diff --git a/src/pluto/certs.h b/src/pluto/certs.h index 21e856a3c..b31c4c3ed 100644 --- a/src/pluto/certs.h +++ b/src/pluto/certs.h @@ -65,8 +65,6 @@ extern const cert_t cert_empty; */ extern bool no_cr_send; -extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass, - key_type_t type); extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags); extern cert_t* load_host_cert(char *filename); extern cert_t* load_ca_cert(char *filename); diff --git a/src/pluto/connections.c b/src/pluto/connections.c index e1f47f2d6..9f277e135 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -297,6 +297,7 @@ void delete_connection(connection_t *c, bool relations) { modecfg_attribute_t *ca; connection_t *old_cur_connection; + identification_t *client_id; old_cur_connection = cur_connection == c? NULL : cur_connection; #ifdef DEBUG @@ -367,12 +368,14 @@ void delete_connection(connection_t *c, bool relations) free(c->spd.that.virt); } + client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id; + /* release virtual IP address lease if any */ if (c->spd.that.modecfg && c->spd.that.pool && !c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { hydra->attributes->release_address(hydra->attributes, c->spd.that.pool, - c->spd.that.host_srcip, c->spd.that.id); + c->spd.that.host_srcip, client_id); } /* release requested attributes if any */ @@ -388,7 +391,7 @@ void delete_connection(connection_t *c, bool relations) while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS) { hydra->attributes->release(hydra->attributes, ca->handler, - c->spd.that.id, ca->type, ca->value); + client_id, ca->type, ca->value); modecfg_attribute_destroy(ca); } c->attributes->destroy(c->attributes); @@ -536,7 +539,7 @@ void check_orientations(void) for (hp = host_pairs; hp != NULL; hp = hp->next) { if (sameaddr(&hp->him.addr, &i->addr) - && (!no_klips || hp->him.port == pluto_port)) + && hp->him.port == pluto_port) { /* bad news: the whole chain of connections * hanging off this host pair has both sides @@ -871,7 +874,8 @@ static void load_end_certificate(char *filename, struct end *dst) /* cache the certificate that was last retrieved from the smartcard */ if (dst->sc) { - if (!certificate->equals(certificate, dst->sc->last_cert->cert)) + if (!dst->sc->last_cert || + !certificate->equals(certificate, dst->sc->last_cert->cert)) { lock_certs_and_keys("load_end_certificates"); cert_release(dst->sc->last_cert); @@ -1077,7 +1081,7 @@ void add_connection(const whack_message_t *wm) if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp) { loglog(RC_COMMENT - , "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP" + , "ignoring --compress in \"%s\" because kernel does not support IPCOMP" , c->name); } @@ -1191,7 +1195,12 @@ void add_connection(const whack_message_t *wm) } c->spd.next = NULL; - c->spd.reqid = gen_reqid(); + c->spd.reqid = wm->reqid ?: gen_reqid(); + + c->spd.mark_in.value = wm->mark_in.value; + c->spd.mark_in.mask = wm->mark_in.mask; + c->spd.mark_out.value = wm->mark_out.value; + c->spd.mark_out.mask = wm->mark_out.mask; /* set internal fields */ c->instance_serial = 0; @@ -1884,7 +1893,7 @@ bool orient(connection_t *c) { /* check if this interface matches this end */ if (sameaddr(&sr->this.host_addr, &p->addr) - && (!no_klips || sr->this.host_port == pluto_port)) + && sr->this.host_port == pluto_port) { if (oriented(*c)) { @@ -1903,7 +1912,7 @@ bool orient(connection_t *c) /* done with this interface if it doesn't match that end */ if (!(sameaddr(&sr->that.host_addr, &p->addr) - && (!no_klips || sr->that.host_port == pluto_port))) + && sr->that.host_port == pluto_port)) break; /* swap ends and try again. @@ -2146,27 +2155,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh) } return; } - -#ifdef KLIPS - if (b->held) - { - /* Replace HOLD with b->failure_shunt. - * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE. - */ - if (b->failure_shunt == 0) - { - DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass" - , ocb, pcb)); - } - - (void) replace_bare_shunt(&b->our_client, &b->peer_client - , b->policy_prio - , b->failure_shunt - , b->failure_shunt != 0 - , b->transport_proto - , ugh); - } -#endif } static void initiate_opportunistic_body(struct find_oppo_bundle *b @@ -2203,16 +2191,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh) */ whack_log_fd = whackfd; -#ifdef KLIPS - /* Discover and record whether %hold has gone away. - * This could have happened while we were awaiting DNS. - * We must check BEFORE any call to cannot_oppo. - */ - if (was_held) - cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client - , cr->b.transport_proto); -#endif - #ifdef DEBUG /* if we're going to ignore the error, at least note it in debugging log */ if (cr->b.failure_ok && ugh) @@ -2424,7 +2402,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, /* We've found a connection that can serve. * Do we have to initiate it? * Not if there is currently an IPSEC SA. - * But if there is an IPSEC SA, then KLIPS would not + * But if there is an IPSEC SA, then the kernel would not * have generated the acquire. So we assume that there isn't one. * This may be redundant if a non-opportunistic * negotiation is already being attempted. @@ -2445,13 +2423,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, /* otherwise, there is some kind of static conn that can handle * this connection, so we initiate it */ -#ifdef KLIPS if (b->held) { /* what should we do on failure? */ (void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client); } -#endif ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } @@ -2816,21 +2792,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, "no suitable connection for opportunism " "between %s and %s with %Y as peer", ocb, pcb, ac->gateways_from_dns->gw_id); - -#ifdef KLIPS - if (b->held) - { - /* Replace HOLD with PASS. - * The type of replacement *ought* to be - * specified by policy. - */ - (void) replace_bare_shunt(&b->our_client, &b->peer_client - , BOTTOM_PRIO - , SPI_PASS /* fail into PASS */ - , TRUE, b->transport_proto - , "no suitable connection"); - } -#endif } else { @@ -2839,7 +2800,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, passert(c->gw_info != NULL); passert(HAS_IPSEC_POLICY(c->policy)); passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing)); -#ifdef KLIPS if (b->held) { /* what should we do on failure? */ @@ -2847,7 +2807,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, , b->transport_proto , &b->our_client, &b->peer_client); } -#endif c->gw_info->key->last_tried_time = now(); ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ @@ -3161,6 +3120,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp, { continue; } + if (src->mark_out.value != srd->mark_out.value) + { + continue; + } passert(oriented(*d)); if (srd->routing > best_routing) { @@ -3181,6 +3144,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp, { continue; } + if (src->mark_in.value != srd->mark_in.value) + { + continue; + } if (srd->routing > best_erouting) { best_ero = d; diff --git a/src/pluto/connections.h b/src/pluto/connections.h index b67f0b562..e3775fcb0 100644 --- a/src/pluto/connections.h +++ b/src/pluto/connections.h @@ -168,6 +168,8 @@ struct spd_route { so_serial_t eroute_owner; enum routing_t routing; /* level of routing in place */ uint32_t reqid; + mark_t mark_in; + mark_t mark_out; }; typedef struct connection connection_t; @@ -294,7 +296,7 @@ extern connection_t* find_connection_for_clients(struct spd_route **srp, const ip_address *peer_client, int transport_proto); extern void get_peer_ca_and_groups(connection_t *c, - identification_t **peer_ca, + identification_t **peer_ca, ietf_attributes_t **peer_attributes); /* instantiating routines diff --git a/src/pluto/constants.c b/src/pluto/constants.c index 63a37009b..ec7bfaf78 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -77,7 +77,6 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART, ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY, "EVENT_NULL", "EVENT_REINIT_SECRET", - "EVENT_SHUNT_SCAN", "EVENT_SO_DISCARD", "EVENT_RETRANSMIT", "EVENT_SA_REPLACE", @@ -112,7 +111,7 @@ const char *const debug_bit_names[] = { "emitting", "control", "lifecycle", - "klips", + "kernel", "dns", "natt", "oppo", @@ -132,6 +131,8 @@ const char *const debug_bit_names[] = { /* State of exchanges */ static const char *const state_name[] = { + "STATE_UNDEFINED", + "STATE_MAIN_R0", "STATE_MAIN_I1", "STATE_MAIN_R1", @@ -171,11 +172,12 @@ static const char *const state_name[] = { }; enum_names state_names = - { STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL }; + { STATE_UNDEFINED, STATE_IKE_ROOF-1, state_name, NULL }; /* story for state */ const char *const state_story[] = { + "undefined state after error", /* STATE_UNDEFINED */ "expecting MI1", /* STATE_MAIN_R0 */ "sent MI1, expecting MR1", /* STATE_MAIN_I1 */ "sent MR1, expecting MI2", /* STATE_MAIN_R1 */ @@ -411,7 +413,7 @@ enum_names esp_transform_names = static const char *const ipcomp_transform_name[] = { "IPCOMP_OUI", - "IPCOMP_DEFLAT", + "IPCOMP_DEFLATE", "IPCOMP_LZS", "IPCOMP_LZJH", }; diff --git a/src/pluto/constants.h b/src/pluto/constants.h index 790bbefa6..075579d6d 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h @@ -18,6 +18,8 @@ #include <freeswan.h> +#include <kernel/kernel_ipsec.h> + #include <utils.h> #include <utils/identification.h> #include <crypto/hashers/hasher.h> @@ -193,16 +195,9 @@ extern enum_names esp_transform_names; /* IPCOMP transform values * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5 + * now defined in kernel/kernel_ipsec.h */ -enum ipsec_comp_algo { - IPSCOMP_NONE = 0, - IPCOMP_OUI = 1, - IPCOMP_DEFLATE = 2, - IPCOMP_LZS = 3, - IPCOMP_LZJH = 4 -}; - extern enum_names ipcomp_transformid_names; /* Certificate type values @@ -251,9 +246,6 @@ extern enum_name_t *timer_event_names; enum event_type { EVENT_NULL, /* non-event */ EVENT_REINIT_SECRET, /* Refresh cookie secret */ -#ifdef KLIPS - EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */ -#endif EVENT_SO_DISCARD, /* discard unfinished state object */ EVENT_RETRANSMIT, /* Retransmit packet */ EVENT_SA_REPLACE, /* SA replacement event */ @@ -325,7 +317,7 @@ extern const char *const debug_bit_names[]; #define DBG_EMITTING LELEM(3) /* show encoding of messages */ #define DBG_CONTROL LELEM(4) /* control flow within Pluto */ #define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */ -#define DBG_KLIPS LELEM(6) /* messages to KLIPS */ +#define DBG_KERNEL LELEM(6) /* messages to kernel */ #define DBG_DNS LELEM(7) /* DNS activity */ #define DBG_NATT LELEM(8) /* NAT-T */ #define DBG_OPPO LELEM(9) /* opportunism */ @@ -376,11 +368,6 @@ extern const char *const state_story[]; enum state_kind { STATE_UNDEFINED, /* 0 -- most likely accident */ - /* Opportunism states: see "Opportunistic Encryption" 2.2 */ - - OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */ - OPPO_GW_DISCOVERED, /* got TXT specifying gateway */ - /* IKE states */ STATE_MAIN_R0, diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index a62e7632d..0684de618 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -1,6 +1,10 @@ /* crypto interfaces + * + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2007-2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 1998-2001 D. Hugh Redelmeier - * Copyright (C) 2007-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -26,10 +30,10 @@ static struct encrypt_desc encrypt_desc_3des = algo_id: OAKLEY_3DES_CBC, algo_next: NULL, - enc_blocksize: DES_BLOCK_SIZE, - keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + enc_blocksize: DES_BLOCK_SIZE, + keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, }; #define AES_KEY_MIN_LEN 128 @@ -38,14 +42,14 @@ static struct encrypt_desc encrypt_desc_3des = static struct encrypt_desc encrypt_desc_aes = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_AES_CBC, - algo_next: NULL, - - enc_blocksize: AES_BLOCK_SIZE, - keyminlen: AES_KEY_MIN_LEN, - keydeflen: AES_KEY_DEF_LEN, - keymaxlen: AES_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_AES_CBC, + algo_next: NULL, + + enc_blocksize: AES_BLOCK_SIZE, + keyminlen: AES_KEY_MIN_LEN, + keydeflen: AES_KEY_DEF_LEN, + keymaxlen: AES_KEY_MAX_LEN, }; #define CAMELLIA_KEY_MIN_LEN 128 @@ -54,14 +58,14 @@ static struct encrypt_desc encrypt_desc_aes = static struct encrypt_desc encrypt_desc_camellia = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_CAMELLIA_CBC, - algo_next: NULL, - - enc_blocksize: CAMELLIA_BLOCK_SIZE, - keyminlen: CAMELLIA_KEY_MIN_LEN, - keydeflen: CAMELLIA_KEY_DEF_LEN, - keymaxlen: CAMELLIA_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_CAMELLIA_CBC, + algo_next: NULL, + + enc_blocksize: CAMELLIA_BLOCK_SIZE, + keyminlen: CAMELLIA_KEY_MIN_LEN, + keydeflen: CAMELLIA_KEY_DEF_LEN, + keymaxlen: CAMELLIA_KEY_MAX_LEN, }; #define BLOWFISH_KEY_MIN_LEN 128 @@ -73,10 +77,10 @@ static struct encrypt_desc encrypt_desc_blowfish = algo_id: OAKLEY_BLOWFISH_CBC, algo_next: NULL, - enc_blocksize: BLOWFISH_BLOCK_SIZE, - keyminlen: BLOWFISH_KEY_MIN_LEN, - keydeflen: BLOWFISH_KEY_MIN_LEN, - keymaxlen: BLOWFISH_KEY_MAX_LEN, + enc_blocksize: BLOWFISH_BLOCK_SIZE, + keyminlen: BLOWFISH_KEY_MIN_LEN, + keydeflen: BLOWFISH_KEY_MIN_LEN, + keymaxlen: BLOWFISH_KEY_MAX_LEN, }; #define SERPENT_KEY_MIN_LEN 128 @@ -85,14 +89,14 @@ static struct encrypt_desc encrypt_desc_blowfish = static struct encrypt_desc encrypt_desc_serpent = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_SERPENT_CBC, - algo_next: NULL, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_SERPENT_CBC, + algo_next: NULL, enc_blocksize: SERPENT_BLOCK_SIZE, - keyminlen: SERPENT_KEY_MIN_LEN, - keydeflen: SERPENT_KEY_DEF_LEN, - keymaxlen: SERPENT_KEY_MAX_LEN, + keyminlen: SERPENT_KEY_MIN_LEN, + keydeflen: SERPENT_KEY_DEF_LEN, + keymaxlen: SERPENT_KEY_MAX_LEN, }; #define TWOFISH_KEY_MIN_LEN 128 @@ -101,62 +105,62 @@ static struct encrypt_desc encrypt_desc_serpent = static struct encrypt_desc encrypt_desc_twofish = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct encrypt_desc encrypt_desc_twofish_ssh = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC_SSH, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC_SSH, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct hash_desc hash_desc_md5 = { - algo_type: IKE_ALG_HASH, - algo_id: OAKLEY_MD5, - algo_next: NULL, + algo_type: IKE_ALG_HASH, + algo_id: OAKLEY_MD5, + algo_next: NULL, hash_digest_size: HASH_SIZE_MD5, }; static struct hash_desc hash_desc_sha1 = { - algo_type: IKE_ALG_HASH, - algo_id: OAKLEY_SHA, - algo_next: NULL, + algo_type: IKE_ALG_HASH, + algo_id: OAKLEY_SHA, + algo_next: NULL, hash_digest_size: HASH_SIZE_SHA1, }; static struct hash_desc hash_desc_sha2_256 = { - algo_type: IKE_ALG_HASH, - algo_id: OAKLEY_SHA2_256, - algo_next: NULL, + algo_type: IKE_ALG_HASH, + algo_id: OAKLEY_SHA2_256, + algo_next: NULL, hash_digest_size: HASH_SIZE_SHA256, }; static struct hash_desc hash_desc_sha2_384 = { - algo_type: IKE_ALG_HASH, - algo_id: OAKLEY_SHA2_384, - algo_next: NULL, + algo_type: IKE_ALG_HASH, + algo_id: OAKLEY_SHA2_384, + algo_next: NULL, hash_digest_size: HASH_SIZE_SHA384, }; static struct hash_desc hash_desc_sha2_512 = { - algo_type: IKE_ALG_HASH, - algo_id: OAKLEY_SHA2_512, - algo_next: NULL, + algo_type: IKE_ALG_HASH, + algo_id: OAKLEY_SHA2_512, + algo_next: NULL, hash_digest_size: HASH_SIZE_SHA512, }; @@ -518,107 +522,117 @@ signature_scheme_t oakley_to_signature_scheme(int method) } /** + * Table to map IKEv2 encryption algorithms to IKEv1 (or IKEv1 ESP) and back + */ +struct { + encryption_algorithm_t alg; + int oakley; + int esp; +} encr_map[] = { + {ENCR_DES, OAKLEY_DES_CBC, ESP_DES }, + {ENCR_3DES, OAKLEY_3DES_CBC, ESP_3DES }, + {ENCR_RC5, OAKLEY_RC5_R16_B64_CBC, ESP_RC5 }, + {ENCR_IDEA, OAKLEY_IDEA_CBC, ESP_IDEA }, + {ENCR_CAST, OAKLEY_CAST_CBC, ESP_CAST }, + {ENCR_BLOWFISH, OAKLEY_BLOWFISH_CBC, ESP_BLOWFISH }, + {ENCR_AES_CBC, OAKLEY_AES_CBC, ESP_AES }, + {ENCR_CAMELLIA_CBC, OAKLEY_CAMELLIA_CBC, ESP_CAMELLIA }, + {ENCR_SERPENT_CBC, OAKLEY_SERPENT_CBC, ESP_SERPENT }, + {ENCR_TWOFISH_CBC, OAKLEY_TWOFISH_CBC, ESP_TWOFISH }, + {ENCR_NULL, 0, ESP_NULL }, + {ENCR_AES_CTR, 0, ESP_AES_CTR }, + {ENCR_AES_CCM_ICV8, 0, ESP_AES_CCM_8 }, + {ENCR_AES_CCM_ICV12, 0, ESP_AES_CCM_12}, + {ENCR_AES_CCM_ICV16, 0, ESP_AES_CCM_16}, + {ENCR_AES_GCM_ICV8, 0, ESP_AES_GCM_8 }, + {ENCR_AES_GCM_ICV12, 0, ESP_AES_GCM_12}, + {ENCR_AES_GCM_ICV16, 0, ESP_AES_GCM_16}, + {ENCR_NULL_AUTH_AES_GMAC, 0, ESP_AES_GMAC }, +}; + +/** * Converts IKEv2 encryption to IKEv1 encryption algorithm */ int oakley_from_encryption_algorithm(encryption_algorithm_t alg) { - switch (alg) + int i; + for (i = 0; i < countof(encr_map); i++) { - case ENCR_DES: - return OAKLEY_DES_CBC; - case ENCR_3DES: - return OAKLEY_3DES_CBC; - case ENCR_RC5: - return OAKLEY_RC5_R16_B64_CBC; - case ENCR_IDEA: - return OAKLEY_IDEA_CBC; - case ENCR_CAST: - return OAKLEY_CAST_CBC; - case ENCR_BLOWFISH: - return OAKLEY_BLOWFISH_CBC; - case ENCR_AES_CBC: - return OAKLEY_AES_CBC; - case ENCR_CAMELLIA_CBC: - return OAKLEY_CAMELLIA_CBC; - case ENCR_SERPENT_CBC: - return OAKLEY_SERPENT_CBC; - case ENCR_TWOFISH_CBC: - return OAKLEY_TWOFISH_CBC; - default: - return 0; + if (encr_map[i].alg == alg) + { + return encr_map[i].oakley; + } } + return 0; } /** - * Converts IKEv2 integrity to IKEv1 hash algorithm + * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm */ -int oakley_from_integrity_algorithm(integrity_algorithm_t alg) +int esp_from_encryption_algorithm(encryption_algorithm_t alg) { - switch (alg) + int i; + for (i = 0; i < countof(encr_map); i++) { - case AUTH_HMAC_MD5_96: - return OAKLEY_MD5; - case AUTH_HMAC_SHA1_96: - return OAKLEY_SHA; - case AUTH_HMAC_SHA2_256_128: - return OAKLEY_SHA2_256; - case AUTH_HMAC_SHA2_384_192: - return OAKLEY_SHA2_384; - case AUTH_HMAC_SHA2_512_256: - return OAKLEY_SHA2_512; - default: - return 0; + if (encr_map[i].alg == alg) + { + return encr_map[i].esp; + } } + return 0; } /** - * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm + * Converts IKEv1 ESP encryption to IKEv2 algorithm */ -int esp_from_encryption_algorithm(encryption_algorithm_t alg) +encryption_algorithm_t encryption_algorithm_from_esp(int esp) { - switch (alg) + int i; + for (i = 0; i < countof(encr_map); i++) { - case ENCR_DES: - return ESP_DES; - case ENCR_3DES: - return ESP_3DES; - case ENCR_RC5: - return ESP_RC5; - case ENCR_IDEA: - return ESP_IDEA; - case ENCR_CAST: - return ESP_CAST; - case ENCR_BLOWFISH: - return ESP_BLOWFISH; - case ENCR_NULL: - return ESP_NULL; - case ENCR_AES_CBC: - return ESP_AES; - case ENCR_AES_CTR: - return ESP_AES_CTR; - case ENCR_AES_CCM_ICV8: - return ESP_AES_CCM_8; - case ENCR_AES_CCM_ICV12: - return ESP_AES_CCM_12; - case ENCR_AES_CCM_ICV16: - return ESP_AES_CCM_16; - case ENCR_AES_GCM_ICV8: - return ESP_AES_GCM_8; - case ENCR_AES_GCM_ICV12: - return ESP_AES_GCM_12; - case ENCR_AES_GCM_ICV16: - return ESP_AES_GCM_16; - case ENCR_CAMELLIA_CBC: - return ESP_CAMELLIA; - case ENCR_NULL_AUTH_AES_GMAC: - return ESP_AES_GMAC; - case ENCR_SERPENT_CBC: - return ESP_SERPENT; - case ENCR_TWOFISH_CBC: - return ESP_TWOFISH; - default: - return 0; + if (encr_map[i].esp == esp) + { + return encr_map[i].alg; + } + } + return 0; +} + +/** + * Table to map IKEv2 integrity algorithms to IKEv1 (or IKEv1 ESP) and back + */ +struct { + integrity_algorithm_t alg; + int oakley; + int esp; +} auth_map[] = { + {AUTH_HMAC_MD5_96, OAKLEY_MD5, AUTH_ALGORITHM_HMAC_MD5 }, + {AUTH_HMAC_SHA1_96, OAKLEY_SHA, AUTH_ALGORITHM_HMAC_SHA1 }, + {AUTH_HMAC_SHA2_256_96, 0, AUTH_ALGORITHM_HMAC_SHA2_256_96}, + {AUTH_HMAC_SHA2_256_128, OAKLEY_SHA2_256, AUTH_ALGORITHM_HMAC_SHA2_256 }, + {AUTH_HMAC_SHA2_384_192, OAKLEY_SHA2_384, AUTH_ALGORITHM_HMAC_SHA2_384 }, + {AUTH_HMAC_SHA2_512_256, OAKLEY_SHA2_512, AUTH_ALGORITHM_HMAC_SHA2_512 }, + {AUTH_AES_XCBC_96, 0, AUTH_ALGORITHM_AES_XCBC_MAC }, + {AUTH_AES_128_GMAC, 0, AUTH_ALGORITHM_AES_128_GMAC }, + {AUTH_AES_192_GMAC, 0, AUTH_ALGORITHM_AES_192_GMAC }, + {AUTH_AES_256_GMAC, 0, AUTH_ALGORITHM_AES_256_GMAC }, +}; + + +/** + * Converts IKEv2 integrity to IKEv1 hash algorithm + */ +int oakley_from_integrity_algorithm(integrity_algorithm_t alg) +{ + int i; + for (i = 0; i < countof(auth_map); i++) + { + if (auth_map[i].alg == alg) + { + return auth_map[i].oakley; + } } + return 0; } /** @@ -626,29 +640,30 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg) */ int esp_from_integrity_algorithm(integrity_algorithm_t alg) { - switch (alg) + int i; + for (i = 0; i < countof(auth_map); i++) { - case AUTH_HMAC_MD5_96: - return AUTH_ALGORITHM_HMAC_MD5; - case AUTH_HMAC_SHA1_96: - return AUTH_ALGORITHM_HMAC_SHA1; - case AUTH_AES_XCBC_96: - return AUTH_ALGORITHM_AES_XCBC_MAC; - case AUTH_HMAC_SHA2_256_96: - return AUTH_ALGORITHM_HMAC_SHA2_256_96; - case AUTH_HMAC_SHA2_256_128: - return AUTH_ALGORITHM_HMAC_SHA2_256; - case AUTH_HMAC_SHA2_384_192: - return AUTH_ALGORITHM_HMAC_SHA2_384; - case AUTH_HMAC_SHA2_512_256: - return AUTH_ALGORITHM_HMAC_SHA2_512; - case AUTH_AES_128_GMAC: - return AUTH_ALGORITHM_AES_128_GMAC; - case AUTH_AES_192_GMAC: - return AUTH_ALGORITHM_AES_192_GMAC; - case AUTH_AES_256_GMAC: - return AUTH_ALGORITHM_AES_256_GMAC; - default: - return 0; + if (auth_map[i].alg == alg) + { + return auth_map[i].esp; + } } + return 0; } + +/** + * Converts IKEv1 ESP authentication to IKEv2 integrity algorithm + */ +integrity_algorithm_t integrity_algorithm_from_esp(int esp) +{ + int i; + for (i = 0; i < countof(auth_map); i++) + { + if (auth_map[i].esp == esp) + { + return auth_map[i].alg; + } + } + return 0; +} + diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h index 019ba5764..16ad12780 100644 --- a/src/pluto/crypto.h +++ b/src/pluto/crypto.h @@ -1,4 +1,9 @@ /* crypto interfaces + * + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 1998, 1999 D. Hugh Redelmeier. * * This program is free software; you can redistribute it and/or modify it @@ -54,4 +59,6 @@ extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg); extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg); extern int esp_from_encryption_algorithm(encryption_algorithm_t alg); extern int esp_from_integrity_algorithm(integrity_algorithm_t alg); +extern encryption_algorithm_t encryption_algorithm_from_esp(int esp); +extern integrity_algorithm_t integrity_algorithm_from_esp(int esp); diff --git a/src/pluto/defs.h b/src/pluto/defs.h index 8491f4ae8..532652e5b 100644 --- a/src/pluto/defs.h +++ b/src/pluto/defs.h @@ -21,12 +21,6 @@ #include <chunk.h> -#ifdef KLIPS -# define USED_BY_KLIPS /* ignore */ -#else -# define USED_BY_KLIPS UNUSED -#endif - #ifdef DEBUG # define USED_BY_DEBUG /* ignore */ #else @@ -66,15 +60,6 @@ extern const char* check_expiry(time_t expiration_date, #define MAX_PROMPT_PASS_TRIALS 5 #define PROMPT_PASS_LEN 64 -/* struct used to prompt for a secret passphrase - * from a console with file descriptor fd - */ -typedef struct { - char secret[PROMPT_PASS_LEN+1]; - bool prompt; - int fd; -} prompt_pass_t; - /* filter eliminating the directory entries '.' and '..' */ typedef struct dirent dirent_t; extern int file_select(const dirent_t *entry); diff --git a/src/pluto/demux.c b/src/pluto/demux.c index 617353c6c..0590a3585 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1782,7 +1782,7 @@ process_packet(struct msg_digest **mdp) * the last phase 1 block, not the last block sent. */ { - size_t crypter_block_size; + size_t crypter_block_size, crypter_iv_size; encryption_algorithm_t enc_alg; crypter_t *crypter; chunk_t data, iv; @@ -1791,6 +1791,7 @@ process_packet(struct msg_digest **mdp) enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt); crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len); crypter_block_size = crypter->get_block_size(crypter); + crypter_iv_size = crypter->get_iv_size(crypter); if (pbs_left(&md->message_pbs) % crypter_block_size != 0) { @@ -1817,17 +1818,17 @@ process_packet(struct msg_digest **mdp) } /* form iv by truncation */ - st->st_new_iv_len = crypter_block_size; + st->st_new_iv_len = crypter_iv_size; iv = chunk_create(st->st_new_iv, st->st_new_iv_len); - new_iv = alloca(crypter_block_size); - memcpy(new_iv, data.ptr + data.len - crypter_block_size, - crypter_block_size); + new_iv = alloca(crypter_iv_size); + memcpy(new_iv, data.ptr + data.len - crypter_iv_size, + crypter_iv_size); crypter->set_key(crypter, st->st_enc_key); crypter->decrypt(crypter, data, iv, NULL); crypter->destroy(crypter); - memcpy(st->st_new_iv, new_iv, crypter_block_size); + memcpy(st->st_new_iv, new_iv, crypter_iv_size); if (restore_iv) { memcpy(st->st_new_iv, new_iv, new_iv_len); @@ -2307,7 +2308,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result) /* tell whack and log of progress */ { - const char *story = state_story[st->st_state - STATE_MAIN_R0]; + const char *story = state_story[st->st_state]; enum rc_type w = RC_NEW_STATE + st->st_state; char sadetails[128]; diff --git a/src/pluto/event_queue.c b/src/pluto/event_queue.c new file mode 100644 index 000000000..55d064f26 --- /dev/null +++ b/src/pluto/event_queue.c @@ -0,0 +1,195 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <unistd.h> +#include <fcntl.h> + +#include "event_queue.h" + +#include <debug.h> +#include <threading/mutex.h> +#include <utils/linked_list.h> + +typedef struct private_event_queue_t private_event_queue_t; + +/** + * Private data of event_queue_t class. + */ +struct private_event_queue_t { + /** + * Public event_queue_t interface. + */ + event_queue_t public; + + /** + * List of queued events (event_t*). + */ + linked_list_t *events; + + /** + * Mutex for event list. + */ + mutex_t *mutex; + + /** + * Read end of the notification pipe. + */ + int read_fd; + + /** + * Write end of the notification pipe. + */ + int write_fd; + +}; + +typedef struct event_t event_t; + +struct event_t { + /** + * Callback function. + */ + void (*callback)(void *data); + + /** + * Data to supply to the callback. + */ + void *data; + + /** + * Cleanup function. + */ + void (*cleanup)(void *data); +}; + +static event_t *event_create(void (*callback)(void *data), void *data, + void (*cleanup)(void *data)) +{ + event_t *this; + INIT(this, + .callback = callback, + .data = data, + .cleanup = cleanup, + ); + return this; +} + +static void event_destroy(event_t *this) +{ + if (this->cleanup) + { + this->cleanup(this->data); + } + free(this); +} + +METHOD(event_queue_t, get_event_fd, int, + private_event_queue_t *this) +{ + return this->read_fd; +} + +METHOD(event_queue_t, handle, void, + private_event_queue_t *this) +{ + char buf[10]; + linked_list_t *events; + event_t *event; + this->mutex->lock(this->mutex); + /* flush pipe */ + while (read(this->read_fd, &buf, sizeof(buf)) == sizeof(buf)); + /* replace the list, so we can unlock the mutex while executing the jobs */ + events = this->events; + this->events = linked_list_create(); + this->mutex->unlock(this->mutex); + + while (events->remove_first(events, (void**)&event) == SUCCESS) + { + event->callback(event->data); + event_destroy(event); + } + events->destroy(events); +} + +METHOD(event_queue_t, queue, void, + private_event_queue_t *this, void (*callback)(void *data), void *data, + void (*cleanup)(void *data)) +{ + event_t *event = event_create(callback, data, cleanup); + char c = 0; + this->mutex->lock(this->mutex); + this->events->insert_last(this->events, event); + ignore_result(write(this->write_fd, &c, 1)); + this->mutex->unlock(this->mutex); +} + +METHOD(event_queue_t, destroy, void, + private_event_queue_t *this) +{ + this->mutex->lock(this->mutex); + this->events->destroy_function(this->events, (void*)event_destroy); + this->mutex->unlock(this->mutex); + this->mutex->destroy(this->mutex); + close(this->read_fd); + close(this->write_fd); + free(this); +} + +bool set_nonblock(int socket) +{ + int flags = fcntl(socket, F_GETFL); + return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1; +} + +bool set_cloexec(int socket) +{ + int flags = fcntl(socket, F_GETFD); + return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1; +} + +/* + * Described in header. + */ +event_queue_t *event_queue_create() +{ + private_event_queue_t *this; + int fd[2]; + + INIT(this, + .public = { + .get_event_fd = _get_event_fd, + .handle = _handle, + .queue = _queue, + .destroy = _destroy, + }, + .events = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + if (pipe(fd) == -1 || + !set_nonblock(fd[0]) || !set_cloexec(fd[0]) || + !set_nonblock(fd[1]) || !set_cloexec(fd[1])) + { + DBG1(DBG_JOB, "failed to create pipe for job queue"); + _destroy(this); + return NULL; + } + + this->read_fd = fd[0]; + this->write_fd = fd[1]; + + return &this->public; +} + diff --git a/src/pluto/event_queue.h b/src/pluto/event_queue.h new file mode 100644 index 000000000..343729e25 --- /dev/null +++ b/src/pluto/event_queue.h @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup event_queue event_queue + * @{ @ingroup pluto + */ + +#ifndef EVENT_QUEUE_H_ +#define EVENT_QUEUE_H_ + +typedef struct event_queue_t event_queue_t; + +/** + * The event queue facility can be used to synchronize thread-pool threads + * with the pluto main thread. That is, all queued callbacks are executed + * asynchronously by the pluto main thread. + */ +struct event_queue_t { + + /** + * Returns the file descriptor used to notify the main thread. + * + * @return fd to use in the main thread + */ + int (*get_event_fd) (event_queue_t *this); + + /** + * Handle all queued events. + */ + void (*handle) (event_queue_t *this); + + /** + * Add an event to the queue. + * + * @param callback callback function to add to the queue + * @param data data supplied to the callback function + * @param cleanup optional cleanup function + */ + void (*queue) (event_queue_t *this, void (*callback)(void *data), + void *data, void (*cleanup)(void *data)); + + /** + * Destroy this instance. + */ + void (*destroy) (event_queue_t *this); + +}; + +/** + * Create the event queue. + * + * @return created object + */ +event_queue_t *event_queue_create(); + +#endif /** EVENT_QUEUE_H_ @}*/ diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c index 7521dd33b..08353907e 100644 --- a/src/pluto/ike_alg.c +++ b/src/pluto/ike_alg.c @@ -194,18 +194,16 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy) if (policy & POLICY_PUBKEY) { - int auth_method = 0; - size_t key_size = 0; + int auth_method = 0, key_size = 0; key_type_t key_type = KEY_ANY; - if (c->spd.this.cert) { certificate_t *certificate = c->spd.this.cert->cert; public_key_t *key = certificate->get_public_key(certificate); if (key == NULL) - { + { plog("ike alg: unable to retrieve my public key"); continue; } @@ -233,13 +231,13 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy) case KEY_ECDSA: switch (key_size) { - case 32: + case 256: auth_method = OAKLEY_ECDSA_256; break; - case 48: + case 384: auth_method = OAKLEY_ECDSA_384; break; - case 66: + case 521: auth_method = OAKLEY_ECDSA_521; break; default: diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5 deleted file mode 100644 index 6c39f86e1..000000000 --- a/src/pluto/ipsec.secrets.5 +++ /dev/null @@ -1,175 +0,0 @@ -.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan" -.SH NAME -ipsec.secrets \- secrets for IKE/IPsec authentication -.SH DESCRIPTION -The file \fIipsec.secrets\fP holds a table of secrets. -These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons -pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. -.LP -It is vital that these secrets be protected. The file should be owned -by the super-user, -and its permissions should be set to block all access by others. -.LP -The file is a sequence of entries and include directives. -Here is an example. -.LP -.RS -.nf -# /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" - -: RSA moonKey.pem - -alice@strongswan.org : EAP "x3.dEhgN" - -: XAUTH carol "4iChxLT3" - -: XAUTH dave "ryftzG4A" - -# get secrets from other files -include ipsec.*.secrets -.fi -.RE -.LP -Each entry in the file is a list of optional ID selectors, followed by a secret. -The two parts are separated by a colon (\fB:\fP) that is surrounded -by whitespace. If no ID selectors are specified the line must start with a -colon. -.LP -A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written -in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded. -In many cases it is a bad idea to use domain names because -the name server may not be running or may be insecure. To denote a -Fully Qualified Domain Name (as opposed to an IP address denoted by -its domain name), precede the name with an at sign (\fB@\fP). -.LP -Matching IDs with selectors is fairly straightforward: they have to be -equal. In the case of a ``Road Warrior'' connection, if an equal -match is not found for the Peer's ID, and it is in the form of an IP -address, a selector of \fB%any\fP will match the peer's IP address if IPV4 -and \fB%any6\fP will match a the peer's IP address if IPV6. -Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of -\fB%any\fP. -.LP -In IKEv1 an additional complexity -arises in the case of authentication by preshared secret: the -responder will need to look up the secret before the Peer's ID payload has -been decoded, so the ID used will be the IP address. -.LP -To authenticate a connection between two hosts, the entry that most -specifically matches the host and peer IDs is used. An entry with no -selectors will match any host and peer. More specifically, an entry with one -selector will match a host and peer if the selector matches the host's ID (the -peer isn't considered). Still more specifically, an entry with multiple -selectors will match a host and peer if the host ID and peer ID each match one -of the selectors. If the key is for an asymmetric authentication technique -(i.e. a public key system such as RSA), an entry with multiple selectors will -match a host and peer even if only the host ID matches a selector (it is -presumed that the selectors are all identities of the host). -It is acceptable for two entries to be the best match as -long as they agree about the secret or private key. -.LP -Authentication by preshared secret requires that both systems find the -identical secret (the secret is not actually transmitted by the IKE -protocol). If both the host and peer appear in the selector list, the -same entry will be suitable for both systems so verbatim copying -between systems can be used. This naturally extends to larger groups -sharing the same secret. Thus multiple-selector entries are best for PSK -authentication. -.LP -Authentication by public key systems such as RSA requires that each host -have its own private key. A host could reasonably use a different private keys -for different interfaces and for different peers. But it would not -be normal to share entries between systems. Thus thus no-selector and -one-selector forms of entry often make sense for public key authentication. -.LP -The key part of an entry must start with a token indicating the kind of -key. The following types of secrets are currently supported: -.TP -.B PSK -defines a pre-shared key -.TP -.B RSA -defines an RSA private key -.TP -.B ECDSA -defines an ECDSA private key -.TP -.B EAP -defines EAP credentials -.TP -.B XAUTH -defines XAUTH credentials -.TP -.B PIN -defines a smartcard PIN -.LP -Details on each type of secret are given below. -.LP -Whitespace at the end of a line is ignored. At the start of a line or -after whitespace, \fB#\fP and the following text up to the end of the -line is treated as a comment. -.LP -An include directive causes the contents of the named file to be processed -before continuing with the current file. The filename is subject to -``globbing'' as in \fIsh\fP(1), so every file with a matching name -is processed. Includes may be nested to a modest -depth (10, currently). If the filename doesn't start with a \fB/\fP, the -directory containing the current file is prepended to the name. The -include directive is a line that starts with the word \fBinclude\fP, -followed by whitespace, followed by the filename (which must not contain -whitespace). -.SS TYPES OF SECRETS -.TP -.B [ <selectors> ] : PSK <secret> -A preshared secret is most conveniently represented as a sequence of -characters, delimited by double-quote characters (\fB"\fP). -The sequence cannot contain a newline or double-quote. -Strictly speaking, the secret is actually the sequence -of bytes that is used in the file to represent the sequence of -characters (excluding the delimiters). -.TP -.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] -.TQ -.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] -For the private key file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the private key file is -encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase -.B %prompt -can be used which then causes the daemons to ask the user for the password -whenever it is required to decrypt the key. -.TP -.B <user id> : EAP <secret> -As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, -delimited by double-quote characters (\fB"\fP). -.br -\fBEAP\fP secrets are IKEv2 only. -.TP -.B : XAUTH <username> <password> -\fBXAUTH\fP secrets are IKEv1 only. -.TP -.B : PIN <smartcard selector> <pin code> | %prompt -The format -.B "%smartcard[<slot nr>[:<key id>]]" -is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, -instead of specifying the pin code statically, -.B %prompt -can be specified, which causes the pluto daemon to ask the user for the pin -code. -.LP - -.SH FILES -/etc/ipsec.secrets -.SH SEE ALSO -\fIipsec.conf\fP(5), -\fIipsec\fP(8) -.br -.SH HISTORY -Originally written for the FreeS/WAN project by D. Hugh Redelmeier. -Updated and extended for the strongSwan project <http://www.strongswan.org> by -Tobias Brunner and Andreas Steffen. -.SH BUGS -If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; -if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec.secrets.5.in b/src/pluto/ipsec.secrets.5.in deleted file mode 100644 index adb915e4d..000000000 --- a/src/pluto/ipsec.secrets.5.in +++ /dev/null @@ -1,175 +0,0 @@ -.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" -.SH NAME -ipsec.secrets \- secrets for IKE/IPsec authentication -.SH DESCRIPTION -The file \fIipsec.secrets\fP holds a table of secrets. -These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons -pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. -.LP -It is vital that these secrets be protected. The file should be owned -by the super-user, -and its permissions should be set to block all access by others. -.LP -The file is a sequence of entries and include directives. -Here is an example. -.LP -.RS -.nf -# /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" - -: RSA moonKey.pem - -alice@strongswan.org : EAP "x3.dEhgN" - -: XAUTH carol "4iChxLT3" - -: XAUTH dave "ryftzG4A" - -# get secrets from other files -include ipsec.*.secrets -.fi -.RE -.LP -Each entry in the file is a list of optional ID selectors, followed by a secret. -The two parts are separated by a colon (\fB:\fP) that is surrounded -by whitespace. If no ID selectors are specified the line must start with a -colon. -.LP -A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written -in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded. -In many cases it is a bad idea to use domain names because -the name server may not be running or may be insecure. To denote a -Fully Qualified Domain Name (as opposed to an IP address denoted by -its domain name), precede the name with an at sign (\fB@\fP). -.LP -Matching IDs with selectors is fairly straightforward: they have to be -equal. In the case of a ``Road Warrior'' connection, if an equal -match is not found for the Peer's ID, and it is in the form of an IP -address, a selector of \fB%any\fP will match the peer's IP address if IPV4 -and \fB%any6\fP will match a the peer's IP address if IPV6. -Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of -\fB%any\fP. -.LP -In IKEv1 an additional complexity -arises in the case of authentication by preshared secret: the -responder will need to look up the secret before the Peer's ID payload has -been decoded, so the ID used will be the IP address. -.LP -To authenticate a connection between two hosts, the entry that most -specifically matches the host and peer IDs is used. An entry with no -selectors will match any host and peer. More specifically, an entry with one -selector will match a host and peer if the selector matches the host's ID (the -peer isn't considered). Still more specifically, an entry with multiple -selectors will match a host and peer if the host ID and peer ID each match one -of the selectors. If the key is for an asymmetric authentication technique -(i.e. a public key system such as RSA), an entry with multiple selectors will -match a host and peer even if only the host ID matches a selector (it is -presumed that the selectors are all identities of the host). -It is acceptable for two entries to be the best match as -long as they agree about the secret or private key. -.LP -Authentication by preshared secret requires that both systems find the -identical secret (the secret is not actually transmitted by the IKE -protocol). If both the host and peer appear in the selector list, the -same entry will be suitable for both systems so verbatim copying -between systems can be used. This naturally extends to larger groups -sharing the same secret. Thus multiple-selector entries are best for PSK -authentication. -.LP -Authentication by public key systems such as RSA requires that each host -have its own private key. A host could reasonably use a different private keys -for different interfaces and for different peers. But it would not -be normal to share entries between systems. Thus thus no-selector and -one-selector forms of entry often make sense for public key authentication. -.LP -The key part of an entry must start with a token indicating the kind of -key. The following types of secrets are currently supported: -.TP -.B PSK -defines a pre-shared key -.TP -.B RSA -defines an RSA private key -.TP -.B ECDSA -defines an ECDSA private key -.TP -.B EAP -defines EAP credentials -.TP -.B XAUTH -defines XAUTH credentials -.TP -.B PIN -defines a smartcard PIN -.LP -Details on each type of secret are given below. -.LP -Whitespace at the end of a line is ignored. At the start of a line or -after whitespace, \fB#\fP and the following text up to the end of the -line is treated as a comment. -.LP -An include directive causes the contents of the named file to be processed -before continuing with the current file. The filename is subject to -``globbing'' as in \fIsh\fP(1), so every file with a matching name -is processed. Includes may be nested to a modest -depth (10, currently). If the filename doesn't start with a \fB/\fP, the -directory containing the current file is prepended to the name. The -include directive is a line that starts with the word \fBinclude\fP, -followed by whitespace, followed by the filename (which must not contain -whitespace). -.SS TYPES OF SECRETS -.TP -.B [ <selectors> ] : PSK <secret> -A preshared secret is most conveniently represented as a sequence of -characters, delimited by double-quote characters (\fB"\fP). -The sequence cannot contain a newline or double-quote. -Strictly speaking, the secret is actually the sequence -of bytes that is used in the file to represent the sequence of -characters (excluding the delimiters). -.TP -.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] -.TQ -.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] -For the private key file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the private key file is -encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase -.B %prompt -can be used which then causes the daemons to ask the user for the password -whenever it is required to decrypt the key. -.TP -.B <user id> : EAP <secret> -As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, -delimited by double-quote characters (\fB"\fP). -.br -\fBEAP\fP secrets are IKEv2 only. -.TP -.B : XAUTH <username> <password> -\fBXAUTH\fP secrets are IKEv1 only. -.TP -.B : PIN <smartcard selector> <pin code> | %prompt -The format -.B "%smartcard[<slot nr>[:<key id>]]" -is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, -instead of specifying the pin code statically, -.B %prompt -can be specified, which causes the pluto daemon to ask the user for the pin -code. -.LP - -.SH FILES -/etc/ipsec.secrets -.SH SEE ALSO -\fIipsec.conf\fP(5), -\fIipsec\fP(8) -.br -.SH HISTORY -Originally written for the FreeS/WAN project by D. Hugh Redelmeier. -Updated and extended for the strongSwan project <http://www.strongswan.org> by -Tobias Brunner and Andreas Steffen. -.SH BUGS -If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; -if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 4a6a7c872..7ec547b0c 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -1753,7 +1753,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st) size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr); chunk_t data, iv; char *new_iv; - size_t crypter_block_size; + size_t crypter_block_size, crypter_iv_size; encryption_algorithm_t enc_alg; crypter_t *crypter; @@ -1761,6 +1761,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st) enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt); crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len); crypter_block_size = crypter->get_block_size(crypter); + crypter_iv_size = crypter->get_iv_size(crypter); /* Pad up to multiple of encryption blocksize. * See the description associated with the definition of @@ -1781,15 +1782,15 @@ bool encrypt_message(pb_stream *pbs, struct state *st) data = chunk_create(enc_start, enc_len); /* form iv by truncation */ - st->st_new_iv_len = crypter_block_size; + st->st_new_iv_len = crypter_iv_size; iv = chunk_create(st->st_new_iv, st->st_new_iv_len); crypter->set_key(crypter, st->st_enc_key); crypter->encrypt(crypter, data, iv, NULL); crypter->destroy(crypter); - new_iv = data.ptr + data.len - crypter_block_size; - memcpy(st->st_new_iv, new_iv, crypter_block_size); + new_iv = data.ptr + data.len - crypter_iv_size; + memcpy(st->st_new_iv, new_iv, crypter_iv_size); update_iv(st); DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len); close_message(pbs); diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index dd7ed8893..e57822ffb 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1,7 +1,11 @@ /* routines that interface with the kernel's IPsec mechanism - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2002 D. Hugh Redelmeier. - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * Copyright (C) 1998-2002 D. Hugh Redelmeier + * Copyright (C) 1997 Angelos D. Keromytis * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -32,16 +36,16 @@ #include <freeswan.h> #include <library.h> +#include <hydra.h> #include <crypto/rngs/rng.h> +#include <kernel/kernel_listener.h> -#ifdef KLIPS #include <signal.h> #include <sys/time.h> /* for select(2) */ #include <sys/types.h> /* for select(2) */ #include <pfkeyv2.h> #include <pfkey.h> #include "kameipsec.h" -#endif /* KLIPS */ #include "constants.h" #include "defs.h" @@ -49,28 +53,21 @@ #include "state.h" #include "timer.h" #include "kernel.h" -#include "kernel_netlink.h" #include "kernel_pfkey.h" -#include "kernel_noklips.h" #include "log.h" #include "ca.h" #include "server.h" #include "whack.h" /* for RC_LOG_SERIOUS */ #include "keys.h" +#include "crypto.h" #include "nat_traversal.h" #include "alg_info.h" #include "kernel_alg.h" +#include "pluto.h" bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */ -/* How far can IPsec messages arrive out of order before the anti-replay - * logic loses track and swats them? 64 is the best KLIPS can do. - * And 32 is the best XFRM can do... - */ -#define REPLAY_WINDOW 64 -#define REPLAY_WINDOW_XFRM 32 - /* test if the routes required for two different connections agree * It is assumed that the destination subnets agree; we are only * testing that the interfaces and nexthops match. @@ -78,282 +75,115 @@ bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */ #define routes_agree(c, d) ((c)->interface == (d)->interface \ && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop)) -#ifndef KLIPS - -bool no_klips = TRUE; /* don't actually use KLIPS */ - -#else /* !KLIPS */ - -/* bare (connectionless) shunt (eroute) table - * - * Bare shunts are those that don't "belong" to a connection. - * This happens because some %trapped traffic hasn't yet or cannot be - * assigned to a connection. The usual reason is that we cannot discover - * the peer SG. Another is that even when the peer has been discovered, - * it may be that no connection matches all the particulars. - * We record them so that, with scanning, we can discover - * which %holds are news and which others should expire. - */ +/* forward declaration */ +static bool shunt_eroute(connection_t *c, struct spd_route *sr, + enum routing_t rt_kind, unsigned int op, + const char *opname); -#define SHUNT_SCAN_INTERVAL (60 * 2) /* time between scans of eroutes */ +static void set_text_said(char *text_said, const ip_address *dst, + ipsec_spi_t spi, int proto); -/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate, - * SHUNT_SCAN_INTERVAL. - * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL, - * we minimize the effects of jitter. +/** + * Default IPsec SA config (e.g. to install trap policies). */ -#define SHUNT_PATIENCE (SHUNT_SCAN_INTERVAL * 15 / 2) /* inactivity timeout */ - -struct bare_shunt { - policy_prio_t policy_prio; - ip_subnet ours; - ip_subnet his; - ip_said said; - int transport_proto; - unsigned long count; - time_t last_activity; - char *why; - struct bare_shunt *next; +static ipsec_sa_cfg_t null_ipsec_sa = { + .mode = MODE_TRANSPORT, + .esp = { + .use = TRUE, + }, }; -static struct bare_shunt *bare_shunts = NULL; - -#ifdef DEBUG -static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs) +/** + * Helper function that converts an ip_subnet to a traffic_selector_t. + */ +static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client, + const u_int8_t proto) { - DBG(DBG_KLIPS, - { - int ourport = ntohs(portof(&(bs)->ours.addr)); - int hisport = ntohs(portof(&(bs)->his.addr)); - char ourst[SUBNETTOT_BUF]; - char hist[SUBNETTOT_BUF]; - char sat[SATOT_BUF]; - char prio[POLICY_PRIO_BUF]; - - subnettot(&(bs)->ours, 0, ourst, sizeof(ourst)); - subnettot(&(bs)->his, 0, hist, sizeof(hist)); - satot(&(bs)->said, 0, sat, sizeof(sat)); - fmt_policy_prio(bs->policy_prio, prio); - DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s %s" - , op, (const void *)(bs), ourst, ourport, hist, hisport - , sat, (bs)->transport_proto, prio, (bs)->why); - }); + traffic_selector_t *ts; + host_t *net; + net = host_create_from_sockaddr((sockaddr_t*)&client->addr); + ts = traffic_selector_create_from_subnet(net, client->maskbits, proto, + net->get_port(net)); + return ts; } -#else /* !DEBUG */ -#define DBG_bare_shunt(op, bs) {} -#endif /* !DEBUG */ -/* The orphaned_holds table records %holds for which we - * scan_proc_shunts found no representation of in any connection. - * The corresponding ACQUIRE message might have been lost. +/** + * Helper function that converts a traffic_selector_t to an ip_subnet. */ -struct eroute_info *orphaned_holds = NULL; - -/* forward declaration */ -static bool shunt_eroute(connection_t *c, struct spd_route *sr, - enum routing_t rt_kind, unsigned int op, - const char *opname); - -static void set_text_said(char *text_said, const ip_address *dst, - ipsec_spi_t spi, int proto); - -bool no_klips = FALSE; /* don't actually use KLIPS */ +static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts) +{ + ip_subnet subnet; + host_t *net; + u_int8_t mask; + ts->to_subnet(ts, &net, &mask); + subnet.addr = *(ip_address*)net->get_sockaddr(net); + subnet.maskbits = mask; + net->destroy(net); + return subnet; +} -static const struct pfkey_proto_info null_proto_info[2] = { - { - proto: IPPROTO_ESP, - encapsulation: ENCAPSULATION_MODE_TRANSPORT, - reqid: 0 - }, - { - proto: 0, - encapsulation: 0, - reqid: 0 - } -}; void record_and_initiate_opportunistic(const ip_subnet *ours, const ip_subnet *his, int transport_proto, const char *why) { + ip_address src, dst; passert(samesubnettype(ours, his)); - /* Add to bare shunt list. - * We need to do this because the shunt was installed by KLIPS - * which can't do this itself. - */ - { - struct bare_shunt *bs = malloc_thing(struct bare_shunt); - - bs->why = clone_str(why); - bs->ours = *ours; - bs->his = *his; - bs->transport_proto = transport_proto; - bs->policy_prio = BOTTOM_PRIO; - - bs->said.proto = SA_INT; - bs->said.spi = htonl(SPI_HOLD); - bs->said.dst = *aftoinfo(subnettypeof(ours))->any; - - bs->count = 0; - bs->last_activity = now(); - - bs->next = bare_shunts; - bare_shunts = bs; - DBG_bare_shunt("add", bs); - } - /* actually initiate opportunism */ - { - ip_address src, dst; - - networkof(ours, &src); - networkof(his, &dst); - initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD); - } - - /* if present, remove from orphaned_holds list. - * NOTE: we do this last in case ours or his is a pointer into a member. - */ - { - struct eroute_info **pp, *p; - - for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next) - { - if (samesubnet(ours, &p->ours) - && samesubnet(his, &p->his) - && transport_proto == p->transport_proto - && portof(&ours->addr) == portof(&p->ours.addr) - && portof(&his->addr) == portof(&p->his.addr)) - { - *pp = p->next; - free(p); - break; - } - } - } -} - -#endif /* KLIPS */ - -static unsigned get_proto_reqid(unsigned base, int proto) -{ - switch (proto) - { - default: - case IPPROTO_COMP: - base++; - /* fall through */ - case IPPROTO_ESP: - base++; - /* fall through */ - case IPPROTO_AH: - break; - } - - return base; + networkof(ours, &src); + networkof(his, &dst); + initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD); } /* Generate Unique SPI numbers. * - * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN. - * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN, - * reserving numbers in between for manual keying (but we cannot so - * restrict numbers generated by our peer). - * XXX This should be replaced by a call to the kernel when - * XXX we get an API. * The returned SPI is in network byte order. - * We use a random number as the initial SPI so that there is - * a good chance that different Pluto instances will choose - * different SPIs. This is good for two reasons. - * - the keying material for the initiator and responder only - * differs if the SPIs differ. - * - if Pluto is restarted, it would otherwise recycle the SPI - * numbers and confuse everything. When the kernel generates - * SPIs, this will no longer matter. - * We then allocate numbers sequentially. Thus we don't have to - * check if the number was previously used (assuming that no - * SPI lives longer than 4G of its successors). */ ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel) { - static ipsec_spi_t spi = 0; /* host order, so not returned directly! */ - char text_said[SATOT_BUF]; - rng_t *rng; + host_t *host_src, *host_dst; + u_int32_t spi; - set_text_said(text_said, &sr->this.host_addr, 0, proto); + host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr); - if (kernel_ops->get_spi) + if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src, + host_dst, proto, sr->reqid, &spi) != SUCCESS) { - return kernel_ops->get_spi(&sr->that.host_addr - , &sr->this.host_addr, proto, tunnel - , get_proto_reqid(sr->reqid, proto) - , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff - , text_said); + spi = 0; } - spi++; - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid)) - { - rng->get_bytes(rng, sizeof(spi), (u_char *)&spi); - } - rng->destroy(rng); - DBG(DBG_CONTROL, - { - ipsec_spi_t spi_net = htonl(spi); - - DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net)); - }); + host_src->destroy(host_src); + host_dst->destroy(host_dst); - return htonl(spi); + return spi; } /* Generate Unique CPI numbers. * The result is returned as an SPI (4 bytes) in network order! * The real bits are in the nework-low-order 2 bytes. - * Modelled on get_ipsec_spi, but range is more limited: - * 256-61439. - * If we can't find one easily, return 0 (a bad SPI, - * no matter what order) indicating failure. */ ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel) { - static cpi_t first_busy_cpi = 0, latest_cpi; - char text_said[SATOT_BUF]; - rng_t *rng; + host_t *host_src, *host_dst; + u_int16_t cpi; - set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP); + host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr); - if (kernel_ops->get_spi) - { - return kernel_ops->get_spi(&sr->that.host_addr - , &sr->this.host_addr, IPPROTO_COMP, tunnel - , get_proto_reqid(sr->reqid, IPPROTO_COMP) - , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED - , text_said); - } + if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src, + host_dst, sr->reqid, &cpi) != SUCCESS) - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED)) { - rng->get_bytes(rng, sizeof(first_busy_cpi), (u_char *)&first_busy_cpi); - latest_cpi = first_busy_cpi; + cpi = 0; } - rng->destroy(rng); - latest_cpi++; + host_src->destroy(host_src); + host_dst->destroy(host_dst); - if (latest_cpi == first_busy_cpi) - { - find_my_cpi_gap(&latest_cpi, &first_busy_cpi); - } - if (latest_cpi > IPCOMP_LAST_NEGOTIATED) - { - latest_cpi = IPCOMP_FIRST_NEGOTIATED; - } - return htonl((ipsec_spi_t)latest_cpi); + return htonl((u_int32_t)ntohs(cpi)); } /* Replace the shell metacharacters ', \, ", `, and $ in a character string @@ -420,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen) # define DEFAULT_UPDOWN "ipsec _updown" #endif -static bool do_command(connection_t *c, struct spd_route *sr, +static bool do_command(connection_t *c, struct spd_route *sr, struct state *st, const char *verb) { char cmd[1536]; /* arbitrary limit on shell command length */ @@ -464,6 +294,9 @@ static bool do_command(connection_t *c, struct spd_route *sr, peerclientnet_str[ADDRTOT_BUF], peerclientmask_str[ADDRTOT_BUF], peerca_str[BUF_LEN], + mark_in[BUF_LEN] = "", + mark_out[BUF_LEN] = "", + udp_encap[BUF_LEN] = "", xauth_id_str[BUF_LEN] = "", secure_myid_str[BUF_LEN] = "", secure_peerid_str[BUF_LEN] = "", @@ -491,11 +324,29 @@ static bool do_command(connection_t *c, struct spd_route *sr, strcpy(srcip_str, "PLUTO_MY_SOURCEIP='"); n = srcip_str + strlen(srcip_str); - snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", + snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", sr->this.host_srcip); strncat(srcip_str, "' ", sizeof(srcip_str)); } + if (sr->mark_in.value) + { + snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ", + sr->mark_in.value, sr->mark_in.mask); + } + + if (sr->mark_out.value) + { + snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ", + sr->mark_out.value, sr->mark_out.mask); + } + + if (st && (st->nat_traversal & NAT_T_DETECTED)) + { + snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ", + sr->that.host_port); + } + addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str)); snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id); escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str)); @@ -536,7 +387,7 @@ static bool do_command(connection_t *c, struct spd_route *sr, { if (key->issuer) { - snprintf(peerca_str, BUF_LEN, "%Y", key->issuer); + snprintf(peerca_str, BUF_LEN, "%Y", key->issuer); escape_metachar(peerca_str, secure_peerca_str, BUF_LEN); } else @@ -573,13 +424,16 @@ static bool do_command(connection_t *c, struct spd_route *sr, "PLUTO_PEER_CA='%s' " "%s" /* optional PLUTO_MY_SRCIP */ "%s" /* optional PLUTO_XAUTH_ID */ + "%s" /* optional PLUTO_MARK_IN */ + "%s" /* optional PLUTO_MARK_OUT */ + "%s" /* optional PLUTO_UDP_ENC */ "%s" /* actual script */ , verb, verb_suffix , c->name , nexthop_str , c->interface->vname , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : "" - , sr->reqid + 1 /* ESP requid */ + , sr->reqid , me_str , secure_myid_str , myclient_str @@ -597,6 +451,9 @@ static bool do_command(connection_t *c, struct spd_route *sr, , secure_peerca_str , srcip_str , xauth_id_str + , mark_in + , mark_out + , udp_encap , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown)) { loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix); @@ -607,88 +464,83 @@ static bool do_command(connection_t *c, struct spd_route *sr, DBG(DBG_CONTROL, DBG_log("executing %s%s: %s" , verb, verb_suffix, cmd)); -#ifdef KLIPS - if (!no_klips) + /* invoke the script, catching stderr and stdout + * It may be of concern that some file descriptors will + * be inherited. For the ones under our control, we + * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this. + * Any used by library routines (perhaps the resolver or syslog) + * will remain. + */ + FILE *f = popen(cmd, "r"); + + if (f == NULL) { - /* invoke the script, catching stderr and stdout - * It may be of concern that some file descriptors will - * be inherited. For the ones under our control, we - * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this. - * Any used by library routines (perhaps the resolver or syslog) - * will remain. - */ - FILE *f = popen(cmd, "r"); + loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix); + return FALSE; + } - if (f == NULL) - { - loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix); - return FALSE; - } + /* log any output */ + for (;;) + { + /* if response doesn't fit in this buffer, it will be folded */ + char resp[256]; - /* log any output */ - for (;;) + if (fgets(resp, sizeof(resp), f) == NULL) { - /* if response doesn't fit in this buffer, it will be folded */ - char resp[256]; - - if (fgets(resp, sizeof(resp), f) == NULL) + if (ferror(f)) { - if (ferror(f)) - { - log_errno((e, "fgets failed on output of %s%s command" - , verb, verb_suffix)); - return FALSE; - } - else - { - passert(feof(f)); - break; - } + log_errno((e, "fgets failed on output of %s%s command" + , verb, verb_suffix)); + return FALSE; } else { - char *e = resp + strlen(resp); - - if (e > resp && e[-1] == '\n') - e[-1] = '\0'; /* trim trailing '\n' */ - plog("%s%s output: %s", verb, verb_suffix, resp); + passert(feof(f)); + break; } } - - /* report on and react to return code */ + else { - int r = pclose(f); + char *e = resp + strlen(resp); - if (r == -1) - { - log_errno((e, "pclose failed for %s%s command" - , verb, verb_suffix)); - return FALSE; - } - else if (WIFEXITED(r)) - { - if (WEXITSTATUS(r) != 0) - { - loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d" - , verb, verb_suffix, WEXITSTATUS(r)); - return FALSE; - } - } - else if (WIFSIGNALED(r)) - { - loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d" - , verb, verb_suffix, WTERMSIG(r)); - return FALSE; - } - else + if (e > resp && e[-1] == '\n') + e[-1] = '\0'; /* trim trailing '\n' */ + plog("%s%s output: %s", verb, verb_suffix, resp); + } + } + + /* report on and react to return code */ + { + int r = pclose(f); + + if (r == -1) + { + log_errno((e, "pclose failed for %s%s command" + , verb, verb_suffix)); + return FALSE; + } + else if (WIFEXITED(r)) + { + if (WEXITSTATUS(r) != 0) { - loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d" - , verb, verb_suffix, r); + loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d" + , verb, verb_suffix, WEXITSTATUS(r)); return FALSE; } } + else if (WIFSIGNALED(r)) + { + loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d" + , verb, verb_suffix, WTERMSIG(r)); + return FALSE; + } + else + { + loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d" + , verb, verb_suffix, r); + return FALSE; + } } -#endif /* KLIPS */ return TRUE; } @@ -731,10 +583,9 @@ static enum routability could_route(connection_t *c) } /* if routing would affect IKE messages, reject */ - if (!no_klips - && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT - && c->spd.this.host_port != IKE_UDP_PORT - && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) + if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT + && c->spd.this.host_port != IKE_UDP_PORT + && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) { loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client"); return route_impossible; @@ -754,7 +605,6 @@ static enum routability could_route(connection_t *c) using the eroute */ } -#ifdef KLIPS /* if there is an eroute for another connection, there is a problem */ if (ero != NULL && ero != c) { @@ -838,10 +688,9 @@ static enum routability could_route(connection_t *c) loglog(RC_LOG_SERIOUS , "cannot install eroute -- it is in use for \"%s\"%s #%lu" , ero->name, inst, esr->eroute_owner); - return FALSE; /* another connection already using the eroute */ + return route_impossible; } } -#endif /* KLIPS */ return route_easy; } @@ -886,9 +735,7 @@ void unroute_connection(connection_t *c) { /* cannot handle a live one */ passert(sr->routing != RT_ROUTED_TUNNEL); -#ifdef KLIPS shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete"); -#endif } sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */ @@ -896,14 +743,12 @@ void unroute_connection(connection_t *c) /* only unroute if no other connection shares it */ if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL) { - (void) do_command(c, sr, "unroute"); + (void) do_command(c, sr, NULL, "unroute"); } } } -#ifdef KLIPS - static void set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto) { @@ -913,99 +758,36 @@ static void set_text_said(char *text_said, const ip_address *dst, satot(&said, 0, text_said, SATOT_BUF); } -/* find an entry in the bare_shunt table. - * Trick: return a pointer to the pointer to the entry; - * this allows the entry to be deleted. - */ -static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours, - const ip_subnet *his, - int transport_proto) -{ - struct bare_shunt *p, **pp; - for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next) - { - if (samesubnet(ours, &p->ours) - && samesubnet(his, &p->his) - && transport_proto == p->transport_proto - && portof(&ours->addr) == portof(&p->ours.addr) - && portof(&his->addr) == portof(&p->his.addr)) - return pp; - } - return NULL; -} - -/* free a bare_shunt entry, given a pointer to the pointer */ -static void free_bare_shunt(struct bare_shunt **pp) -{ - if (pp == NULL) - { - DBG(DBG_CONTROL, - DBG_log("delete bare shunt: null pointer") - ) - } - else - { - struct bare_shunt *p = *pp; - - *pp = p->next; - DBG_bare_shunt("delete", p); - free(p->why); - free(p); - } -} - -void -show_shunt_status(void) -{ - struct bare_shunt *bs; - - for (bs = bare_shunts; bs != NULL; bs = bs->next) - { - /* Print interesting fields. Ignore count and last_active. */ - - int ourport = ntohs(portof(&bs->ours.addr)); - int hisport = ntohs(portof(&bs->his.addr)); - char ourst[SUBNETTOT_BUF]; - char hist[SUBNETTOT_BUF]; - char sat[SATOT_BUF]; - char prio[POLICY_PRIO_BUF]; - - subnettot(&(bs)->ours, 0, ourst, sizeof(ourst)); - subnettot(&(bs)->his, 0, hist, sizeof(hist)); - satot(&(bs)->said, 0, sat, sizeof(sat)); - fmt_policy_prio(bs->policy_prio, prio); - - whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s %s" - , ourst, ourport, hist, hisport, sat, bs->transport_proto - , prio, bs->why); - } - if (bare_shunts != NULL) - whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ -} - -/* Setup an IPsec route entry. +/** + * Setup an IPsec route entry. * op is one of the ERO_* operators. */ - static bool raw_eroute(const ip_address *this_host, const ip_subnet *this_client, const ip_address *that_host, const ip_subnet *that_client, + mark_t mark, ipsec_spi_t spi, unsigned int proto, unsigned int satype, unsigned int transport_proto, - const struct pfkey_proto_info *proto_info, - time_t use_lifetime, + ipsec_sa_cfg_t *sa, unsigned int op, const char *opname USED_BY_DEBUG) { + traffic_selector_t *ts_src, *ts_dst; + host_t *host_src, *host_dst; + policy_type_t type = POLICY_IPSEC; + policy_dir_t dir = POLICY_OUT; char text_said[SATOT_BUF]; + bool ok = TRUE, routed = FALSE, + deleting = (op & ERO_MASK) == ERO_DELETE, + replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT); set_text_said(text_said, that_host, spi, proto); - DBG(DBG_CONTROL | DBG_KLIPS, + DBG(DBG_CONTROL | DBG_KERNEL, { int sport = ntohs(portof(&this_client->addr)); int dport = ntohs(portof(&that_client->addr)); @@ -1019,104 +801,86 @@ static bool raw_eroute(const ip_address *this_host, , text_said, transport_proto); }); - return kernel_ops->raw_eroute(this_host, this_client - , that_host, that_client, spi, satype, transport_proto, proto_info - , use_lifetime, op, text_said); -} - -/* test to see if %hold remains */ -bool has_bare_hold(const ip_address *src, const ip_address *dst, - int transport_proto) -{ - ip_subnet this_client, that_client; - struct bare_shunt **bspp; - - passert(addrtypeof(src) == addrtypeof(dst)); - happy(addrtosubnet(src, &this_client)); - happy(addrtosubnet(dst, &that_client)); - bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto); - return bspp != NULL - && (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD); -} + if (satype == SADB_X_SATYPE_INT) + { + switch (ntohl(spi)) + { + case SPI_PASS: + type = POLICY_PASS; + break; + case SPI_DROP: + case SPI_REJECT: + type = POLICY_DROP; + break; + case SPI_TRAP: + case SPI_TRAPSUBNET: + case SPI_HOLD: + if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) + { + return TRUE; + } + routed = TRUE; + break; + } + } + if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) + { + dir = POLICY_IN; + } -/* Replace (or delete) a shunt that is in the bare_shunts table. - * Issues the PF_KEY commands and updates the bare_shunts table. - */ -bool replace_bare_shunt(const ip_address *src, const ip_address *dst, - policy_prio_t policy_prio, ipsec_spi_t shunt_spi, - bool repl, unsigned int transport_proto, const char *why) -{ - ip_subnet this_client, that_client; - ip_subnet this_broad_client, that_broad_client; - const ip_address *null_host = aftoinfo(addrtypeof(src))->any; + host_src = host_create_from_sockaddr((sockaddr_t*)this_host); + host_dst = host_create_from_sockaddr((sockaddr_t*)that_host); + ts_src = traffic_selector_from_subnet(this_client, transport_proto); + ts_dst = traffic_selector_from_subnet(that_client, transport_proto); - passert(addrtypeof(src) == addrtypeof(dst)); - happy(addrtosubnet(src, &this_client)); - happy(addrtosubnet(dst, &that_client)); - this_broad_client = this_client; - that_broad_client = that_client; - setportof(0, &this_broad_client.addr); - setportof(0, &that_broad_client.addr); + if (deleting || replacing) + { + hydra->kernel_interface->del_policy(hydra->kernel_interface, + ts_src, ts_dst, dir, mark, routed); + } - if (repl) + if (!deleting) { - struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client - , &that_broad_client, 0); + ok = hydra->kernel_interface->add_policy(hydra->kernel_interface, + host_src, host_dst, ts_src, ts_dst, dir, type, sa, + mark, routed) == SUCCESS; + } - /* is there already a broad host-to-host bare shunt? */ - if (bs_pp == NULL) + if (dir == POLICY_IN) + { /* handle forward policy */ + dir = POLICY_FWD; + if (deleting || replacing) { - if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client - , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT - , 0, null_proto_info - , SHUNT_PATIENCE, ERO_ADD, why)) - { - struct bare_shunt *bs = malloc_thing(struct bare_shunt); - - bs->ours = this_broad_client; - bs->his = that_broad_client; - bs->transport_proto = 0; - bs->said.proto = SA_INT; - bs->why = clone_str(why); - bs->policy_prio = policy_prio; - bs->said.spi = htonl(shunt_spi); - bs->said.dst = *null_host; - bs->count = 0; - bs->last_activity = now(); - bs->next = bare_shunts; - bare_shunts = bs; - DBG_bare_shunt("add", bs); - } + hydra->kernel_interface->del_policy(hydra->kernel_interface, + ts_src, ts_dst, dir, mark, routed); + } + + if (!deleting && ok && + (sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT)) + { + ok = hydra->kernel_interface->add_policy(hydra->kernel_interface, + host_src, host_dst, ts_src, ts_dst, dir, type, sa, + mark, routed) == SUCCESS; } - shunt_spi = SPI_HOLD; } - if (raw_eroute(null_host, &this_client, null_host, &that_client - , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT - , transport_proto, null_proto_info - , SHUNT_PATIENCE, ERO_DELETE, why)) - { - struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client - , transport_proto); + host_src->destroy(host_src); + host_dst->destroy(host_dst); + ts_src->destroy(ts_src); + ts_dst->destroy(ts_dst); - /* delete bare eroute */ - free_bare_shunt(bs_pp); - return TRUE; - } - else - { - return FALSE; - } + return ok; } static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi, unsigned int proto, unsigned int satype, - const struct pfkey_proto_info *proto_info, - unsigned int op, const char *opname) + ipsec_sa_cfg_t *sa, unsigned int op, + const char *opname) { const ip_address *peer = &sr->that.host_addr; char buf2[256]; + bool ok; snprintf(buf2, sizeof(buf2) , "eroute_connection %s", opname); @@ -1125,11 +889,13 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi, { peer = aftoinfo(addrtypeof(peer))->any; } - return raw_eroute(&sr->this.host_addr, &sr->this.client - , peer - , &sr->that.client - , spi, proto, satype - , sr->this.protocol, proto_info, 0, op, buf2); + ok = raw_eroute(peer, &sr->that.client, + &sr->this.host_addr, &sr->this.client, sr->mark_in, + spi, proto, satype, sr->this.protocol, + sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2); + return raw_eroute(&sr->this.host_addr, &sr->this.client, peer, + &sr->that.client, sr->mark_out, spi, proto, satype, + sr->this.protocol, sa, op, buf2) && ok; } /* assign a bare hold to a connection */ @@ -1162,31 +928,24 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr, break; } - /* we need a broad %hold, not the narrow one. + /* We need a broad %hold * First we ensure that there is a broad %hold. * There may already be one (race condition): no need to create one. * There may already be a %trap: replace it. * There may not be any broad eroute: add %hold. - * Once the broad %hold is in place, delete the narrow one. */ if (rn != ro) { if (erouted(ro) - ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT - , null_proto_info - , ERO_REPLACE, "replace %trap with broad %hold") - : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT - , null_proto_info - , ERO_ADD, "add broad %hold")) + ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT, + &null_ipsec_sa, ERO_REPLACE, + "replace %trap with broad %hold") + : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT, + &null_ipsec_sa, ERO_ADD, "add broad %hold")) { return FALSE; } } - if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE - , transport_proto, "delete narrow %hold")) - { - return FALSE; - } sr->routing = rn; return TRUE; } @@ -1195,32 +954,21 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr, static bool sag_eroute(struct state *st, struct spd_route *sr, unsigned op, const char *opname) { - u_int inner_proto = 0; - u_int inner_satype = 0; + u_int inner_proto, inner_satype; ipsec_spi_t inner_spi = 0; - struct pfkey_proto_info proto_info[4]; - int i; - bool tunnel; - - /* figure out the SPI and protocol (in two forms) - * for the innermost transformation. - */ - - i = sizeof(proto_info) / sizeof(proto_info[0]) - 1; - proto_info[i].proto = 0; - tunnel = FALSE; + ipsec_sa_cfg_t sa = { + .mode = MODE_TRANSPORT, + }; + bool tunnel = FALSE; if (st->st_ah.present) { inner_spi = st->st_ah.attrs.spi; inner_proto = SA_AH; inner_satype = SADB_SATYPE_AH; - - i--; - proto_info[i].proto = IPPROTO_AH; - proto_info[i].encapsulation = st->st_ah.attrs.encapsulation; - tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; - proto_info[i].reqid = sr->reqid; + sa.ah.use = TRUE; + sa.ah.spi = inner_spi; + tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL; } if (st->st_esp.present) @@ -1228,12 +976,9 @@ static bool sag_eroute(struct state *st, struct spd_route *sr, inner_spi = st->st_esp.attrs.spi; inner_proto = SA_ESP; inner_satype = SADB_SATYPE_ESP; - - i--; - proto_info[i].proto = IPPROTO_ESP; - proto_info[i].encapsulation = st->st_esp.attrs.encapsulation; - tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; - proto_info[i].reqid = sr->reqid + 1; + sa.esp.use = TRUE; + sa.esp.spi = inner_spi; + tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL; } if (st->st_ipcomp.present) @@ -1241,37 +986,28 @@ static bool sag_eroute(struct state *st, struct spd_route *sr, inner_spi = st->st_ipcomp.attrs.spi; inner_proto = SA_COMP; inner_satype = SADB_X_SATYPE_COMP; - - i--; - proto_info[i].proto = IPPROTO_COMP; - proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation; - tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; - proto_info[i].reqid = sr->reqid + 2; + sa.ipcomp.transform = st->st_ipcomp.attrs.transid; + sa.ipcomp.cpi = htons(ntohl(inner_spi)); + tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL; } - if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1) + if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform) { impossible(); /* no transform at all! */ } if (tunnel) { - int j; - inner_spi = st->st_tunnel_out_spi; inner_proto = SA_IPIP; inner_satype = SADB_X_SATYPE_IPIP; - - proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL; - for (j = i + 1; proto_info[j].proto; j++) - { - proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT; - } + sa.mode = MODE_TUNNEL; } - return eroute_connection(sr - , inner_spi, inner_proto, inner_satype, proto_info + i - , op, opname); + sa.reqid = sr->reqid; + + return eroute_connection(sr, inner_spi, inner_proto, inner_satype, + &sa, op, opname); } /* compute a (host-order!) SPI to implement the policy in connection c */ @@ -1318,7 +1054,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr, * The SPI signifies the kind of shunt. */ ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE); - bool ok; if (spi == 0) { @@ -1377,599 +1112,120 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr, } } - ok = TRUE; - if (kernel_ops->inbound_eroute) - { - ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client - , &c->spd.this.host_addr, &c->spd.this.client - , htonl(spi), SA_INT, SADB_X_SATYPE_INT - , 0, null_proto_info, 0 - , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname); - } - return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT - , null_proto_info, op, opname) && ok; -} - - -/* - * This is only called when s is a likely SAID with trailing protocol i.e. - * it has the form :- - * - * %<keyword>:p - * <ip-proto><spi>@a.b.c.d:p - * - * The task here is to remove the ":p" part so that the rest can be read - * by another routine. - */ -static const char *read_proto(const char * s, size_t * len, int * transport_proto) -{ - const char * p; - const char * ugh; - unsigned long proto; - size_t l; - - l = *len; - p = memchr(s, ':', l); - if (p == 0) - { - *transport_proto = 0; - return 0; - } - ugh = ttoul(p+1, l-((p-s)+1), 10, &proto); - if (ugh != 0) - { - return ugh; - } - if (proto > 65535) - { - return "protocol number is too large, legal range is 0-65535"; - } - *len = p-s; - *transport_proto = proto; - return 0; + return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT, + &null_ipsec_sa, op, opname); } - -/* scan /proc/net/ipsec_eroute every once in a while, looking for: - * - * - %hold shunts of which Pluto isn't aware. This situation could - * be caused by lost ACQUIRE messages. When found, they will - * added to orphan_holds. This in turn will lead to Opportunistic - * initiation. - * - * - other kinds of shunts that haven't been used recently. These will be - * deleted. They represent OE failures. - * - * - recording recent uses of tunnel eroutes so that rekeying decisions - * can be made for OE connections. - * - * Here are some sample lines: - * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap - * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145 - * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap - * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass - * Newer versions of KLIPS start each line with a 32-bit packet count. - * If available, the count is used to detect whether a %pass shunt is in use. - * - * NOTE: execution time is quadratic in the number of eroutes since the - * searching for each is sequential. If this becomes a problem, faster - * searches could be implemented (hash or radix tree, for example). - */ -void scan_proc_shunts(void) -{ - static const char procname[] = "/proc/net/ipsec_eroute"; - FILE *f; - time_t nw = now(); - int lino; - struct eroute_info *expired = NULL; - - event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); - - DBG(DBG_CONTROL, - DBG_log("scanning for shunt eroutes") - ) - - /* free any leftover entries: they will be refreshed if still current */ - while (orphaned_holds != NULL) - { - struct eroute_info *p = orphaned_holds; - - orphaned_holds = p->next; - free(orphaned_holds); - } - - /* decode the /proc file. Don't do anything strenuous to it - * (certainly no PF_KEY stuff) to minimize the chance that it - * might change underfoot. - */ - - f = fopen(procname, "r"); - if (f == NULL) - { - return; - } - - /* for each line... */ - for (lino = 1; ; lino++) - { - unsigned char buf[1024]; /* should be big enough */ - chunk_t field[10]; /* 10 is loose upper bound */ - chunk_t *ff = NULL; /* fixed fields (excluding optional count) */ - int fi; - struct eroute_info eri; - char *cp; - err_t context = "" - , ugh = NULL; - - cp = fgets(buf, sizeof(buf), f); - if (cp == NULL) - { - break; - } - - /* break out each field - * Note: if there are too many fields, just stop; - * it will be diagnosed a little later. - */ - for (fi = 0; fi < (int)countof(field); fi++) - { - static const char sep[] = " \t\n"; /* field-separating whitespace */ - size_t w; - - cp += strspn(cp, sep); /* find start of field */ - w = strcspn(cp, sep); /* find width of field */ - field[fi] = chunk_create(cp, w); - cp += w; - if (w == 0) - { - break; - } - } - - /* This odd do-hickey is to share error reporting code. - * A break will get to that common code. The setting - * of "ugh" and "context" parameterize it. - */ - do { - /* Old entries have no packet count; new ones do. - * check if things are as they should be. - */ - if (fi == 5) - { - ff = &field[0]; /* old form, with no count */ - } - else if (fi == 6) - { - ff = &field[1]; /* new form, with count */ - } - else - { - ugh = "has wrong number of fields"; - break; - } - - if (ff[1].len != 2 - || strncmp(ff[1].ptr, "->", 2) != 0 - || ff[3].len != 2 - || strncmp(ff[3].ptr, "=>", 2) != 0) - { - ugh = "is missing -> or =>"; - break; - } - - /* actually digest fields of interest */ - - /* packet count */ - - eri.count = 0; - if (ff != field) - { - context = "count field is malformed: "; - ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count); - if (ugh != NULL) - { - break; - } - } - - /* our client */ - - context = "source subnet field malformed: "; - ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours); - if (ugh != NULL) - { - break; - } - - /* his client */ - - context = "destination subnet field malformed: "; - ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his); - if (ugh != NULL) - { - break; - } - - /* SAID */ - - context = "SA ID field malformed: "; - ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto); - if (ugh != NULL) - { - break; - } - ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said); - } while (FALSE); - - if (ugh != NULL) - { - plog("INTERNAL ERROR: %s line %d %s%s" - , procname, lino, context, ugh); - continue; /* ignore rest of line */ - } - - /* Now we have decoded eroute, let's consider it. - * For shunt eroutes: - * - * %hold: if not known, add to orphaned_holds list for initiation - * because ACQUIRE might have been lost. - * - * %pass, %drop, %reject: determine if idle; if so, blast it away. - * Can occur bare (if DNS provided insufficient information) - * or with a connection (failure context). - * Could even be installed by ipsec manual. - * - * %trap: always welcome. - * - * For other eroutes: find state and record count change - */ - if (eri.said.proto == SA_INT) - { - /* shunt eroute */ - switch (ntohl(eri.said.spi)) - { - case SPI_HOLD: - if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL - && shunt_owner(&eri.ours, &eri.his) == NULL) - { - int ourport = ntohs(portof(&eri.ours.addr)); - int hisport = ntohs(portof(&eri.his.addr)); - char ourst[SUBNETTOT_BUF]; - char hist[SUBNETTOT_BUF]; - char sat[SATOT_BUF]; - - subnettot(&eri.ours, 0, ourst, sizeof(ourst)); - subnettot(&eri.his, 0, hist, sizeof(hist)); - satot(&eri.said, 0, sat, sizeof(sat)); - - DBG(DBG_CONTROL, - DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d" - , ourst, ourport, hist, hisport, sat, eri.transport_proto) - ) - eri.next = orphaned_holds; - orphaned_holds = clone_thing(eri); - } - break; - - case SPI_PASS: - case SPI_DROP: - case SPI_REJECT: - /* nothing sensible to do if we don't have counts */ - if (ff != field) - { - struct bare_shunt **bs_pp - = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto); - - if (bs_pp != NULL) - { - struct bare_shunt *bs = *bs_pp; - - if (eri.count != bs->count) - { - bs->count = eri.count; - bs->last_activity = nw; - } - else if (nw - bs->last_activity > SHUNT_PATIENCE) - { - eri.next = expired; - expired = clone_thing(eri); - } - } - } - break; - - case SPI_TRAP: - break; - - default: - bad_case(ntohl(eri.said.spi)); - } - } - else - { - /* regular (non-shunt) eroute */ - state_eroute_usage(&eri.ours, &eri.his, eri.count, nw); - } - } /* for each line */ - fclose(f); - - /* Now that we've finished processing the /proc file, - * it is safe to delete the expired %pass shunts. - */ - while (expired != NULL) - { - struct eroute_info *p = expired; - ip_address src, dst; - - networkof(&p->ours, &src); - networkof(&p->his, &dst); - (void) replace_bare_shunt(&src, &dst - , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */ - , SPI_PASS /* not used because we are deleting. This value is a filler */ - , FALSE, p->transport_proto, "delete expired bare shunts"); - expired = p->next; - free(p); - } -} - -static bool del_spi(ipsec_spi_t spi, int proto, - const ip_address *src, const ip_address *dest) -{ - char text_said[SATOT_BUF]; - struct kernel_sa sa; - - set_text_said(text_said, dest, spi, proto); - - DBG(DBG_KLIPS, DBG_log("delete %s", text_said)); - - memset(&sa, 0, sizeof(sa)); - sa.spi = spi; - sa.proto = proto; - sa.src = src; - sa.dst = dest; - sa.text_said = text_said; - - return kernel_ops->del_sa(&sa); -} - -/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in - * ipsec-0.5. - */ - static bool setup_half_ipsec_sa(struct state *st, bool inbound) { - /* Build an inbound or outbound SA */ - + host_t *host_src, *host_dst; connection_t *c = st->st_connection; - ip_subnet src, dst; - ip_subnet src_client, dst_client; - ipsec_spi_t inner_spi = 0; - u_int proto = 0; - u_int satype = SADB_SATYPE_UNSPEC; - bool replace; - - /* SPIs, saved for spigrouping or undoing, if necessary */ - struct kernel_sa - said[EM_MAXRELSPIS], - *said_next = said; - - char text_said[SATOT_BUF]; - int encapsulation; - - replace = inbound && (kernel_ops->get_spi != NULL); - - src.maskbits = 0; - dst.maskbits = 0; - + struct end *src, *dst; + ipsec_mode_t mode = MODE_TRANSPORT; + ipsec_sa_cfg_t sa = { .mode = 0 }; + lifetime_cfg_t lt_none = { .time = { .rekey = 0 } }; + mark_t mark; + bool ok = TRUE; + /* SPIs, saved for undoing, if necessary */ + struct kernel_sa said[EM_MAXRELSPIS], *said_next = said; if (inbound) { - src.addr = c->spd.that.host_addr; - dst.addr = c->spd.this.host_addr; - src_client = c->spd.that.client; - dst_client = c->spd.this.client; + src = &c->spd.that; + dst = &c->spd.this; + mark = c->spd.mark_in; } else { - src.addr = c->spd.this.host_addr, - dst.addr = c->spd.that.host_addr; - src_client = c->spd.this.client; - dst_client = c->spd.that.client; + src = &c->spd.this; + dst = &c->spd.that; + mark = c->spd.mark_out; } - encapsulation = ENCAPSULATION_MODE_TRANSPORT; + host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr); + if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL) { - encapsulation = ENCAPSULATION_MODE_TUNNEL; + mode = MODE_TUNNEL; } - memset(said, 0, sizeof(said)); - - /* If we are tunnelling, set up IP in IP pseudo SA */ - - if (kernel_ops->inbound_eroute) - { - inner_spi = 256; - proto = SA_IPIP; - satype = SADB_SATYPE_UNSPEC; - } - else if (encapsulation == ENCAPSULATION_MODE_TUNNEL) - { - /* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI - * XXX FOR IP-in-IP ENCAPSULATION! - */ - - ipsec_spi_t ipip_spi; - - /* Allocate an SPI for the tunnel. - * Since our peer will never see this, - * and it comes from its own number space, - * it is purely a local implementation wart. - */ - { - static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN; - - ipip_spi = htonl(++last_tunnel_spi); - if (inbound) - { - st->st_tunnel_in_spi = ipip_spi; - } - else - { - st->st_tunnel_out_spi = ipip_spi; - } - } - - set_text_said(text_said - , &c->spd.that.host_addr, ipip_spi, SA_IPIP); - - said_next->src = &src.addr; - said_next->dst = &dst.addr; - said_next->src_client = &src_client; - said_next->dst_client = &dst_client; - said_next->spi = ipip_spi; - said_next->satype = SADB_X_SATYPE_IPIP; - said_next->text_said = text_said; - - if (!kernel_ops->add_sa(said_next, replace)) - goto fail; - - said_next++; + sa.mode = mode; + sa.reqid = c->spd.reqid; - inner_spi = ipip_spi; - proto = SA_IPIP; - satype = SADB_X_SATYPE_IPIP; - } + memset(said, 0, sizeof(said)); /* set up IPCOMP SA, if any */ if (st->st_ipcomp.present) { - ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi; - unsigned compalg; + ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi + : st->st_ipcomp.attrs.spi; switch (st->st_ipcomp.attrs.transid) { case IPCOMP_DEFLATE: - compalg = SADB_X_CALG_DEFLATE; break; default: - loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented" - , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid)); + loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented", + enum_name(&ipcomp_transformid_names, + st->st_ipcomp.attrs.transid)); goto fail; } - set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP); + sa.ipcomp.cpi = htons(ntohl(ipcomp_spi)); + sa.ipcomp.transform = st->st_ipcomp.attrs.transid; - said_next->src = &src.addr; - said_next->dst = &dst.addr; - said_next->src_client = &src_client; - said_next->dst_client = &dst_client; said_next->spi = ipcomp_spi; - said_next->satype = SADB_X_SATYPE_COMP; - said_next->compalg = compalg; - said_next->encapsulation = encapsulation; - said_next->reqid = c->spd.reqid + 2; - said_next->text_said = text_said; + said_next->proto = IPPROTO_COMP; - if (!kernel_ops->add_sa(said_next, replace)) + if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, + host_dst, ipcomp_spi, said_next->proto, c->spd.reqid, + mark, <_none, ENCR_UNDEFINED, chunk_empty, + AUTH_UNDEFINED, chunk_empty, mode, + st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, + inbound, NULL, NULL) != SUCCESS) { goto fail; } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; + mode = MODE_TRANSPORT; } /* set up ESP SA, if any */ if (st->st_esp.present) { - ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; - u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat; + ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi + : st->st_esp.attrs.spi; + u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat + : st->st_esp.peer_keymat; + bool encap = st->nat_traversal & NAT_T_DETECTED; + encryption_algorithm_t enc_alg; + integrity_algorithm_t auth_alg; const struct esp_info *ei; + chunk_t enc_key, auth_key; u_int16_t key_len; - static const struct esp_info esp_info[] = { - { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5, - 0, HMAC_MD5_KEY_LEN, - SADB_EALG_NULL, SADB_AALG_MD5HMAC }, - { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1, - 0, HMAC_SHA1_KEY_LEN, - SADB_EALG_NULL, SADB_AALG_SHA1HMAC }, - - { ESP_DES, AUTH_ALGORITHM_NONE, - DES_CBC_BLOCK_SIZE, 0, - SADB_EALG_DESCBC, SADB_AALG_NONE }, - { ESP_DES, AUTH_ALGORITHM_HMAC_MD5, - DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN, - SADB_EALG_DESCBC, SADB_AALG_MD5HMAC }, - { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1, - DES_CBC_BLOCK_SIZE, - HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC }, - - { ESP_3DES, AUTH_ALGORITHM_NONE, - DES_CBC_BLOCK_SIZE * 3, 0, - SADB_EALG_3DESCBC, SADB_AALG_NONE }, - { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5, - DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN, - SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC }, - { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1, - DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN, - SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC }, - }; - - u_int8_t natt_type = 0; - u_int16_t natt_sport = 0; - u_int16_t natt_dport = 0; - ip_address natt_oa; - - if (st->nat_traversal & NAT_T_DETECTED) - { - natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? - ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; - natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; - natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; - natt_oa = st->nat_oa; - } - - for (ei = esp_info; ; ei++) + if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid, + st->st_esp.attrs.auth)) == NULL) { - if (ei == &esp_info[countof(esp_info)]) - { - /* Check for additional kernel alg */ - if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, - st->st_esp.attrs.auth))!=NULL) - { - break; - } - - /* note: enum_show may use a static buffer, so two - * calls in one printf would be a mistake. - * enum_name does the same job, without a static buffer, - * assuming the name will be found. - */ - loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet" - , enum_name(&esp_transform_names, st->st_esp.attrs.transid) - , enum_name(&auth_alg_names, st->st_esp.attrs.auth)); - goto fail; - } - - if (st->st_esp.attrs.transid == ei->transid && - st->st_esp.attrs.auth == ei->auth) - { - break; - } + loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s" + " not implemented yet", + enum_name(&esp_transform_names, st->st_esp.attrs.transid), + enum_name(&auth_alg_names, st->st_esp.attrs.auth)); + goto fail; } - key_len = st->st_esp.attrs.key_len/8; + key_len = st->st_esp.attrs.key_len / 8; if (key_len) { /* XXX: must change to check valid _range_ key_len */ if (key_len > ei->enckeylen) { - loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d", + loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d", enum_name(&esp_transform_names, st->st_esp.attrs.transid), (int)key_len, (int)ei->enckeylen); goto fail; @@ -2012,290 +1268,144 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) break; } - /* divide up keying material */ - set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); - said_next->src = &src.addr; - said_next->dst = &dst.addr; - said_next->src_client = &src_client; - said_next->dst_client = &dst_client; - said_next->spi = esp_spi; - said_next->satype = SADB_SATYPE_ESP; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? - REPLAY_WINDOW : REPLAY_WINDOW_XFRM; - said_next->authalg = ei->authalg; - said_next->authkeylen = ei->authkeylen; - said_next->authkey = esp_dst_keymat + key_len; - said_next->encalg = ei->encryptalg; - said_next->enckeylen = key_len; - said_next->enckey = esp_dst_keymat; - said_next->encapsulation = encapsulation; - said_next->reqid = c->spd.reqid + 1; - said_next->natt_sport = natt_sport; - said_next->natt_dport = natt_dport; - said_next->transid = st->st_esp.attrs.transid; - said_next->natt_type = natt_type; - said_next->natt_oa = &natt_oa; - said_next->text_said = text_said; - - if (!kernel_ops->add_sa(said_next, replace)) + if (encap) { - goto fail; + host_src->set_port(host_src, src->host_port); + host_dst->set_port(host_dst, dst->host_port); + // st->nat_oa is currently unused } - said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; - } - - /* set up AH SA, if any */ - if (st->st_ah.present) - { - ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi; - u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat; + /* divide up keying material */ + enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid); + enc_key.ptr = esp_dst_keymat; + enc_key.len = key_len; + auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth); + auth_alg = auth_alg ? : AUTH_UNDEFINED; + auth_key.ptr = esp_dst_keymat + key_len; + auth_key.len = ei->authkeylen; - unsigned char authalg; + sa.esp.use = TRUE; + sa.esp.spi = esp_spi; - switch (st->st_ah.attrs.auth) - { - case AUTH_ALGORITHM_HMAC_MD5: - authalg = SADB_AALG_MD5HMAC; - break; - case AUTH_ALGORITHM_HMAC_SHA1: - authalg = SADB_AALG_SHA1HMAC; - break; - default: - loglog(RC_LOG_SERIOUS, "%s not implemented yet", - enum_show(&auth_alg_names, st->st_ah.attrs.auth)); - goto fail; - } + said_next->spi = esp_spi; + said_next->proto = IPPROTO_ESP; - set_text_said(text_said, &dst.addr, ah_spi, SA_AH); - said_next->src = &src.addr; - said_next->dst = &dst.addr; - said_next->src_client = &src_client; - said_next->dst_client = &dst_client; - said_next->spi = ah_spi; - said_next->satype = SADB_SATYPE_AH; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? - REPLAY_WINDOW : REPLAY_WINDOW_XFRM; - said_next->authalg = authalg; - said_next->authkeylen = st->st_ah.keymat_len; - said_next->authkey = ah_dst_keymat; - said_next->encapsulation = encapsulation; - said_next->reqid = c->spd.reqid; - said_next->text_said = text_said; - - if (!kernel_ops->add_sa(said_next, replace)) + if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, + host_dst, esp_spi, said_next->proto, c->spd.reqid, + mark, <_none, enc_alg, enc_key, + auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, + encap, inbound, NULL, NULL) != SUCCESS) { goto fail; } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; + mode = MODE_TRANSPORT; } - if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL - || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL - || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL) - { - encapsulation = ENCAPSULATION_MODE_TUNNEL; - } + /* set up AH SA, if any */ - if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY - : encapsulation == ENCAPSULATION_MODE_TUNNEL) + if (st->st_ah.present) { - /* If inbound, and policy does not specifie DISABLEARRIVALCHECK, - * tell KLIPS to enforce the IP addresses appropriate for this tunnel. - * Note reversed ends. - * Not much to be done on failure. - */ - if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0) - { - struct pfkey_proto_info proto_info[4]; - int i = 0; - - if (st->st_ipcomp.present) - { - proto_info[i].proto = IPPROTO_COMP; - proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation; - proto_info[i].reqid = c->spd.reqid + 2; - i++; - } - - if (st->st_esp.present) - { - proto_info[i].proto = IPPROTO_ESP; - proto_info[i].encapsulation = st->st_esp.attrs.encapsulation; - proto_info[i].reqid = c->spd.reqid + 1; - i++; - } - - if (st->st_ah.present) - { - proto_info[i].proto = IPPROTO_AH; - proto_info[i].encapsulation = st->st_ah.attrs.encapsulation; - proto_info[i].reqid = c->spd.reqid; - i++; - } - - proto_info[i].proto = 0; - - if (kernel_ops->inbound_eroute - && encapsulation == ENCAPSULATION_MODE_TUNNEL) - { - proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL; - for (i = 1; proto_info[i].proto; i++) - { - proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT; - } - } + ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi + : st->st_ah.attrs.spi; + u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat + : st->st_ah.peer_keymat; + integrity_algorithm_t auth_alg; + chunk_t auth_key; - /* MCR - should be passed a spd_eroute structure here */ - (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client - , &c->spd.this.host_addr, &c->spd.this.client - , inner_spi, proto, satype, c->spd.this.protocol - , proto_info, 0 - , ERO_ADD_INBOUND, "add inbound"); - } - } + auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth); + auth_key.ptr = ah_dst_keymat; + auth_key.len = st->st_ah.keymat_len; - /* If there are multiple SPIs, group them. */ + sa.ah.use = TRUE; + sa.ah.spi = ah_spi; - if (kernel_ops->grp_sa && said_next > &said[1]) - { - struct kernel_sa *s; + said_next->spi = ah_spi; + said_next->proto = IPPROTO_AH; - /* group SAs, two at a time, inner to outer (backwards in said[]) - * The grouping is by pairs. So if said[] contains ah esp ipip, - * the grouping would be ipip:esp, esp:ah. - */ - for (s = said; s < said_next-1; s++) + if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, + host_dst, ah_spi, said_next->proto, c->spd.reqid, + mark, <_none, ENCR_UNDEFINED, chunk_empty, + auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, + FALSE, inbound, NULL, NULL) != SUCCESS) { - char - text_said0[SATOT_BUF], - text_said1[SATOT_BUF]; - - /* group s[1] and s[0], in that order */ - - set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto); - set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto); - - DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0)); - - s[0].text_said = text_said0; - s[1].text_said = text_said1; - - if (!kernel_ops->grp_sa(s + 1, s)) - { - goto fail; - } + goto fail; } - /* could update said, but it will not be used */ + said_next++; + mode = MODE_TRANSPORT; } - return TRUE; + goto cleanup; fail: + /* undo the done SPIs */ + while (said_next-- != said) { - /* undo the done SPIs */ - while (said_next-- != said) - { - (void) del_spi(said_next->spi, said_next->proto, &src.addr, - said_next->dst); - } - return FALSE; + hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src, + host_dst, said_next->spi, + said_next->proto, 0 /* cpi */, + mark); } -} + ok = FALSE; -/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */ +cleanup: + host_src->destroy(host_src); + host_dst->destroy(host_dst); + return ok; +} static bool teardown_half_ipsec_sa(struct state *st, bool inbound) { - /* We need to delete AH, ESP, and IP in IP SPIs. - * But if there is more than one, they have been grouped - * so deleting any one will do. So we just delete the - * first one found. It may or may not be the only one. - */ connection_t *c = st->st_connection; - struct { - unsigned proto; - struct ipsec_proto_info *info; - } protos[4]; - int i; - bool result; + const struct end *src, *dst; + host_t *host_src, *host_dst; + ipsec_spi_t spi; + mark_t mark; + bool result = TRUE; - i = 0; - if (kernel_ops->inbound_eroute && inbound - && c->spd.eroute_owner == SOS_NOBODY) + if (inbound) { - (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client - , &c->spd.this.host_addr, &c->spd.this.client - , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol - , null_proto_info, 0 - , ERO_DEL_INBOUND, "delete inbound"); + src = &c->spd.that; + dst = &c->spd.this; + mark = c->spd.mark_in; } - - if (!kernel_ops->grp_sa) + else { - if (st->st_ah.present) - { - protos[i].info = &st->st_ah; - protos[i].proto = SA_AH; - i++; - } + src = &c->spd.this; + dst = &c->spd.that; + mark = c->spd.mark_out; + } - if (st->st_esp.present) - { - protos[i].info = &st->st_esp; - protos[i].proto = SA_ESP; - i++; - } + host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr); - if (st->st_ipcomp.present) - { - protos[i].info = &st->st_ipcomp; - protos[i].proto = SA_COMP; - i++; - } - } - else if (st->st_ah.present) - { - protos[i].info = &st->st_ah; - protos[i].proto = SA_AH; - i++; - } - else if (st->st_esp.present) + if (st->st_ah.present) { - protos[i].info = &st->st_esp; - protos[i].proto = SA_ESP; - i++; + spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi; + result &= hydra->kernel_interface->del_sa(hydra->kernel_interface, + host_src, host_dst, spi, IPPROTO_AH, + 0 /* cpi */, mark) == SUCCESS; } - else + + if (st->st_esp.present) { - impossible(); /* neither AH nor ESP in outbound SA bundle! */ + spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi; + result &= hydra->kernel_interface->del_sa(hydra->kernel_interface, + host_src, host_dst, spi, IPPROTO_ESP, + 0 /* cpi */, mark) == SUCCESS; } - protos[i].proto = 0; - result = TRUE; - for (i = 0; protos[i].proto; i++) + if (st->st_ipcomp.present) { - unsigned proto = protos[i].proto; - ipsec_spi_t spi; - const ip_address *src, *dst; + spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi; + result &= hydra->kernel_interface->del_sa(hydra->kernel_interface, + host_src, host_dst, spi, IPPROTO_COMP, + 0 /* cpi */, mark) == SUCCESS; + } - if (inbound) - { - spi = protos[i].info->our_spi; - src = &c->spd.that.host_addr; - dst = &c->spd.this.host_addr; - } - else - { - spi = protos[i].info->attrs.spi; - src = &c->spd.this.host_addr; - dst = &c->spd.that.host_addr; - } + host_src->destroy(host_src); + host_dst->destroy(host_dst); - result &= del_spi(spi, proto, src, dst); - } return result; } @@ -2304,126 +1414,198 @@ static bool teardown_half_ipsec_sa(struct state *st, bool inbound) */ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) { - char text_said[SATOT_BUF]; - struct kernel_sa sa; connection_t *c = st->st_connection; + traffic_selector_t *ts_src = NULL, *ts_dst = NULL; + host_t *host_src = NULL, *host_dst = NULL; + const struct end *src, *dst; + ipsec_spi_t spi; + mark_t mark; + u_int64_t bytes_kernel = 0; + bool result = FALSE; *use_time = UNDEFINED_TIME; - if (kernel_ops->get_sa == NULL || !st->st_esp.present) + if (!st->st_esp.present) { - return FALSE; + goto failed; } - memset(&sa, 0, sizeof(sa)); - sa.proto = SA_ESP; if (inbound) { - sa.src = &c->spd.that.host_addr; - sa.dst = &c->spd.this.host_addr; - sa.spi = st->st_esp.our_spi; + src = &c->spd.that; + dst = &c->spd.this; + mark = c->spd.mark_in; + spi = st->st_esp.our_spi; } else { - sa.src = &c->spd.this.host_addr; - sa.dst = &c->spd.that.host_addr; - sa.spi = st->st_esp.attrs.spi; + src = &c->spd.this; + dst = &c->spd.that; + mark = c->spd.mark_out; + spi = st->st_esp.attrs.spi; } - set_text_said(text_said, sa.dst, sa.spi, sa.proto); - sa.text_said = text_said; + host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr); - DBG(DBG_KLIPS, - DBG_log("get %s", text_said) - ) - if (!kernel_ops->get_sa(&sa, bytes)) + switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src, + host_dst, spi, IPPROTO_ESP, + mark, &bytes_kernel)) { - return FALSE; + case FAILED: + goto failed; + case SUCCESS: + *bytes = bytes_kernel; + break; + case NOT_SUPPORTED: + default: + break; } - DBG(DBG_KLIPS, - DBG_log(" current: %d bytes", *bytes) - ) if (st->st_serialno == c->spd.eroute_owner) { - DBG(DBG_KLIPS, - DBG_log("get %sbound policy with reqid %u" - , inbound? "in":"out", (u_int)c->spd.reqid + 1) - ) - sa.transport_proto = c->spd.this.protocol; - sa.encapsulation = st->st_esp.attrs.encapsulation; + u_int32_t time_kernel; - if (inbound) - { - sa.src_client = &c->spd.that.client; - sa.dst_client = &c->spd.this.client; - } - else + ts_src = traffic_selector_from_subnet(&src->client, src->protocol); + ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol); + + if (hydra->kernel_interface->query_policy(hydra->kernel_interface, + ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT, + mark, &time_kernel) != SUCCESS) { - sa.src_client = &c->spd.this.client; - sa.dst_client = &c->spd.that.client; + goto failed; } - if (!kernel_ops->get_policy(&sa, inbound, use_time)) + *use_time = time_kernel; + + if (inbound && + st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL) { - return FALSE; + if (hydra->kernel_interface->query_policy(hydra->kernel_interface, + ts_src, ts_dst, POLICY_FWD, mark, + &time_kernel) != SUCCESS) + { + goto failed; + } + *use_time = max(*use_time, time_kernel); } - DBG(DBG_KLIPS, - DBG_log(" use_time: %T", use_time, FALSE) - ) } - return TRUE; + + result = TRUE; + +failed: + DESTROY_IF(host_src); + DESTROY_IF(host_dst); + DESTROY_IF(ts_src); + DESTROY_IF(ts_dst); + return result; } -const struct kernel_ops *kernel_ops; +/** + * Handler for kernel events (called by thread-pool thread) + */ +kernel_listener_t *kernel_handler; -#endif /* KLIPS */ +/** + * Data for acquire events + */ +typedef struct { + /** Subnets */ + ip_subnet src, dst; + /** Transport protocol */ + int proto; +} acquire_data_t; -void init_kernel(void) +/** + * Callback for acquire events (called by main thread) + */ +void handle_acquire(acquire_data_t *this) { -#ifdef KLIPS + record_and_initiate_opportunistic(&this->src, &this->dst, this->proto, + "%acquire"); +} - if (no_klips) +METHOD(kernel_listener_t, acquire, bool, + kernel_listener_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) +{ + if (src_ts && dst_ts) { - kernel_ops = &noklips_kernel_ops; - return; + acquire_data_t *data; + DBG(DBG_CONTROL, + DBG_log("creating acquire event for policy %R === %R " + "with reqid {%u}", src_ts, dst_ts, reqid)); + INIT(data, + .src = subnet_from_traffic_selector(src_ts), + .dst = subnet_from_traffic_selector(dst_ts), + .proto = src_ts->get_protocol(src_ts), + ); + pluto->events->queue(pluto->events, (void*)handle_acquire, data, free); } + else + { + DBG(DBG_CONTROL, + DBG_log("ignoring acquire without traffic selectors for policy " + "with reqid {%u}", reqid)); + } + DESTROY_IF(src_ts); + DESTROY_IF(dst_ts); + return TRUE; +} - init_pfkey(); - - kernel_ops = &klips_kernel_ops; +/** + * Data for mapping events + */ +typedef struct { + /** reqid, spi of affected SA */ + u_int32_t reqid, spi; + /** new endpont */ + ip_address new_end; +} mapping_data_t; -#if defined(linux) && defined(KERNEL26_SUPPORT) - { - bool linux_ipsec = 0; - struct stat buf; +/** + * Callback for mapping events (called by main thread) + */ +void handle_mapping(mapping_data_t *this) +{ + process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end); +} - linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0); - if (linux_ipsec) - { - plog("Using Linux 2.6 IPsec interface code"); - kernel_ops = &linux_kernel_ops; - } - else - { - plog("Using KLIPS IPsec interface code"); - } - } -#endif - if (kernel_ops->init) - { - kernel_ops->init(); - } +METHOD(kernel_listener_t, mapping, bool, + kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote) +{ + mapping_data_t *data; + DBG(DBG_CONTROL, + DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}", + spi, reqid)); + INIT(data, + .reqid = reqid, + .spi = spi, + .new_end = *(ip_address*)remote->get_sockaddr(remote), + ); + pluto->events->queue(pluto->events, (void*)handle_mapping, data, free); + return TRUE; +} +void init_kernel(void) +{ /* register SA types that we can negotiate */ - can_do_IPcomp = FALSE; /* until we get a response from KLIPS */ - kernel_ops->pfkey_register(); + can_do_IPcomp = FALSE; /* until we get a response from the kernel */ + pfkey_register(); + + INIT(kernel_handler, + .acquire = _acquire, + .mapping = _mapping, + ); + hydra->kernel_interface->add_listener(hydra->kernel_interface, + kernel_handler); +} - if (!kernel_ops->policy_lifetime) - { - event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); - } -#endif +void kernel_finalize() +{ + hydra->kernel_interface->remove_listener(hydra->kernel_interface, + kernel_handler); + free(kernel_handler); } /* Note: install_inbound_ipsec_sa is only used by the Responder. @@ -2482,13 +1664,8 @@ bool install_inbound_ipsec_sa(struct state *st) return FALSE; } -#ifdef KLIPS /* (attempt to) actually set up the SAs */ return setup_half_ipsec_sa(st, TRUE); -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()")); - return TRUE; -#endif /* !KLIPS */ } /* Install a route and then a prospective shunt eroute or an SA group eroute. @@ -2496,11 +1673,8 @@ bool install_inbound_ipsec_sa(struct state *st) * Any SA Group must have already been created. * On failure, steps will be unwound. */ -bool route_and_eroute(connection_t *c USED_BY_KLIPS, - struct spd_route *sr USED_BY_KLIPS, - struct state *st USED_BY_KLIPS) +bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st) { -#ifdef KLIPS struct spd_route *esr; struct spd_route *rosr; connection_t *ero /* who, if anyone, owns our eroute? */ @@ -2510,7 +1684,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, , route_installed = FALSE; connection_t *ero_top; - struct bare_shunt **bspp; DBG(DBG_CONTROLMORE, DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu" @@ -2537,15 +1710,9 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, break; #endif - bspp = (ero == NULL) - ? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol) - : NULL; - /* install the eroute */ - passert(bspp == NULL || ero == NULL); /* only one non-NULL */ - - if (bspp != NULL || ero != NULL) + if (ero != NULL) { /* We're replacing an eroute */ @@ -2571,7 +1738,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, && samesubnet(&esr->that.client, &sr->that.client)); } #endif - /* remember to free bspp iff we make it out of here alive */ } else { @@ -2601,7 +1767,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, */ firewall_notified = st == NULL /* not a tunnel eroute */ || sr->eroute_owner != SOS_NOBODY /* already notified */ - || do_command(c, sr, "up"); /* go ahead and notify */ + || do_command(c, sr, st, "up"); /* go ahead and notify */ } /* install the route */ @@ -2616,8 +1782,8 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, else if (ro == NULL) { /* a new route: no deletion required, but preparation is */ - (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */ - route_installed = do_command(c, sr, "route"); + (void) do_command(c, sr, st, "prepare"); /* just in case; ignore failure */ + route_installed = do_command(c, sr, st, "route"); } else if (routed(sr->routing) || routes_agree(ro, c)) { @@ -2636,13 +1802,13 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, */ if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop)) { - (void) do_command(ro, sr, "unroute"); - route_installed = do_command(c, sr, "route"); + (void) do_command(ro, sr, st, "unroute"); + route_installed = do_command(c, sr, st, "route"); } else { - route_installed = do_command(c, sr, "route"); - (void) do_command(ro, sr, "unroute"); + route_installed = do_command(c, sr, st, "route"); + (void) do_command(ro, sr, st, "unroute"); } /* record unrouting */ @@ -2663,11 +1829,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, { /* Success! */ - if (bspp != NULL) - { - free_bare_shunt(bspp); - } - else if (ero != NULL && ero != c) + if (ero != NULL && ero != c) { /* check if ero is an ancestor of c. */ connection_t *ero2; @@ -2713,7 +1875,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, { /* Failure! Unwind our work. */ if (firewall_notified && sr->eroute_owner == SOS_NOBODY) - (void) do_command(c, sr, "down"); + (void) do_command(c, sr, st, "down"); if (eroute_installed) { @@ -2721,28 +1883,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, * Since there is nothing much to be done if the restoration * fails, ignore success or failure. */ - if (bspp != NULL) - { - /* Restore old bare_shunt. - * I don't think that this case is very likely. - * Normally a bare shunt would have been assigned - * to a connection before we've gotten this far. - */ - struct bare_shunt *bs = *bspp; - - (void) raw_eroute(&bs->said.dst /* should be useless */ - , &bs->ours - , &bs->said.dst /* should be useless */ - , &bs->his - , bs->said.spi /* network order */ - , SA_INT - , SADB_X_SATYPE_INT - , 0 - , null_proto_info - , SHUNT_PATIENCE - , ERO_REPLACE, "restore"); - } - else if (ero != NULL) + if (ero != NULL) { /* restore ero's former glory */ if (esr->eroute_owner == SOS_NOBODY) @@ -2781,14 +1922,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, return FALSE; } -#else /* !KLIPS */ - return TRUE; -#endif /* !KLIPS */ } -bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) +bool install_ipsec_sa(struct state *st, bool inbound_also) { -#ifdef KLIPS struct spd_route *sr; DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s" @@ -2838,21 +1975,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) } } } -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s" - , inbound_also? "inbound and oubound" : "outbound only")); - - switch (could_route(st->st_connection)) - { - case route_easy: - case route_nearconflict: - break; - default: - return FALSE; - } - - -#endif /* !KLIPS */ return TRUE; } @@ -2861,10 +1983,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) * we may not succeed, but we bull ahead anyway because * we cannot do anything better by recognizing failure */ -void delete_ipsec_sa(struct state *st USED_BY_KLIPS, - bool inbound_only USED_BY_KLIPS) +void delete_ipsec_sa(struct state *st, bool inbound_only) { -#ifdef KLIPS if (!inbound_only) { /* If the state is the eroute owner, we must adjust @@ -2890,7 +2010,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE; - (void) do_command(c, sr, "down"); + (void) do_command(c, sr, st, "down"); if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE) { /* in this special case, even if the connection @@ -2911,46 +2031,41 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, (void) teardown_half_ipsec_sa(st, FALSE); } (void) teardown_half_ipsec_sa(st, TRUE); -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()")); -#endif /* !KLIPS */ } -#ifdef KLIPS static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound) { connection_t *c = st->st_connection; - char text_said[SATOT_BUF]; - struct kernel_sa sa; - ip_address - src = inbound? c->spd.that.host_addr : c->spd.this.host_addr, - dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr; - - ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; - - u_int16_t - natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port, - natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; - - set_text_said(text_said, &dst, esp_spi, SA_ESP); - - memset(&sa, 0, sizeof(sa)); - sa.spi = esp_spi; - sa.src = &src; - sa.dst = &dst; - sa.text_said = text_said; - sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth); - sa.natt_sport = natt_sport; - sa.natt_dport = natt_dport; - sa.transid = st->st_esp.attrs.transid; - - return kernel_ops->add_sa(&sa, TRUE); + host_t *host_src, *host_dst, *new_src, *new_dst; + ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi; + struct end *src = inbound ? &c->spd.that : &c->spd.this, + *dst = inbound ? &c->spd.this : &c->spd.that; + mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out; + bool result; + + host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr); + host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr); + + new_src = host_src->clone(host_src); + new_dst = host_dst->clone(host_dst); + new_src->set_port(new_src, src->host_port); + new_dst->set_port(new_dst, dst->host_port); + + result = hydra->kernel_interface->update_sa(hydra->kernel_interface, + spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst, + new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */, + mark) == SUCCESS; + + host_src->destroy(host_src); + host_dst->destroy(host_dst); + new_src->destroy(new_src); + new_dst->destroy(new_dst); + + return result; } -#endif -bool update_ipsec_sa (struct state *st USED_BY_KLIPS) +bool update_ipsec_sa (struct state *st) { -#ifdef KLIPS if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) { if (st->st_esp.present && ( @@ -2973,10 +2088,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS) return FALSE; } return TRUE; -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()")); - return TRUE; -#endif /* !KLIPS */ } /* Check if there was traffic on given SA during the last idle_max @@ -2986,102 +2097,17 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS) */ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time) { - static const char procname[] = "/proc/net/ipsec_spi"; - FILE *f; - char buf[1024]; + time_t use_time; u_int bytes; int ret = TRUE; passert(st != NULL); - f = fopen(procname, "r"); - if (f == NULL) + if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME) { - /* Can't open the file, perhaps were are on 26sec? */ - time_t use_time; - - if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME) - { - *idle_time = time(NULL) - use_time; - ret = *idle_time >= idle_max; - } + *idle_time = time_monotonic(NULL) - use_time; + ret = *idle_time >= idle_max; } - else - { - while (f != NULL) - { - char *line; - char text_said[SATOT_BUF]; - u_int8_t proto = 0; - ip_address dst; - ip_said said; - ipsec_spi_t spi = 0; - static const char idle[] = "idle="; - - dst = st->st_connection->spd.this.host_addr; /* inbound SA */ - if (st->st_ah.present) - { - proto = SA_AH; - spi = st->st_ah.our_spi; - } - if (st->st_esp.present) - { - proto = SA_ESP; - spi = st->st_esp.our_spi; - } - - if (proto == 0 && spi == 0) - { - ret = TRUE; - break; - } - initsaid(&dst, spi, proto, &said); - satot(&said, 'x', text_said, SATOT_BUF); - - line = fgets(buf, sizeof(buf), f); - if (line == NULL) - { - /* Reached end of list */ - ret = TRUE; - break; - } - - if (strneq(line, text_said, strlen(text_said))) - { - /* we found a match, now try to find idle= */ - char *p = strstr(line, idle); - - if (p == NULL) - { - /* SAs which haven't been used yet don't have it */ - ret = TRUE; /* it didn't have traffic */ - break; - } - p += sizeof(idle)-1; - if (*p == '\0') - { - ret = TRUE; /* be paranoid */ - break; - } - if (sscanf(p, "%d", (int *) idle_time) <= 0) - { - ret = TRUE; - break; - } - if (*idle_time >= idle_max) - { - ret = TRUE; - break; - } - else - { - ret = FALSE; - break; - } - } - } - fclose(f); - } return ret; } diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h index 06850abfd..1fa11c50e 100644 --- a/src/pluto/kernel.h +++ b/src/pluto/kernel.h @@ -14,10 +14,8 @@ #include "connections.h" -extern bool no_klips; /* don't actually use KLIPS */ extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */ -#ifdef KLIPS /* Declare eroute things early enough for uses. * * Flags are encoded above the low-order byte of verbs. @@ -32,8 +30,6 @@ extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */ #define ERO_DELETE SADB_X_DELFLOW #define ERO_ADD SADB_X_ADDFLOW #define ERO_REPLACE (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT)) -#define ERO_ADD_INBOUND (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) -#define ERO_DEL_INBOUND (SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) struct pfkey_proto_info { int proto; @@ -75,69 +71,6 @@ struct kernel_sa { const char *text_said; }; -struct kernel_ops { - enum { - KERNEL_TYPE_NONE, - KERNEL_TYPE_KLIPS, - KERNEL_TYPE_LINUX, - } type; - bool inbound_eroute; - bool policy_lifetime; - int *async_fdp; - - void (*init)(void); - void (*pfkey_register)(void); - void (*pfkey_register_response)(const struct sadb_msg *msg); - void (*process_queue)(void); - void (*process_msg)(void); - bool (*raw_eroute)(const ip_address *this_host, - const ip_subnet *this_client, - const ip_address *that_host, - const ip_subnet *that_client, - ipsec_spi_t spi, - unsigned int satype, - unsigned int transport_proto, - const struct pfkey_proto_info *proto_info, - time_t use_lifetime, - unsigned int op, - const char *text_said); - bool (*get_policy)(const struct kernel_sa *sa, bool inbound, - time_t *use_time); - bool (*add_sa)(const struct kernel_sa *sa, bool replace); - bool (*grp_sa)(const struct kernel_sa *sa_outer, - const struct kernel_sa *sa_inner); - bool (*del_sa)(const struct kernel_sa *sa); - bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes); - ipsec_spi_t (*get_spi)(const ip_address *src, - const ip_address *dst, - int proto, - bool tunnel_mode, - unsigned reqid, - ipsec_spi_t min, - ipsec_spi_t max, - const char *text_said); -}; - - -extern const struct kernel_ops *kernel_ops; - -/* information from /proc/net/ipsec_eroute */ - -struct eroute_info { - unsigned long count; - ip_subnet ours; - ip_subnet his; - ip_address dst; - ip_said said; - int transport_proto; - struct eroute_info *next; -}; - -extern struct eroute_info *orphaned_holds; - -extern void show_shunt_status(void); -#endif - /* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group. * Is there a PF_KEY equivalent? */ @@ -151,22 +84,11 @@ extern void record_and_initiate_opportunistic(const ip_subnet * , const char *why); extern void init_kernel(void); - -extern void scan_proc_shunts(void); +extern void kernel_finalize(void); extern bool trap_connection(struct connection *c); extern void unroute_connection(struct connection *c); -extern bool has_bare_hold(const ip_address *src, const ip_address *dst - , int transport_proto); - -extern bool replace_bare_shunt(const ip_address *src, const ip_address *dst - , policy_prio_t policy_prio - , ipsec_spi_t shunt_spi /* in host order! */ - , bool repl - , unsigned int transport_proto - , const char *why); - extern bool assign_hold(struct connection *c , struct spd_route *sr , int transport_proto diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 7c2855edc..2a195cffc 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -105,7 +105,7 @@ const struct sadb_alg* kernel_alg_sadb_alg_get(int satype, int exttype, */ static void kernel_alg_init(void) { - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)", &esp_aalg, (int)sizeof (esp_aalg), &esp_ealg, (int)sizeof (esp_ealg)) @@ -121,7 +121,7 @@ static int kernel_alg_add(int satype, int exttype, struct sadb_alg *alg_p = NULL; int alg_id = sadb_alg->sadb_alg_id; - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d", satype, exttype, sadb_alg->sadb_alg_id) ) @@ -131,7 +131,7 @@ static int kernel_alg_add(int satype, int exttype, /* This logic "mimics" KLIPS: first algo implementation will be used */ if (alg_p->sadb_alg_id) { - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_add(): discarding already setup " "satype=%d, exttype=%d, alg_id=%d", satype, exttype, sadb_alg->sadb_alg_id) @@ -172,7 +172,7 @@ bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len, out: if (ret) { - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_esp_enc_ok(%d,%d): " "alg_id=%d, " "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " @@ -188,7 +188,7 @@ out: } else { - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len); ) } @@ -253,66 +253,6 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, } /** - * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c - */ -int kernel_alg_proc_read(void) -{ - int satype; - int supp_exttype; - int alg_id, ivlen, minbits, maxbits; - struct sadb_alg sadb_alg; - int ret; - char buf[128]; - - FILE *fp=fopen("/proc/net/pf_key_supported", "r"); - - if (!fp) - return -1; - - kernel_alg_init(); - - while (fgets(buf, sizeof(buf), fp)) - { - if (buf[0] != ' ') /* skip titles */ - continue; - - sscanf(buf, "%d %d %d %d %d %d" - ,&satype, &supp_exttype - , &alg_id, &ivlen - , &minbits, &maxbits); - - switch (satype) - { - case SADB_SATYPE_ESP: - switch(supp_exttype) - { - case SADB_EXT_SUPPORTED_AUTH: - case SADB_EXT_SUPPORTED_ENCRYPT: - sadb_alg.sadb_alg_id = alg_id; - sadb_alg.sadb_alg_ivlen = ivlen; - sadb_alg.sadb_alg_minbits = minbits; - sadb_alg.sadb_alg_maxbits = maxbits; - ret = kernel_alg_add(satype, supp_exttype, &sadb_alg); - DBG(DBG_CRYPT, - DBG_log("kernel_alg_proc_read() alg_id=%d, " - "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " - "ret=%d" - , sadb_alg.sadb_alg_id - , sadb_alg.sadb_alg_ivlen - , sadb_alg.sadb_alg_minbits - , sadb_alg.sadb_alg_maxbits - , ret) - ) - } - default: - continue; - } - } - fclose(fp); - return 0; -} - -/** * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c */ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) @@ -346,7 +286,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) int supp_exttype = sadb.supported->sadb_supported_exttype; int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN; - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: " "sadb_msg_len=%d sadb_supported_len=%d" , satype==SADB_SATYPE_ESP? "ESP" : "AH" @@ -363,7 +303,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) { kernel_alg_add(satype, supp_exttype, sadb.alg); - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: " "alg[%d], exttype=%d, satype=%d, alg_id=%d, " "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " @@ -438,7 +378,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) } none: - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d", alg_id, keylen) ) @@ -450,7 +390,7 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id) struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id)) ? &esp_ealg[alg_id] : NULL; - DBG(DBG_KLIPS, + DBG(DBG_KERNEL, DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p" , alg_id, sadb_alg) ) diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h index 5ce8c3003..4c757db41 100644 --- a/src/pluto/kernel_alg.h +++ b/src/pluto/kernel_alg.h @@ -33,7 +33,6 @@ extern bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struc extern u_int kernel_alg_esp_enc_keylen(u_int alg_id); extern bool kernel_alg_esp_auth_ok(u_int auth, struct alg_info_esp *nfo); extern u_int kernel_alg_esp_auth_keylen(u_int auth); -extern int kernel_alg_proc_read(void); extern void kernel_alg_list(void); /* get sadb_alg for passed args */ diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c deleted file mode 100644 index 75d0c98d3..000000000 --- a/src/pluto/kernel_netlink.c +++ /dev/null @@ -1,1319 +0,0 @@ -/* netlink interface to the kernel's IPsec mechanism - * Copyright (C) 2003 Herbert Xu. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#if defined(linux) && defined(KERNEL26_SUPPORT) - -#include <errno.h> -#include <fcntl.h> -#include <string.h> -#include <sys/queue.h> -#include <sys/socket.h> -#include <sys/types.h> -#include <sys/queue.h> -#include <unistd.h> -#include <linux/xfrm.h> -#include <linux/rtnetlink.h> - -#include "kameipsec.h" - -#include <freeswan.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -#include "constants.h" -#include "defs.h" -#include "kernel.h" -#include "kernel_netlink.h" -#include "kernel_pfkey.h" -#include "log.h" -#include "whack.h" /* for RC_LOG_SERIOUS */ -#include "kernel_alg.h" - -/** required for Linux 2.6.26 kernel and later */ -#ifndef XFRM_STATE_AF_UNSPEC -#define XFRM_STATE_AF_UNSPEC 32 -#endif - -/* Minimum priority number in SPD used by pluto. */ -#define MIN_SPD_PRIORITY 1024 - -static int netlinkfd = NULL_FD; -static int netlink_bcast_fd = NULL_FD; - -#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */ - -static sparse_names xfrm_type_names = { - NE(NLMSG_NOOP), - NE(NLMSG_ERROR), - NE(NLMSG_DONE), - NE(NLMSG_OVERRUN), - - NE(XFRM_MSG_NEWSA), - NE(XFRM_MSG_DELSA), - NE(XFRM_MSG_GETSA), - - NE(XFRM_MSG_NEWPOLICY), - NE(XFRM_MSG_DELPOLICY), - NE(XFRM_MSG_GETPOLICY), - - NE(XFRM_MSG_ALLOCSPI), - NE(XFRM_MSG_ACQUIRE), - NE(XFRM_MSG_EXPIRE), - - NE(XFRM_MSG_UPDPOLICY), - NE(XFRM_MSG_UPDSA), - - NE(XFRM_MSG_POLEXPIRE), - - NE(XFRM_MSG_MAX), - - { 0, sparse_end } -}; - -#undef NE - -/* Authentication algorithms */ -static sparse_names aalg_list = { - { SADB_X_AALG_NULL, "digest_null" }, - { SADB_AALG_MD5HMAC, "md5" }, - { SADB_AALG_SHA1HMAC, "sha1" }, - { SADB_X_AALG_SHA2_256_96HMAC, "sha256" }, - { SADB_X_AALG_SHA2_256HMAC, "hmac(sha256)" }, - { SADB_X_AALG_SHA2_384HMAC, "hmac(sha384)" }, - { SADB_X_AALG_SHA2_512HMAC, "hmac(sha512)" }, - { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, - { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, - { 0, sparse_end } -}; - -/* Encryption algorithms */ -static sparse_names ealg_list = { - { SADB_EALG_NULL, "cipher_null" }, - { SADB_EALG_DESCBC, "des" }, - { SADB_EALG_3DESCBC, "des3_ede" }, - { SADB_X_EALG_CASTCBC, "cast128" }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, - { SADB_X_EALG_AESCBC, "aes" }, - { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" }, - { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, - { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, - { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, - { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, - { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, - { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, - { SADB_X_EALG_NULL_AES_GMAC, "rfc4543(gcm(aes))" }, - { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, - { SADB_X_EALG_SERPENTCBC, "serpent" }, - { SADB_X_EALG_TWOFISHCBC, "twofish" }, - { 0, sparse_end } -}; - -/* Compression algorithms */ -static sparse_names calg_list = { - { SADB_X_CALG_DEFLATE, "deflate" }, - { SADB_X_CALG_LZS, "lzs" }, - { SADB_X_CALG_LZJH, "lzjh" }, - { 0, sparse_end } -}; - -/** ip2xfrm - Take an IP address and convert to an xfrm. - * - * @param addr ip_address - * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here. - */ -static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) -{ - if (addr->u.v4.sin_family == AF_INET) - { - xaddr->a4 = addr->u.v4.sin_addr.s_addr; - } - else - { - memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6)); - } -} - -/** init_netlink - Initialize the netlink inferface. Opens the sockets and - * then binds to the broadcast socket. - */ -static void init_netlink(void) -{ - struct sockaddr_nl addr; - - netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); - - if (netlinkfd < 0) - { - exit_log_errno((e, "socket() in init_netlink()")); - } - if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0) - { - exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()")); - } - netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); - - if (netlink_bcast_fd < 0) - { - exit_log_errno((e, "socket() for bcast in init_netlink()")); - } - if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0) - { - exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()")); - } - if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0) - { - exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()")); - } - addr.nl_family = AF_NETLINK; - addr.nl_pid = getpid(); - addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE; - if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) - { - exit_log_errno((e, "Failed to bind bcast socket in init_netlink()")); - } -} - -/** send_netlink_msg - * - * @param hdr - Data to be sent. - * @param rbuf - Return Buffer - contains data returned from the send. - * @param rbuf_len - Length of rbuf - * @param description - String - user friendly description of what is - * being attempted. Used for diagnostics - * @param text_said - String - * @return bool True if the message was succesfully sent. - */ -static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, - size_t rbuf_len, const char *description, - const char *text_said) -{ - struct { - struct nlmsghdr n; - struct nlmsgerr e; - char data[1024]; - } rsp; - - size_t len; - ssize_t r; - struct sockaddr_nl addr; - static uint32_t seq; - - if (no_klips) - { - return TRUE; - } - - hdr->nlmsg_seq = ++seq; - len = hdr->nlmsg_len; - do { - r = write(netlinkfd, hdr, len); - } - while (r < 0 && errno == EINTR); - - if (r < 0) - { - log_errno((e - , "netlink write() of %s message" - " for %s %s failed" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said)); - return FALSE; - } - else if ((size_t)r != len) - { - loglog(RC_LOG_SERIOUS - , "ERROR: netlink write() of %s message" - " for %s %s truncated: %ld instead of %lu" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said - , (long)r, (unsigned long)len); - return FALSE; - } - - for (;;) - { - socklen_t alen; - - alen = sizeof(addr); - r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0 - , (struct sockaddr *)&addr, &alen); - if (r < 0) - { - if (errno == EINTR) - { - continue; - } - log_errno((e - , "netlink recvfrom() of response to our %s message" - " for %s %s failed" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said)); - return FALSE; - } - else if ((size_t) r < sizeof(rsp.n)) - { - plog("netlink read truncated message: %ld bytes; ignore message" - , (long) r); - continue; - } - else if (addr.nl_pid != 0) - { - /* not for us: ignore */ - DBG(DBG_KLIPS, - DBG_log("netlink: ignoring %s message from process %u" - , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type) - , addr.nl_pid)); - continue; - } - else if (rsp.n.nlmsg_seq != seq) - { - DBG(DBG_KLIPS, - DBG_log("netlink: ignoring out of sequence (%u/%u) message %s" - , rsp.n.nlmsg_seq, seq - , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type))); - continue; - } - break; - } - - if (rsp.n.nlmsg_len > (size_t) r) - { - loglog(RC_LOG_SERIOUS - , "netlink recvfrom() of response to our %s message" - " for %s %s was truncated: %ld instead of %lu" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said - , (long) len, (unsigned long) rsp.n.nlmsg_len); - return FALSE; - } - else if (rsp.n.nlmsg_type != NLMSG_ERROR - && (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type)) - { - loglog(RC_LOG_SERIOUS - , "netlink recvfrom() of response to our %s message" - " for %s %s was of wrong type (%s)" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said - , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)); - return FALSE; - } - else if (rbuf) - { - if ((size_t) r > rbuf_len) - { - loglog(RC_LOG_SERIOUS - , "netlink recvfrom() of response to our %s message" - " for %s %s was too long: %ld > %lu" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , description, text_said - , (long)r, (unsigned long)rbuf_len); - return FALSE; - } - memcpy(rbuf, &rsp, r); - return TRUE; - } - else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error) - { - loglog(RC_LOG_SERIOUS - , "ERROR: netlink response for %s %s included errno %d: %s" - , description, text_said - , -rsp.e.error - , strerror(-rsp.e.error)); - return FALSE; - } - - return TRUE; -} - -/** netlink_policy - - * - * @param hdr - Data to check - * @param enoent_ok - Boolean - OK or not OK. - * @param text_said - String - * @return boolean - */ -static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, - const char *text_said) -{ - struct { - struct nlmsghdr n; - struct nlmsgerr e; - char data[1024]; - } rsp; - int error; - - rsp.n.nlmsg_type = NLMSG_ERROR; - if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said)) - { - return FALSE; - } - - error = -rsp.e.error; - if (!error) - { - return TRUE; - } - - if (error == ENOENT && enoent_ok) - { - return TRUE; - } - - loglog(RC_LOG_SERIOUS - , "ERROR: netlink %s response for flow %s included errno %d: %s" - , sparse_val_show(xfrm_type_names, hdr->nlmsg_type) - , text_said - , error - , strerror(error)); - return FALSE; -} - -/** netlink_raw_eroute - * - * @param this_host ip_address - * @param this_client ip_subnet - * @param that_host ip_address - * @param that_client ip_subnet - * @param spi - * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...) - * @param transport_proto int (Currently unused) 0=tunnel, 1=transport - * @param satype int - * @param proto_info - * @param lifetime (Currently unused) - * @param ip int - * @return boolean True if successful - */ -static bool netlink_raw_eroute(const ip_address *this_host - , const ip_subnet *this_client - , const ip_address *that_host - , const ip_subnet *that_client - , ipsec_spi_t spi - , unsigned int satype - , unsigned int transport_proto - , const struct pfkey_proto_info *proto_info - , time_t use_lifetime UNUSED - , unsigned int op - , const char *text_said) -{ - struct { - struct nlmsghdr n; - union { - struct xfrm_userpolicy_info p; - struct xfrm_userpolicy_id id; - } u; - char data[1024]; - } req; - int shift; - int dir; - int family; - int policy; - bool ok; - bool enoent_ok; - - policy = IPSEC_POLICY_IPSEC; - - if (satype == SADB_X_SATYPE_INT) - { - /* shunt route */ - switch (ntohl(spi)) - { - case SPI_PASS: - policy = IPSEC_POLICY_NONE; - break; - case SPI_DROP: - case SPI_REJECT: - default: - policy = IPSEC_POLICY_DISCARD; - break; - case SPI_TRAP: - case SPI_TRAPSUBNET: - case SPI_HOLD: - if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) - { - return TRUE; - } - break; - } - } - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - - family = that_client->addr.u.v4.sin_family; - shift = (family == AF_INET) ? 5 : 7; - - req.u.p.sel.sport = portof(&this_client->addr); - req.u.p.sel.dport = portof(&that_client->addr); - req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0; - req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0; - ip2xfrm(&this_client->addr, &req.u.p.sel.saddr); - ip2xfrm(&that_client->addr, &req.u.p.sel.daddr); - req.u.p.sel.prefixlen_s = this_client->maskbits; - req.u.p.sel.prefixlen_d = that_client->maskbits; - req.u.p.sel.proto = transport_proto; - req.u.p.sel.family = family; - - dir = XFRM_POLICY_OUT; - if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT)) - { - dir = XFRM_POLICY_IN; - } - - if ((op & ERO_MASK) == ERO_DELETE) - { - req.u.id.dir = dir; - req.n.nlmsg_type = XFRM_MSG_DELPOLICY; - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id))); - } - else - { - int src, dst; - - req.u.p.dir = dir; - - src = req.u.p.sel.prefixlen_s; - dst = req.u.p.sel.prefixlen_d; - if (dir != XFRM_POLICY_OUT) { - src = req.u.p.sel.prefixlen_d; - dst = req.u.p.sel.prefixlen_s; - } - req.u.p.priority = MIN_SPD_PRIORITY - + (((2 << shift) - src) << shift) - + (2 << shift) - dst; - - req.u.p.action = XFRM_POLICY_ALLOW; - if (policy == IPSEC_POLICY_DISCARD) - { - req.u.p.action = XFRM_POLICY_BLOCK; - } - req.u.p.lft.soft_use_expires_seconds = use_lifetime; - req.u.p.lft.soft_byte_limit = XFRM_INF; - req.u.p.lft.soft_packet_limit = XFRM_INF; - req.u.p.lft.hard_byte_limit = XFRM_INF; - req.u.p.lft.hard_packet_limit = XFRM_INF; - - req.n.nlmsg_type = XFRM_MSG_NEWPOLICY; - if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT)) - { - req.n.nlmsg_type = XFRM_MSG_UPDPOLICY; - } - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p))); - } - - if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE) - { - struct rtattr *attr; - struct xfrm_user_tmpl tmpl[4]; - int i; - - memset(tmpl, 0, sizeof(tmpl)); - for (i = 0; proto_info[i].proto; i++) - { - tmpl[i].reqid = proto_info[i].reqid; - tmpl[i].id.proto = proto_info[i].proto; - tmpl[i].optional = - proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT; - tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0; - tmpl[i].family = that_host->u.v4.sin_family; - tmpl[i].mode = - proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; - if (!tmpl[i].mode) - { - continue; - } - - ip2xfrm(this_host, &tmpl[i].saddr); - ip2xfrm(that_host, &tmpl[i].id.daddr); - } - - attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len); - attr->rta_type = XFRMA_TMPL; - attr->rta_len = i * sizeof(tmpl[0]); - memcpy(RTA_DATA(attr), tmpl, attr->rta_len); - attr->rta_len = RTA_LENGTH(attr->rta_len); - req.n.nlmsg_len += attr->rta_len; - } - - enoent_ok = FALSE; - if (op == ERO_DEL_INBOUND) - { - enoent_ok = TRUE; - } - else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD) - { - enoent_ok = TRUE; - } - - ok = netlink_policy(&req.n, enoent_ok, text_said); - switch (dir) - { - case XFRM_POLICY_IN: - if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY) - { - req.u.id.dir = XFRM_POLICY_FWD; - } - else if (!ok) - { - break; - } - else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL - && satype != SADB_X_SATYPE_INT) - { - break; - } - else - { - req.u.p.dir = XFRM_POLICY_FWD; - } - ok &= netlink_policy(&req.n, enoent_ok, text_said); - break; - } - - return ok; -} - -/** netlink_add_sa - Add an SA into the kernel SPDB via netlink - * - * @param sa Kernel SA to add/modify - * @param replace boolean - true if this replaces an existing SA - * @return bool True if successfull - */ -static bool netlink_add_sa(const struct kernel_sa *sa, bool replace) -{ - struct { - struct nlmsghdr n; - struct xfrm_usersa_info p; - char data[1024]; - } req; - struct rtattr *attr; - u_int16_t icv_size = 64; - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; - - ip2xfrm(sa->src, &req.p.saddr); - ip2xfrm(sa->dst, &req.p.id.daddr); - - req.p.id.spi = sa->spi; - req.p.id.proto = satype2proto(sa->satype); - req.p.family = sa->src->u.v4.sin_family; - if (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL) - { - req.p.mode = XFRM_MODE_TUNNEL; - req.p.flags |= XFRM_STATE_AF_UNSPEC; - } - else - { - req.p.mode = XFRM_MODE_TRANSPORT; - } - req.p.replay_window = sa->replay_window; - req.p.reqid = sa->reqid; - req.p.lft.soft_byte_limit = XFRM_INF; - req.p.lft.soft_packet_limit = XFRM_INF; - req.p.lft.hard_byte_limit = XFRM_INF; - req.p.lft.hard_packet_limit = XFRM_INF; - - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p))); - - attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len); - - if (sa->authalg) - { - const char *name; - - name = sparse_name(aalg_list, sa->authalg); - if (!name) - { - loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u" - , sa->authalg); - return FALSE; - } - DBG(DBG_CRYPT, - DBG_log("configured authentication algorithm %s with key size %d", - enum_show(&auth_alg_names, sa->authalg), - sa->authkeylen * BITS_PER_BYTE) - ) - - if (sa->authalg == SADB_X_AALG_SHA2_256HMAC) - { - struct xfrm_algo_auth algo; - - /* the kernel uses SHA256 with 96 bit truncation by default, - * use specified truncation size supported by newer kernels */ - strcpy(algo.alg_name, name); - algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE; - algo.alg_trunc_len = 128; - - attr->rta_type = XFRMA_ALG_AUTH_TRUNC; - attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey - , sa->authkeylen); - } - else - { - struct xfrm_algo algo; - - strcpy(algo.alg_name, name); - algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE; - - attr->rta_type = XFRMA_ALG_AUTH; - attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey - , sa->authkeylen); - } - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); - } - - switch (sa->encalg) - { - case SADB_EALG_NONE: - /* no encryption */ - break; - case SADB_X_EALG_AES_CCM_ICV16: - case SADB_X_EALG_AES_GCM_ICV16: - case SADB_X_EALG_NULL_AES_GMAC: - icv_size += 32; - /* FALL */ - case SADB_X_EALG_AES_CCM_ICV12: - case SADB_X_EALG_AES_GCM_ICV12: - icv_size += 32; - /* FALL */ - case SADB_X_EALG_AES_CCM_ICV8: - case SADB_X_EALG_AES_GCM_ICV8: - { - struct xfrm_algo_aead *algo; - const char *name; - - name = sparse_name(ealg_list, sa->encalg); - if (!name) - { - loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", - sa->encalg); - return FALSE; - } - DBG(DBG_CRYPT, - DBG_log("configured esp encryption algorithm %s with key size %d", - enum_show(&esp_transform_names, sa->encalg), - sa->enckeylen * BITS_PER_BYTE) - ) - attr->rta_type = XFRMA_ALG_AEAD; - attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen); - req.n.nlmsg_len += attr->rta_len; - - algo = (struct xfrm_algo_aead*)RTA_DATA(attr); - algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; - algo->alg_icv_len = icv_size; - strcpy(algo->alg_name, name); - memcpy(algo->alg_key, sa->enckey, sa->enckeylen); - - attr = (struct rtattr *)((char *)attr + attr->rta_len); - break; - } - default: - { - struct xfrm_algo *algo; - const char *name; - - name = sparse_name(ealg_list, sa->encalg); - if (!name) - { - loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", - sa->encalg); - return FALSE; - } - DBG(DBG_CRYPT, - DBG_log("configured esp encryption algorithm %s with key size %d", - enum_show(&esp_transform_names, sa->encalg), - sa->enckeylen * BITS_PER_BYTE) - ) - attr->rta_type = XFRMA_ALG_CRYPT; - attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen); - req.n.nlmsg_len += attr->rta_len; - - algo = (struct xfrm_algo*)RTA_DATA(attr); - algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; - strcpy(algo->alg_name, name); - memcpy(algo->alg_key, sa->enckey, sa->enckeylen); - - attr = (struct rtattr *)((char *)attr + attr->rta_len); - } - } - - if (sa->compalg) - { - struct xfrm_algo algo; - const char *name; - - name = sparse_name(calg_list, sa->compalg); - if (!name) - { - loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u" - , sa->compalg); - return FALSE; - } - - strcpy(algo.alg_name, name); - algo.alg_key_len = 0; - - attr->rta_type = XFRMA_ALG_COMP; - attr->rta_len = RTA_LENGTH(sizeof(algo)); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); - } - - if (sa->natt_type) - { - struct xfrm_encap_tmpl natt; - - natt.encap_type = sa->natt_type; - natt.encap_sport = ntohs(sa->natt_sport); - natt.encap_dport = ntohs(sa->natt_dport); - memset (&natt.encap_oa, 0, sizeof (natt.encap_oa)); - - attr->rta_type = XFRMA_ENCAP; - attr->rta_len = RTA_LENGTH(sizeof(natt)); - - memcpy(RTA_DATA(attr), &natt, sizeof(natt)); - - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); - } - - return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said); -} - -/** netlink_del_sa - Delete an SA from the Kernel - * - * @param sa Kernel SA to be deleted - * @return bool True if successfull - */ -static bool netlink_del_sa(const struct kernel_sa *sa) -{ - struct { - struct nlmsghdr n; - struct xfrm_usersa_id id; - char data[1024]; - } req; - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - req.n.nlmsg_type = XFRM_MSG_DELSA; - - ip2xfrm(sa->dst, &req.id.daddr); - - req.id.spi = sa->spi; - req.id.family = sa->src->u.v4.sin_family; - req.id.proto = sa->proto; - - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id))); - - return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said); -} - -static bool netlink_error(const char *req_type, const struct nlmsghdr *n, - const struct nlmsgerr *e, int rsp_size) -{ - if (n->nlmsg_type == NLMSG_ERROR) - { - DBG(DBG_KLIPS, - DBG_log("%s returned with errno %d: %s" - , req_type - , -e->error - , strerror(-e->error)) - ) - return TRUE; - } - if (n->nlmsg_len < NLMSG_LENGTH(rsp_size)) - { - plog("%s returned message with length %lu < %lu bytes" - , req_type - , (unsigned long) n->nlmsg_len - , (unsigned long) rsp_size); - return TRUE; - } - return FALSE; -} - -static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound, - time_t *use_time) -{ - struct { - struct nlmsghdr n; - struct xfrm_userpolicy_id id; - } req; - - struct { - struct nlmsghdr n; - union { - struct nlmsgerr e; - struct xfrm_userpolicy_info info; - } u; - char data[1024]; - } rsp; - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST; - req.n.nlmsg_type = XFRM_MSG_GETPOLICY; - - req.id.sel.sport = portof(&sa->src_client->addr); - req.id.sel.dport = portof(&sa->dst_client->addr); - req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0; - req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0; - ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr); - ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr); - req.id.sel.prefixlen_s = sa->src_client->maskbits; - req.id.sel.prefixlen_d = sa->dst_client->maskbits; - req.id.sel.proto = sa->transport_proto; - req.id.sel.family = sa->dst_client->addr.u.v4.sin_family; - - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id))); - rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY; - - req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT; - - if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) - { - return FALSE; - } - if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) - { - return FALSE; - } - *use_time = (time_t)rsp.u.info.curlft.use_time; - - if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL) - { - time_t use_time_fwd; - - req.id.dir = XFRM_POLICY_FWD; - - if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) - { - return FALSE; - } - if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) - { - return FALSE; - } - use_time_fwd = (time_t)rsp.u.info.curlft.use_time; - *use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd; - } - return TRUE; -} - - -/** netlink_get_sa - Get information about an SA from the Kernel - * - * @param sa Kernel SA to be queried - * @return bool True if successfull - */ -static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) -{ - struct { - struct nlmsghdr n; - struct xfrm_usersa_id id; - } req; - - struct { - struct nlmsghdr n; - union { - struct nlmsgerr e; - struct xfrm_usersa_info info; - } u; - char data[1024]; - } rsp; - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST; - req.n.nlmsg_type = XFRM_MSG_GETSA; - - ip2xfrm(sa->dst, &req.id.daddr); - - req.id.spi = sa->spi; - req.id.family = sa->src->u.v4.sin_family; - req.id.proto = sa->proto; - - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id))); - rsp.n.nlmsg_type = XFRM_MSG_NEWSA; - - if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said)) - { - return FALSE; - } - if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) - { - return FALSE; - } - *bytes = (u_int) rsp.u.info.curlft.bytes; - return TRUE; -} - -static void linux_pfkey_register_response(const struct sadb_msg *msg) -{ - switch (msg->sadb_msg_satype) - { - case SADB_SATYPE_ESP: -#ifndef NO_KERNEL_ALG - kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); -#endif - break; - case SADB_X_SATYPE_IPCOMP: - can_do_IPcomp = TRUE; - break; - default: - break; - } -} - -/** linux_pfkey_register - Register via PFKEY our capabilities - * - */ -static void linux_pfkey_register(void) -{ - pfkey_register_proto(SADB_SATYPE_AH, "AH"); - pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); - pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP"); - pfkey_close(); -} - -/** Create ip_address out of xfrm_address_t. - * - * @param family - * @param src xfrm formatted IP address - * @param dst ip_address formatted destination - * @return err_t NULL if okay, otherwise an error - */ -static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, - ip_address *dst) -{ - switch (family) - { - case AF_INET: /* IPv4 */ - case AF_UNSPEC: /* Unspecified, we assume IPv4 */ - initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst); - return NULL; - case AF_INET6: /* IPv6 */ - initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst); - return NULL; - default: - return "unknown address family"; - } -} - -/* Create a pair of ip_address's out of xfrm_sel. - * - * @param sel xfrm selector - * @param src ip_address formatted source - * @param dst ip_address formatted destination - * @return err_t NULL if okay, otherwise an error - */ -static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel, - ip_address *src, ip_address *dst) -{ - int family; - err_t ugh; - - family = sel->family; - - if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src)) - || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst))) - { - return ugh; - } - - /* family has been verified in xfrm_to_ip_address. */ - if (family == AF_INET) - { - src->u.v4.sin_port = sel->sport; - dst->u.v4.sin_port = sel->dport; - } - else - { - src->u.v6.sin6_port = sel->sport; - dst->u.v6.sin6_port = sel->dport; - } - - return NULL; -} - -static void netlink_acquire(struct nlmsghdr *n) -{ - struct xfrm_user_acquire *acquire; - ip_address src, dst; - ip_subnet ours, his; - unsigned transport_proto; - err_t ugh = NULL; - - if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire))) - { - plog("netlink_acquire got message with length %lu < %lu bytes; ignore message" - , (unsigned long) n->nlmsg_len - , (unsigned long) sizeof(*acquire)); - return; - } - - acquire = NLMSG_DATA(n); - transport_proto = acquire->sel.proto; - - /* XXX also the type of src/dst should be checked to make sure - * that they aren't v4 to v6 or something goofy - */ - - if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst)) - && !(ugh = addrtosubnet(&src, &ours)) - && !(ugh = addrtosubnet(&dst, &his))) - { - record_and_initiate_opportunistic(&ours, &his, transport_proto - , "%acquire-netlink"); - } - if (ugh != NULL) - { - plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh); - } -} - -static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol) -{ - ip_address src, dst; - unsigned transport_proto; - err_t ugh = NULL; - - transport_proto = pol->sel.proto; - - if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst))) - { - plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh); - return; - } - - replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto - , "delete expired bare shunt"); -} - -static void netlink_policy_expire(struct nlmsghdr *n) -{ - struct xfrm_user_polexpire *upe; - struct { - struct nlmsghdr n; - struct xfrm_userpolicy_id id; - } req; - - struct { - struct nlmsghdr n; - union { - struct nlmsgerr e; - struct xfrm_userpolicy_info pol; - } u; - char data[1024]; - } rsp; - - if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe))) - { - plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message" - , (unsigned long) n->nlmsg_len - , (unsigned long) sizeof(*upe)); - return; - } - - upe = NLMSG_DATA(n); - req.id.dir = upe->pol.dir; - req.id.index = upe->pol.index; - req.n.nlmsg_flags = NLM_F_REQUEST; - req.n.nlmsg_type = XFRM_MSG_GETPOLICY; - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id))); - - rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY; - - if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) - { - return; - } - if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol))) - { - return; - } - if (req.id.index != rsp.u.pol.index) - { - DBG(DBG_KLIPS, - DBG_log("netlink_policy_expire: policy was replaced: " - "dir=%d, oldindex=%d, newindex=%d" - , req.id.dir, req.id.index, rsp.u.pol.index)); - return; - } - - if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time) - { - DBG(DBG_KLIPS, - DBG_log("netlink_policy_expire: policy was replaced " - " and you have won the lottery: " - "dir=%d, index=%d" - , req.id.dir, req.id.index)); - return; - } - - switch (upe->pol.dir) - { - case XFRM_POLICY_OUT: - netlink_shunt_expire(&rsp.u.pol); - break; - } -} - -static bool netlink_get(void) -{ - struct { - struct nlmsghdr n; - char data[1024]; - } rsp; - ssize_t r; - struct sockaddr_nl addr; - socklen_t alen; - - alen = sizeof(addr); - r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0 - , (struct sockaddr *)&addr, &alen); - if (r < 0) - { - if (errno == EAGAIN) - return FALSE; - if (errno != EINTR) - log_errno((e, "recvfrom() failed in netlink_get")); - return TRUE; - } - else if ((size_t) r < sizeof(rsp.n)) - { - plog("netlink_get read truncated message: %ld bytes; ignore message" - , (long) r); - return TRUE; - } - else if (addr.nl_pid != 0) - { - /* not for us: ignore */ - DBG(DBG_KLIPS, - DBG_log("netlink_get: ignoring %s message from process %u" - , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type) - , addr.nl_pid)); - return TRUE; - } - else if ((size_t) r != rsp.n.nlmsg_len) - { - plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message" - , (long) r - , (unsigned long) rsp.n.nlmsg_len); - return TRUE; - } - - DBG(DBG_KLIPS, - DBG_log("netlink_get: %s message" - , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type))); - - switch (rsp.n.nlmsg_type) - { - case XFRM_MSG_ACQUIRE: - netlink_acquire(&rsp.n); - break; - case XFRM_MSG_POLEXPIRE: - netlink_policy_expire(&rsp.n); - break; - default: - /* ignored */ - break; - } - - return TRUE; -} - -static void netlink_process_msg(void) -{ - while (netlink_get()); -} - -static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst, - int proto, bool tunnel_mode, unsigned reqid, - ipsec_spi_t min, ipsec_spi_t max, - const char *text_said) -{ - struct { - struct nlmsghdr n; - struct xfrm_userspi_info spi; - } req; - - struct { - struct nlmsghdr n; - union { - struct nlmsgerr e; - struct xfrm_usersa_info sa; - } u; - char data[1024]; - } rsp; - - memset(&req, 0, sizeof(req)); - req.n.nlmsg_flags = NLM_F_REQUEST; - req.n.nlmsg_type = XFRM_MSG_ALLOCSPI; - - ip2xfrm(src, &req.spi.info.saddr); - ip2xfrm(dst, &req.spi.info.id.daddr); - req.spi.info.mode = tunnel_mode; - req.spi.info.reqid = reqid; - req.spi.info.id.proto = proto; - req.spi.info.family = src->u.v4.sin_family; - req.spi.min = min; - req.spi.max = max; - - req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi))); - rsp.n.nlmsg_type = XFRM_MSG_NEWSA; - - if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said)) - { - return 0; - } - if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa))) - { - return 0; - } - DBG(DBG_KLIPS, - DBG_log("netlink_get_spi: allocated 0x%x for %s" - , ntohl(rsp.u.sa.id.spi), text_said)); - return rsp.u.sa.id.spi; -} - -const struct kernel_ops linux_kernel_ops = { - type: KERNEL_TYPE_LINUX, - inbound_eroute: 1, - policy_lifetime: 1, - async_fdp: &netlink_bcast_fd, - - init: init_netlink, - pfkey_register: linux_pfkey_register, - pfkey_register_response: linux_pfkey_register_response, - process_msg: netlink_process_msg, - raw_eroute: netlink_raw_eroute, - get_policy: netlink_get_policy, - add_sa: netlink_add_sa, - del_sa: netlink_del_sa, - get_sa: netlink_get_sa, - process_queue: NULL, - grp_sa: NULL, - get_spi: netlink_get_spi, -}; -#endif /* linux && KLIPS */ diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c deleted file mode 100644 index e99efe062..000000000 --- a/src/pluto/kernel_noklips.c +++ /dev/null @@ -1,124 +0,0 @@ -/* interface to fake kernel interface, used for testing pluto in-vitro. - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2002 D. Hugh Redelmeier. - * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> - * Copyright (C) 2003 Herbert Xu. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <errno.h> -#include <fcntl.h> -#include <stddef.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include <sys/select.h> -#include <sys/time.h> -#include <sys/socket.h> -#include <sys/types.h> -#include <sys/queue.h> - -#include <freeswan.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -#include "constants.h" -#include "defs.h" -#include "kernel.h" -#include "kernel_noklips.h" -#include "log.h" -#include "whack.h" /* for RC_LOG_SERIOUS */ - -void -init_noklips(void) -{ - return; -} - -/* asynchronous messages from our queue */ -static void -noklips_dequeue(void) -{ -} - -/* asynchronous messages directly from PF_KEY socket */ -static void -noklips_event(void) -{ -} - -static void -noklips_register_response(const struct sadb_msg *msg UNUSED) -{ -} - -static void -noklips_register(void) -{ -} - -static bool -noklips_raw_eroute(const ip_address *this_host UNUSED - , const ip_subnet *this_client UNUSED - , const ip_address *that_host UNUSED - , const ip_subnet *that_client UNUSED - , ipsec_spi_t spi UNUSED - , unsigned int satype UNUSED - , unsigned int transport_proto UNUSED - , const struct pfkey_proto_info *proto_info UNUSED - , time_t use_lifetime UNUSED - , unsigned int op UNUSED - , const char *text_said UNUSED) -{ - return TRUE; -} - -static bool -noklips_add_sa(const struct kernel_sa *sa UNUSED - , bool replace UNUSED) -{ - return TRUE; -} - -static bool -noklips_grp_sa(const struct kernel_sa *sa0 UNUSED - , const struct kernel_sa *sa1 UNUSED) -{ - return TRUE; -} - -static bool -noklips_del_sa(const struct kernel_sa *sa UNUSED) -{ - return TRUE; -} - - -const struct kernel_ops noklips_kernel_ops = { - type: KERNEL_TYPE_NONE, - async_fdp: NULL, - - init: init_noklips, - pfkey_register: noklips_register, - pfkey_register_response: noklips_register_response, - process_queue: noklips_dequeue, - process_msg: noklips_event, - raw_eroute: noklips_raw_eroute, - add_sa: noklips_add_sa, - grp_sa: noklips_grp_sa, - del_sa: noklips_del_sa, - get_sa: NULL, - get_spi: NULL, - inbound_eroute: FALSE, - policy_lifetime: FALSE -}; diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c index 99ba4ff30..77fff2f9e 100644 --- a/src/pluto/kernel_pfkey.c +++ b/src/pluto/kernel_pfkey.c @@ -1,7 +1,9 @@ -/* pfkey interface to the kernel's IPsec mechanism - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2002 D. Hugh Redelmeier. +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2003 Herbert Xu. + * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 1997 Angelos D. Keromytis. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -14,41 +16,29 @@ * for more details. */ -#ifdef KLIPS - #include <errno.h> -#include <fcntl.h> -#include <stddef.h> -#include <stdlib.h> -#include <string.h> #include <unistd.h> #include <sys/select.h> -#include <sys/time.h> #include <sys/socket.h> #include <sys/types.h> -#include <sys/queue.h> #include <freeswan.h> #include <pfkeyv2.h> #include <pfkey.h> #include "constants.h" -#include "defs.h" #include "kernel.h" #include "kernel_pfkey.h" #include "log.h" #include "whack.h" /* for RC_LOG_SERIOUS */ -#include "demux.h" -#include "nat_traversal.h" -#include "alg_info.h" #include "kernel_alg.h" static int pfkeyfd = NULL_FD; typedef u_int32_t pfkey_seq_t; -static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */ +static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */ static pid_t pid; @@ -77,106 +67,19 @@ static sparse_names pfkey_type_names = { { 0, sparse_end } }; -#ifdef NEVER /* not needed yet */ -static sparse_names pfkey_ext_names = { - NE(SADB_EXT_RESERVED), - NE(SADB_EXT_SA), - NE(SADB_EXT_LIFETIME_CURRENT), - NE(SADB_EXT_LIFETIME_HARD), - NE(SADB_EXT_LIFETIME_SOFT), - NE(SADB_EXT_ADDRESS_SRC), - NE(SADB_EXT_ADDRESS_DST), - NE(SADB_EXT_ADDRESS_PROXY), - NE(SADB_EXT_KEY_AUTH), - NE(SADB_EXT_KEY_ENCRYPT), - NE(SADB_EXT_IDENTITY_SRC), - NE(SADB_EXT_IDENTITY_DST), - NE(SADB_EXT_SENSITIVITY), - NE(SADB_EXT_PROPOSAL), - NE(SADB_EXT_SUPPORTED_AUTH), - NE(SADB_EXT_SUPPORTED_ENCRYPT), - NE(SADB_EXT_SPIRANGE), - NE(SADB_X_EXT_KMPRIVATE), - NE(SADB_X_EXT_SATYPE2), - NE(SADB_X_EXT_SA2), - NE(SADB_X_EXT_ADDRESS_DST2), - NE(SADB_X_EXT_ADDRESS_SRC_FLOW), - NE(SADB_X_EXT_ADDRESS_DST_FLOW), - NE(SADB_X_EXT_ADDRESS_SRC_MASK), - NE(SADB_X_EXT_ADDRESS_DST_MASK), - NE(SADB_X_EXT_DEBUG), - { 0, sparse_end } -}; -#endif /* NEVER */ - #undef NE -void -init_pfkey(void) -{ - pid = getpid(); - - /* open PF_KEY socket */ - - pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - - if (pfkeyfd == -1) - exit_log_errno((e, "socket() in init_pfkeyfd()")); - -#ifdef NEVER /* apparently unsupported! */ - if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0) - exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()")); -#endif - if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0) - exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()")); - - DBG(DBG_KLIPS, - DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd)); -} - -/* Kinds of PF_KEY message from the kernel: - * - response to a request from us - * + ACK/NAK - * + Register: indicates transforms supported by kernel - * + SPI requested by getspi - * - Acquire, requesting us to deal with trapped clear packet - * - expiration of of one of our SAs - * - messages to other processes - * - * To minimize the effect on the event-driven structure of Pluto, - * responses are dealt with synchronously. We hope that the Kernel - * produces them synchronously. We must "read ahead" in the PF_KEY - * stream, saving Acquire and Expiry messages that are encountered. - * We ignore messages to other processes. - */ - typedef union { unsigned char bytes[PFKEYv2_MAX_MSGSIZE]; struct sadb_msg msg; } pfkey_buf; -/* queue of unprocessed PF_KEY messages input from kernel - * Note that the pfkey_buf may be partly allocated, reflecting - * the variable length nature of the messages. So the link field - * must come first. - */ -typedef struct pfkey_item { - struct pfkey_item *next; - pfkey_buf buf; - } pfkey_item; - -static pfkey_item *pfkey_iq_head = NULL; /* oldest */ -static pfkey_item *pfkey_iq_tail; /* youngest */ - static bool pfkey_input_ready(void) { - fd_set readfds; int ndes; - struct timeval tm; - - tm.tv_sec = 0; /* don't wait at all */ - tm.tv_usec = 0; + fd_set readfds; + struct timeval tm = { .tv_sec = 0 }; /* don't wait, polling */ FD_ZERO(&readfds); /* we only care about pfkeyfd */ FD_SET(pfkeyfd, &readfds); @@ -190,16 +93,16 @@ pfkey_input_ready(void) log_errno((e, "select() failed in pfkey_get()")); return FALSE; } - - if (ndes == 0) + else if (ndes == 0) + { return FALSE; /* nothing to read */ - + } passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds)); return TRUE; } /* get a PF_KEY message from kernel. - * Returns TRUE is message found, FALSE if no message pending, + * Returns TRUE if message found, FALSE if no message pending, * and aborts or keeps trying when an error is encountered. * The only validation of the message is that the message length * received matches that in the message header, and that the message @@ -216,48 +119,48 @@ pfkey_get(pfkey_buf *buf) ssize_t len; if (!pfkey_input_ready()) + { return FALSE; + } len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes)); if (len < 0) { if (errno == EAGAIN) + { return FALSE; - + } log_errno((e, "read() failed in pfkey_get()")); return FALSE; } - else if ((size_t) len < sizeof(buf->msg)) + else if ((size_t)len < sizeof(buf->msg)) { - plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message" - , (int) len); + plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring", + (int)len); } - else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN) + else if ((size_t)len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN) { - plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message" - , (int) len - , (unsigned) buf->msg.sadb_msg_len - , (unsigned) IPSEC_PFKEYv2_ALIGN); + plog("pfkey_get read PF_KEY message with length %d that doesn't" + " equal sadb_msg_len %u * %u; ignoring message", (int)len, + (unsigned)buf->msg.sadb_msg_len, (unsigned)IPSEC_PFKEYv2_ALIGN); } - else if (!(buf->msg.sadb_msg_pid == (unsigned)pid - || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE) - || (buf->msg.sadb_msg_type == SADB_REGISTER) - || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING))) + else if (buf->msg.sadb_msg_pid != (unsigned)pid) { /* not for us: ignore */ - DBG(DBG_KLIPS, - DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u" - , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type) - , buf->msg.sadb_msg_seq - , buf->msg.sadb_msg_pid)); + DBG(DBG_KERNEL, + DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process" + " %u", sparse_val_show(pfkey_type_names, + buf->msg.sadb_msg_type), + buf->msg.sadb_msg_seq, buf->msg.sadb_msg_pid)); } else { - DBG(DBG_KLIPS, - DBG_log("pfkey_get: %s message %u" - , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type) - , buf->msg.sadb_msg_seq)); + DBG(DBG_KERNEL, + DBG_log("pfkey_get: %s message %u", + sparse_val_show(pfkey_type_names, + buf->msg.sadb_msg_type), + buf->msg.sadb_msg_seq)); return TRUE; } } @@ -269,285 +172,49 @@ pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq) { while (pfkey_get(buf)) { - if (buf->msg.sadb_msg_pid == (unsigned)pid - && buf->msg.sadb_msg_seq == seq) + if (buf->msg.sadb_msg_seq == seq) { return TRUE; } - else - { - /* Not for us: queue it. */ - size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN; - pfkey_item *it = malloc(offsetof(pfkey_item, buf) + bl); - - memcpy(&it->buf, buf, bl); - - it->next = NULL; - if (pfkey_iq_head == NULL) - { - pfkey_iq_head = it; - } - else - { - pfkey_iq_tail->next = it; - } - pfkey_iq_tail = it; - } } return FALSE; } -/* Process a SADB_REGISTER message from the kernel. - * This will be a response to one of ours, but it may be asynchronous - * (if kernel modules are loaded and unloaded). - * Some sanity checking has already been performed. - */ -static void -klips_pfkey_register_response(const struct sadb_msg *msg) -{ - /* Find out what the kernel can support. - * In fact, the only question at the moment - * is whether it can support IPcomp. - * So we ignore the rest. - * ??? we really should pay attention to what transforms are supported. - */ - switch (msg->sadb_msg_satype) - { - case SADB_SATYPE_AH: - break; - case SADB_SATYPE_ESP: -#ifndef NO_KERNEL_ALG - kernel_alg_register_pfkey(msg, sizeof (pfkey_buf)); -#endif - break; - case SADB_X_SATYPE_COMP: - /* ??? There ought to be an extension to list the - * supported algorithms, but RFC 2367 doesn't - * list one for IPcomp. KLIPS uses SADB_X_CALG_DEFLATE. - * Since we only implement deflate, we'll assume this. - */ - can_do_IPcomp = TRUE; - break; - case SADB_X_SATYPE_IPIP: - break; - default: - break; - } -} - -/* Processs a SADB_ACQUIRE message from KLIPS. - * Try to build an opportunistic connection! - * See RFC 2367 "PF_KEY Key Management API, Version 2" 3.1.6 - * <base, address(SD), (address(P)), (identity(SD),) (sensitivity,) proposal> - * - extensions for source and data IP addresses - * - optional extensions for identity [not useful for us?] - * - optional extension for sensitivity [not useful for us?] - * - expension for proposal [not useful for us?] - * - * ??? We must use the sequence number in creating an SA. - * We actually need to create up to 4 SAs each way. Which one? - * I guess it depends on the protocol present in the sadb_msg_satype. - * For now, we'll ignore this requirement. - * - * ??? We need some mechanism to make sure that multiple ACQUIRE messages - * don't cause a whole bunch of redundant negotiations. - */ -static void -process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1]) -{ - struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC]; - struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST]; - int src_proto = srcx->sadb_address_proto; - int dst_proto = dstx->sadb_address_proto; - ip_address *src = (ip_address*)&srcx[1]; - ip_address *dst = (ip_address*)&dstx[1]; - ip_subnet ours, his; - err_t ugh = NULL; - - /* assumption: we're only catching our own outgoing packets - * so source is our end and destination is the other end. - * Verifying this is not actually convenient. - * - * This stylized control structure yields a complaint or - * desired results. For compactness, a pointer value is - * treated as a boolean. Logically, the structure is: - * keep going as long as things are OK. - */ - if (buf->msg.sadb_msg_pid == 0 /* we only wish to hear from kernel */ - && !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ") - && !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types") - && !(ugh = addrtosubnet(src, &ours)) - && !(ugh = addrtosubnet(dst, &his))) - record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire"); - - if (ugh != NULL) - plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh); - -} - -/* Handle PF_KEY messages from the kernel that are not dealt with - * synchronously. In other words, all but responses to PF_KEY messages - * that we sent. - */ -static void -pfkey_async(pfkey_buf *buf) -{ - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - - if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT)) - { - plog("pfkey_async:" - " unparseable PF_KEY message:" - " %s len=%d, errno=%d, seq=%d, pid=%d; message ignored" - , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type) - , buf->msg.sadb_msg_len - , buf->msg.sadb_msg_errno - , buf->msg.sadb_msg_seq - , buf->msg.sadb_msg_pid); - } - else - { - DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:" - " %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u" - , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type) - , buf->msg.sadb_msg_len - , buf->msg.sadb_msg_errno - , buf->msg.sadb_msg_satype - , buf->msg.sadb_msg_seq - , buf->msg.sadb_msg_pid)); - - switch (buf->msg.sadb_msg_type) - { - case SADB_REGISTER: - kernel_ops->pfkey_register_response(&buf->msg); - break; - case SADB_ACQUIRE: - /* to simulate loss of ACQUIRE, delete this call */ - process_pfkey_acquire(buf, extensions); - break; - case SADB_X_NAT_T_NEW_MAPPING: - process_pfkey_nat_t_new_mapping(&(buf->msg), extensions); - break; - default: - /* ignored */ - break; - } - } -} - -/* asynchronous messages from our queue */ -static void -pfkey_dequeue(void) -{ - while (pfkey_iq_head != NULL) - { - pfkey_item *it = pfkey_iq_head; - - pfkey_async(&it->buf); - pfkey_iq_head = it->next; - free(it); - } - - /* Handle any orphaned holds, but only if no pfkey input is pending. - * For each, we initiate Opportunistic. - * note: we don't need to advance the pointer because - * record_and_initiate_opportunistic will remove the current - * record each time we call it. - */ - while (orphaned_holds != NULL && !pfkey_input_ready()) - record_and_initiate_opportunistic(&orphaned_holds->ours - , &orphaned_holds->his - , orphaned_holds->transport_proto - , "%hold found-pfkey"); - -} - -/* asynchronous messages directly from PF_KEY socket */ -static void -pfkey_event(void) -{ - pfkey_buf buf; - - if (pfkey_get(&buf)) - pfkey_async(&buf); -} - static bool -pfkey_build(int error -, const char *description -, const char *text_said -, struct sadb_ext *extensions[SADB_EXT_MAX + 1]) +pfkey_build(int error, const char *description, const char *text_said, + struct sadb_ext *extensions[SADB_EXT_MAX + 1]) { - if (error == 0) - { - return TRUE; - } - else + if (error != 0) { - loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d" - , description, text_said, error); + loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d", description, + text_said, error); pfkey_extensions_free(extensions); return FALSE; } + return TRUE; } /* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */ static bool -pfkey_msg_start(u_int8_t msg_type -, u_int8_t satype -, const char *description -, const char *text_said -, struct sadb_ext *extensions[SADB_EXT_MAX + 1]) +pfkey_msg_start(u_int8_t msg_type, u_int8_t satype, const char *description, + const char *text_said, + struct sadb_ext *extensions[SADB_EXT_MAX + 1]) { pfkey_extensions_init(extensions); - return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type - , satype, 0, ++pfkey_seq, pid) - , description, text_said, extensions); -} - -/* pfkey_build + pfkey_address_build */ -static bool -pfkeyext_address(u_int16_t exttype -, const ip_address *address -, const char *description -, const char *text_said -, struct sadb_ext *extensions[SADB_EXT_MAX + 1]) -{ - /* the following variable is only needed to silence - * a warning caused by the fact that the argument - * to sockaddrof is NOT pointer to const! - */ - ip_address t = *address; - - return pfkey_build(pfkey_address_build(extensions + exttype - , exttype, 0, 0, sockaddrof(&t)) - , description, text_said, extensions); -} - -/* pfkey_build + pfkey_x_protocol_build */ -static bool -pfkeyext_protocol(int transport_proto -, const char *description -, const char *text_said -, struct sadb_ext *extensions[SADB_EXT_MAX + 1]) -{ - return (transport_proto == 0)? TRUE - : pfkey_build( - pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto) - , description, text_said, extensions); + return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type, satype, 0, + ++pfkey_seq, pid), + description, text_said, extensions); } - /* Finish (building, sending, accepting response for) PF_KEY message. * If response isn't NULL, the response from the kernel will be * placed there (and its errno field will not be examined). * Returns TRUE iff all appears well. */ static bool -finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1] -, const char *description -, const char *text_said -, pfkey_buf *response) +finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1], + const char *description, const char *text_said, + pfkey_buf *response) { struct sadb_msg *pfkey_msg; bool success = TRUE; @@ -557,368 +224,157 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1] if (error != 0) { - loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d" - , description, text_said, error); + loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d", + description, text_said, error); success = FALSE; } else { size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN; - DBG(DBG_KLIPS, - DBG_log("finish_pfkey_msg: %s message %u for %s %s" - , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type) - , pfkey_msg->sadb_msg_seq - , description, text_said); + DBG(DBG_KERNEL, + DBG_log("finish_pfkey_msg: %s message %u for %s %s", + sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type), + pfkey_msg->sadb_msg_seq, description, text_said); DBG_dump(NULL, (void *) pfkey_msg, len)); - if (!no_klips) - { - ssize_t r = write(pfkeyfd, pfkey_msg, len); + ssize_t r = write(pfkeyfd, pfkey_msg, len); - if (r != (ssize_t)len) + if (r != (ssize_t)len) + { + if (r < 0) { - if (r < 0) - { - log_errno((e - , "pfkey write() of %s message %u" - " for %s %s failed" - , sparse_val_show(pfkey_type_names - , pfkey_msg->sadb_msg_type) - , pfkey_msg->sadb_msg_seq - , description, text_said)); - } - else - { - loglog(RC_LOG_SERIOUS - , "ERROR: pfkey write() of %s message %u" - " for %s %s truncated: %ld instead of %ld" - , sparse_val_show(pfkey_type_names - , pfkey_msg->sadb_msg_type) - , pfkey_msg->sadb_msg_seq - , description, text_said - , (long)r, (long)len); - } - success = FALSE; + log_errno((e, "pfkey write() of %s message %u for %s %s" + " failed", sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, + description, text_said)); + } + else + { + loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message" + " %u for %s %s truncated: %ld instead of %ld", + sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, + description, text_said, (long)r, (long)len); + } + success = FALSE; - /* if we were compiled with debugging, but we haven't already - * dumped the KLIPS command, do so. - */ + /* if we were compiled with debugging, but we haven't already + * dumped the command, do so. + */ #ifdef DEBUG - if ((cur_debugging & DBG_KLIPS) == 0) - DBG_dump(NULL, (void *) pfkey_msg, len); + if ((cur_debugging & DBG_KERNEL) == 0) + DBG_dump(NULL, (void *) pfkey_msg, len); #endif + } + else + { + /* Check response from kernel. + * It ought to be an echo, perhaps with additional info. + * If the caller wants it, response will point to space. + */ + pfkey_buf b; + pfkey_buf *bp = response != NULL? response : &b; + + if (!pfkey_get_response(bp, + ((struct sadb_msg *)extensions[0])->sadb_msg_seq)) + { + loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s" + " message for %s %s", sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), description, text_said); + success = FALSE; } - else + else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type) { - /* Check response from KLIPS. - * It ought to be an echo, perhaps with additional info. - * If the caller wants it, response will point to space. - */ - pfkey_buf b; - pfkey_buf *bp = response != NULL? response : &b; - - if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq)) - { - loglog(RC_LOG_SERIOUS - , "ERROR: no response to our PF_KEY %s message for %s %s" - , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type) - , description, text_said); - success = FALSE; - } - else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type) - { - loglog(RC_LOG_SERIOUS - , "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)" - , sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type) - , description, text_said - , sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type)); - success = FALSE; - } - else if (response == NULL && bp->msg.sadb_msg_errno != 0) - { - /* KLIPS is signalling a problem */ - loglog(RC_LOG_SERIOUS - , "ERROR: PF_KEY %s response for %s %s included errno %u: %s" - , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type) - , description, text_said - , (unsigned) bp->msg.sadb_msg_errno - , strerror(bp->msg.sadb_msg_errno)); - success = FALSE; - } + loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s" + " message for %s %s was of wrong type (%s)", + sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type), + description, text_said, sparse_val_show(pfkey_type_names, + bp->msg.sadb_msg_type)); + success = FALSE; + } + else if (response == NULL && bp->msg.sadb_msg_errno != 0) + { + /* Kernel is signalling a problem */ + loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s" + " included errno %u: %s", + sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), description, text_said, + (unsigned) bp->msg.sadb_msg_errno, + strerror(bp->msg.sadb_msg_errno)); + success = FALSE; } } } - - /* all paths must exit this way to free resources */ pfkey_extensions_free(extensions); pfkey_msg_free(&pfkey_msg); return success; } -/* register SA types that can be negotiated */ -void -pfkey_register_proto(unsigned satype, const char *satypename) +/* Process a SADB_REGISTER message from the kernel. + * This will be a response to one of ours, but it may be asynchronous + * (if kernel modules are loaded and unloaded). + * Some sanity checking has already been performed. + */ +static void +pfkey_register_response(const struct sadb_msg *msg) { - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - pfkey_buf pfb; - - if (!(pfkey_msg_start(SADB_REGISTER - , satype - , satypename, NULL, extensions) - && finish_pfkey_msg(extensions, satypename, "", &pfb))) - { - /* ??? should this be loglog */ - plog("no KLIPS support for %s", satypename); - } - else + /* Find out what the kernel can support. + */ + switch (msg->sadb_msg_satype) { - kernel_ops->pfkey_register_response(&pfb.msg); - DBG(DBG_KLIPS, - DBG_log("%s registered with kernel.", satypename)); + case SADB_SATYPE_ESP: +#ifndef NO_KERNEL_ALG + kernel_alg_register_pfkey(msg, sizeof (pfkey_buf)); +#endif + break; + case SADB_X_SATYPE_IPCOMP: + /* ??? There ought to be an extension to list the + * supported algorithms, but RFC 2367 doesn't + * list one for IPcomp. + */ + can_do_IPcomp = TRUE; + break; + default: + break; } } +/** register SA types that can be negotiated */ static void -klips_pfkey_register(void) -{ - pfkey_register_proto(SADB_SATYPE_AH, "AH"); - pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); - can_do_IPcomp = FALSE; /* until we get a response from KLIPS */ - pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP"); - pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP"); -} - -static bool -pfkey_raw_eroute(const ip_address *this_host - , const ip_subnet *this_client - , const ip_address *that_host - , const ip_subnet *that_client - , ipsec_spi_t spi - , unsigned int satype - , unsigned int transport_proto - , const struct pfkey_proto_info *proto_info UNUSED - , time_t use_lifetime UNUSED - , unsigned int op - , const char *text_said) +pfkey_register_proto(unsigned satype, const char *satypename) { struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - ip_address - sflow_ska, - dflow_ska, - smask_ska, - dmask_ska; - int sport = ntohs(portof(&this_client->addr)); - int dport = ntohs(portof(&that_client->addr)); - - networkof(this_client, &sflow_ska); - maskof(this_client, &smask_ska); - setportof(sport ? ~0:0, &smask_ska); - - networkof(that_client, &dflow_ska); - maskof(that_client, &dmask_ska); - setportof(dport ? ~0:0, &dmask_ska); - - if (!pfkey_msg_start(op & ERO_MASK, satype - , "pfkey_msg_hdr flow", text_said, extensions)) - { - return FALSE; - } - - if (op != ERO_DELETE) - { - if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA] - , SADB_EXT_SA - , spi /* in network order */ - , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT) - , "pfkey_sa add flow", text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host - , "pfkey_addr_s add flow", text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host - , "pfkey_addr_d add flow", text_said - , extensions))) - { - return FALSE; - } - } - - if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska - , "pfkey_addr_sflow", text_said, extensions)) - { - return FALSE; - } - - if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska - , "pfkey_addr_dflow", text_said, extensions)) - { - return FALSE; - } - - if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska - , "pfkey_addr_smask", text_said, extensions)) - { - return FALSE; - } + pfkey_buf pfb; - if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska - , "pfkey_addr_dmask", text_said, extensions)) + if (!(pfkey_msg_start(SADB_REGISTER, satype, satypename, NULL, extensions) + && finish_pfkey_msg(extensions, satypename, "", &pfb))) { - return FALSE; + /* ??? should this be loglog */ + plog("no kernel support for %s", satypename); } - - if (!pfkeyext_protocol(transport_proto - , "pfkey_x_protocol", text_said, extensions)) + else { - return FALSE; + pfkey_register_response(&pfb.msg); + DBG(DBG_KERNEL, + DBG_log("%s registered with kernel.", satypename)); } - - return finish_pfkey_msg(extensions, "flow", text_said, NULL); -} - -static bool -pfkey_add_sa(const struct kernel_sa *sa, bool replace) -{ - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - - return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype - , "pfkey_msg_hdr Add SA", sa->text_said, extensions) - - && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA] - , SADB_EXT_SA - , sa->spi /* in network order */ - , sa->replay_window, SADB_SASTATE_MATURE - , sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0) - , "pfkey_sa Add SA", sa->text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src - , "pfkey_addr_s Add SA", sa->text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst - , "pfkey_addr_d Add SA", sa->text_said, extensions) - - && (sa->authkeylen == 0 - || pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH] - , SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE - , sa->authkey) - , "pfkey_key_a Add SA", sa->text_said, extensions)) - - && (sa->enckeylen == 0 - || pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT] - , SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE - , sa->enckey) - , "pfkey_key_e Add SA", sa->text_said, extensions)) - - && (sa->natt_type == 0 - || pfkey_build(pfkey_x_nat_t_type_build( - &extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type), - "pfkey_nat_t_type Add ESP SA", sa->text_said, extensions)) - && (sa->natt_sport == 0 - || pfkey_build(pfkey_x_nat_t_port_build( - &extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT, - sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said, - extensions)) - && (sa->natt_dport == 0 - || pfkey_build(pfkey_x_nat_t_port_build( - &extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT, - sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said, - extensions)) - && (sa->natt_type == 0 || isanyaddr(sa->natt_oa) - || pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa - , "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions)) - - && finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL); - -} - -static bool -pfkey_grp_sa(const struct kernel_sa *sa0, const struct kernel_sa *sa1) -{ - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - - return pfkey_msg_start(SADB_X_GRPSA, sa1->satype - , "pfkey_msg_hdr group", sa1->text_said, extensions) - - && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA] - , SADB_EXT_SA - , sa1->spi /* in network order */ - , 0, 0, 0, 0, 0) - , "pfkey_sa group", sa1->text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst - , "pfkey_addr_d group", sa1->text_said, extensions) - - && pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2] - , sa0->satype) - , "pfkey_satype group", sa0->text_said, extensions) - - && pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2] - , SADB_X_EXT_SA2 - , sa0->spi /* in network order */ - , 0, 0, 0, 0, 0) - , "pfkey_sa2 group", sa0->text_said, extensions) - - && pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst - , "pfkey_addr_d2 group", sa0->text_said, extensions) - - && finish_pfkey_msg(extensions, "group", sa1->text_said, NULL); -} - -static bool -pfkey_del_sa(const struct kernel_sa *sa) -{ - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - - return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto) - , "pfkey_msg_hdr delete SA", sa->text_said, extensions) - - && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA] - , SADB_EXT_SA - , sa->spi /* in host order */ - , 0, SADB_SASTATE_MATURE, 0, 0, 0) - , "pfkey_sa delete SA", sa->text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src - , "pfkey_addr_s delete SA", sa->text_said, extensions) - - && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst - , "pfkey_addr_d delete SA", sa->text_said, extensions) - - && finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL); } void -pfkey_close(void) +pfkey_register(void) { - while (pfkey_iq_head != NULL) - { - pfkey_item *it = pfkey_iq_head; + pid = getpid(); - pfkey_iq_head = it->next; - free(it); + pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); + if (pfkeyfd == -1) + { + exit_log_errno((e, "socket() in init_pfkeyfd()")); } + pfkey_register_proto(SADB_SATYPE_AH, "AH"); + pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); + pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP"); + close(pfkeyfd); - pfkeyfd = NULL_FD; } - -const struct kernel_ops klips_kernel_ops = { - type: KERNEL_TYPE_KLIPS, - async_fdp: &pfkeyfd, - - pfkey_register: klips_pfkey_register, - pfkey_register_response: klips_pfkey_register_response, - process_queue: pfkey_dequeue, - process_msg: pfkey_event, - raw_eroute: pfkey_raw_eroute, - add_sa: pfkey_add_sa, - grp_sa: pfkey_grp_sa, - del_sa: pfkey_del_sa, - get_sa: NULL, - get_spi: NULL, - inbound_eroute: FALSE, - policy_lifetime: FALSE, - init: NULL -}; -#endif /* KLIPS */ diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h index ad20a5888..b50ad6c37 100644 --- a/src/pluto/kernel_pfkey.h +++ b/src/pluto/kernel_pfkey.h @@ -1,6 +1,6 @@ -/* declarations of routines that interface with the kernel's pfkey mechanism - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * Copyright (C) 2003 Herbert Xu +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -13,9 +13,8 @@ * for more details. */ -#ifdef KLIPS -extern void init_pfkey(void); -extern void pfkey_register_proto(unsigned satype, const char *satypename); -extern void pfkey_close(void); -extern const struct kernel_ops klips_kernel_ops; -#endif +/** + * Register our capabilities via PF_KEY, also learn the kernel's capabilities, + * i.e. the supported algorithms. + */ +void pfkey_register(); diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 6db757ba7..a79c2c0d2 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -37,6 +37,8 @@ #include <library.h> #include <asn1/asn1.h> #include <credentials/certificates/pgp_certificate.h> +#include <credentials/sets/mem_cred.h> +#include <credentials/sets/callback_cred.h> #include "constants.h" #include "defs.h" @@ -539,6 +541,128 @@ end: return ugh; } +/* struct used to prompt for a secret passphrase + * from a console with file descriptor fd + */ +typedef struct { + char secret[PROMPT_PASS_LEN+1]; + bool prompt; + int fd; + int try; +} prompt_pass_t; + +/** + * Passphrase callback to read from whack fd + */ +static shared_key_t* whack_pass_cb(prompt_pass_t *pass, shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) +{ + int n; + + if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS) + { + return NULL; + } + + if (pass->try > MAX_PROMPT_PASS_TRIALS) + { + whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials"); + return NULL; + } + if (pass->try == 1) + { + whack_log(RC_ENTERSECRET, "need passphrase for 'private key'"); + } + else + { + whack_log(RC_ENTERSECRET, "invalid passphrase, please try again"); + } + pass->try++; + + n = read(pass->fd, pass->secret, PROMPT_PASS_LEN); + if (n == -1) + { + whack_log(RC_LOG_SERIOUS, "read(whackfd) failed"); + return NULL; + } + pass->secret[n-1] = '\0'; + + if (strlen(pass->secret) == 0) + { + whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted"); + return NULL; + } + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(SHARED_PRIVATE_KEY_PASS, + chunk_clone(chunk_create(pass->secret, strlen(pass->secret)))); +} + +/** + * Loads a PKCS#1 or PGP private key file + */ +static private_key_t* load_private_key(char* filename, prompt_pass_t *pass, + key_type_t type) +{ + private_key_t *key = NULL; + char *path; + + path = concatenate_paths(PRIVATE_KEY_PATH, filename); + if (pass && pass->prompt && pass->fd != NULL_FD) + { /* use passphrase callback */ + callback_cred_t *cb; + + cb = callback_cred_create_shared((void*)whack_pass_cb, pass); + lib->credmgr->add_local_set(lib->credmgr, &cb->set); + + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, + BUILD_FROM_FILE, path, BUILD_END); + lib->credmgr->remove_local_set(lib->credmgr, &cb->set); + cb->destroy(cb); + if (key) + { + whack_log(RC_SUCCESS, "valid passphrase"); + } + } + else if (pass) + { /* use a given passphrase */ + mem_cred_t *mem; + shared_key_t *shared; + + mem = mem_cred_create(); + lib->credmgr->add_local_set(lib->credmgr, &mem->set); + shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, + chunk_clone(chunk_create(pass->secret, strlen(pass->secret)))); + mem->add_shared(mem, shared, NULL); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, + BUILD_FROM_FILE, path, BUILD_END); + lib->credmgr->remove_local_set(lib->credmgr, &mem->set); + mem->destroy(mem); + } + else + { /* no passphrase */ + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, + BUILD_FROM_FILE, path, BUILD_END); + + } + if (key) + { + plog(" loaded private key from '%s'", filename); + } + else + { + plog(" syntax error in private key file"); + } + return key; +} + /** * process a key file protected with optional passphrase which can either be * read from ipsec.secrets or prompted for by using whack @@ -552,6 +676,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) memset(pass.secret,'\0', sizeof(pass.secret)); pass.prompt = FALSE; pass.fd = whackfd; + pass.try = 1; /* we expect the filename of a PKCS#1 private key file */ @@ -1324,7 +1449,7 @@ void list_public_keys(bool utc) whack_log(RC_COMMENT, " identity: '%Y'", key->id); whack_log(RC_COMMENT, " pubkey: %N %4d bits, until %T %s", key_type_names, public->get_type(public), - public->get_keysize(public) * BITS_PER_BYTE, + public->get_keysize(public), &key->until_time, utc, check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE)); if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) diff --git a/src/pluto/log.c b/src/pluto/log.c index 444ac2220..6e70898a5 100644 --- a/src/pluto/log.c +++ b/src/pluto/log.c @@ -862,9 +862,6 @@ void show_status(bool all, const char *name) } show_connections_status(all, name); show_states_status(all, name); -#ifdef KLIPS - show_shunt_status(); -#endif } /* ip_str: a simple to use variant of addrtot. diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index 0d0cd899c..a2acce23a 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c @@ -419,7 +419,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody, close_output_pbs(&attrval); } enumerator->destroy(enumerator); - close_message(&strattr); + close_output_pbs(&strattr); modecfg_hash(r_hashval, r_hash_start, rbody->cur, st); close_message(rbody); diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c index feedf2aad..5e9353b72 100644 --- a/src/pluto/nat_traversal.c +++ b/src/pluto/nat_traversal.c @@ -1,6 +1,9 @@ -/* FreeS/WAN NAT-Traversal - * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil +/* + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2002-2005 Mathieu Lafon + * Arkoon Network Security * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -24,10 +27,6 @@ #include <signal.h> /* used only if MSG_NOSIGNAL not defined */ #include <sys/queue.h> -#include <freeswan.h> -#include <pfkeyv2.h> -#include <pfkey.h> - #include <library.h> #include <crypto/hashers/hasher.h> @@ -796,80 +795,51 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st) } } -struct _new_klips_mapp_nfo { - struct sadb_sa *sa; - ip_address src, dst; - u_int16_t sport, dport; +struct _new_kernel_mapp_nfo { + u_int32_t reqid; + u_int32_t spi; + ip_address *addr; }; -static void nat_t_new_klips_mapp (struct state *st, void *data) +static void nat_t_new_kernel_mapp (struct state *st, void *data) { connection_t *c = st->st_connection; - struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data; + struct _new_kernel_mapp_nfo *nfo = (struct _new_kernel_mapp_nfo *)data; if (c != NULL && st->st_esp.present - && sameaddr(&c->spd.that.host_addr, &(nfo->src)) - && st->st_esp.our_spi == nfo->sa->sadb_sa_spi) - { - nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port, - &(nfo->dst), nfo->dport); - } -} - -void process_pfkey_nat_t_new_mapping( - struct sadb_msg *msg __attribute__ ((unused)), - struct sadb_ext *extensions[SADB_EXT_MAX + 1]) -{ - struct _new_klips_mapp_nfo nfo; - struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC]; - struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST]; - struct sockaddr *srca, *dsta; - err_t ugh = NULL; - - nfo.sa = (void *) extensions[SADB_EXT_SA]; - - if (!nfo.sa || !srcx || !dstx) + && nfo->spi == st->st_esp.our_spi + && nfo->reqid == c->spd.reqid) { - plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: " - "got NULL params"); - return; - } - - srca = ((struct sockaddr *)(void *)&srcx[1]); - dsta = ((struct sockaddr *)(void *)&dstx[1]); + u_int16_t port = ntohs(portof(nfo->addr)); - if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET) - { - ugh = "only AF_INET supported"; - } - else - { - char text_said[SATOT_BUF]; - char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF]; - ip_said said; - - initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr, - sizeof(((const struct sockaddr_in *)srca)->sin_addr), - srca->sa_family, &(nfo.src)); - nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port); - initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr, - sizeof(((const struct sockaddr_in *)dsta)->sin_addr), - dsta->sa_family, &(nfo.dst)); - nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port); + DBG(DBG_NATT, { + char text_said[SATOT_BUF]; + char olda[ADDRTOT_BUF]; + char newa[ADDRTOT_BUF]; + ip_said said; - DBG(DBG_NATT, - initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said); + initsaid(&c->spd.that.host_addr, nfo->spi, SA_ESP, &said); satot(&said, 0, text_said, SATOT_BUF); - addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF); - addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF); - DBG_log("new klips mapping %s %s:%d %s:%d", - text_said, _srca, nfo.sport, _dsta, nfo.dport); - ) + addrtot(&c->spd.that.host_addr, 0, olda, ADDRTOT_BUF); + addrtot(nfo->addr, 0, newa, ADDRTOT_BUF); + + DBG_log("new kernel mapping %s %s:%d %s:%d", + text_said, olda, c->spd.that.host_port, newa, port); + }) - for_each_state((void *)nat_t_new_klips_mapp, &nfo); + nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port, + nfo->addr, port); } +} - if (ugh != NULL) - plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh); +void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi, + ip_address *new_end) +{ + struct _new_kernel_mapp_nfo nfo = { + .reqid = reqid, + .spi = spi, + .addr = new_end, + }; + for_each_state((void *)nat_t_new_kernel_mapp, &nfo); } diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h index 98b0a2bc0..80bdaf787 100644 --- a/src/pluto/nat_traversal.h +++ b/src/pluto/nat_traversal.h @@ -1,5 +1,8 @@ -/* FreeS/WAN NAT-Traversal - * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2002-2003 Mathieu Lafon + * Arkoon Network Security * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -115,11 +118,8 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st); /** * New NAT mapping */ -#ifdef __PFKEY_V2_H -void process_pfkey_nat_t_new_mapping( - struct sadb_msg *, - struct sadb_ext *[SADB_EXT_MAX + 1]); -#endif +void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi, + ip_address *new_end); /** * IKE port floating diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c index c0fd041a7..10b2a4d5a 100644 --- a/src/pluto/pkcs7.c +++ b/src/pluto/pkcs7.c @@ -407,7 +407,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data, } break; case PKCS7_ENCRYPTED_KEY: - if (!key->decrypt(key, object, &symmetric_key)) + if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key)) { DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa"); goto end; @@ -473,7 +473,7 @@ end: DBG1(DBG_LIB, "symmetric key length %d is wrong", symmetric_key.len); goto failed; } - if (iv.len != crypter->get_block_size(crypter)) + if (iv.len != crypter->get_iv_size(crypter)) { DBG1(DBG_LIB, "IV length %d is wrong", iv.len); goto failed; @@ -668,7 +668,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg rng->destroy(rng); rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv); + rng->allocate_bytes(rng, crypter->get_iv_size(crypter), &iv); DBG4(DBG_LIB, "initialization vector: %B", &iv); rng->destroy(rng); } @@ -710,7 +710,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg chunk_free(&out); return chunk_empty; } - key->encrypt(key, symmetricKey, &protectedKey); + key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey); key->destroy(key); } diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in index 13749e5af..b2ffb11db 100644 --- a/src/pluto/plugins/xauth/Makefile.in +++ b/src/pluto/plugins/xauth/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -163,6 +164,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -194,14 +197,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -216,24 +222,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -241,7 +254,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index b80d13772..58cb15091 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -15,7 +15,6 @@ ipsec pluto \fIfilename\fP] [\-\-nofork] [\-\-stderrlog] -[\-\-noklips] [\-\-uniqueids] [\fB\-\-interface\fP \fIinterfacename\fP] [\-\-ikeport\ \c @@ -37,7 +36,7 @@ ipsec pluto [\-\-debug\(hyemitting] [\-\-debug\(hycontrol] [\-\-debug\(hylifecycle] -[\-\-debug\(hyklips] +[\-\-debug\(hykernel] [\-\-debug\(hydns] [\-\-debug\(hyoppo] [\-\-debug\(hyprivate] @@ -209,7 +208,7 @@ ipsec whack [\-\-debug\(hyemitting] [\-\-debug\(hycontrol] [\-\-debug\(hylifecycle] -[\-\-debug\(hyklips] +[\-\-debug\(hykernel] [\-\-debug\(hydns] [\-\-debug\(hyoppo] [\-\-debug\(hyprivate] @@ -256,10 +255,7 @@ In other words, .BR pluto can eliminate much of the work of manual keying. The actual -secure transmission of packets is the responsibility of other parts of -the system (see -.BR KLIPS , -the companion implementation of IPsec). +secure transmission of packets is the responsibility of the Linux kernel. \fIipsec_auto\fP(8) provides a more convenient interface to \fBpluto\fP and \fBwhack\fP. .SS IKE's Job @@ -314,8 +310,8 @@ are considered policy and are left in the system administrator's hands. .SS Pluto .LP \fBpluto\fP is an implementation of IKE. It runs as a daemon on a network -node. Currently, this network node must be a LINUX system running the -\fBKLIPS\fP implementation of IPsec. +node. Currently, this network node must be a Linux 2.6 system running the +native \fBNETKEY\fP IPsec stack. .LP \fBpluto\fP only implements a subset of IKE. This is enough for it to interoperate with other instances of \fBpluto\fP, and many other IKE @@ -331,13 +327,13 @@ peers with whom it is negotiating. .LP \fBpluto\fP initiates negotiation of a Security Association when it is manually prodded: the program \fBwhack\fP is run to trigger this. -It will also initiate a negotiation when \fBKLIPS\fP traps an outbound packet -for Opportunistic Encryption. +It will also initiate a negotiation when the Linux kernel traps an outbound +packet for Opportunistic Encryption. .LP \fBpluto\fP implements ISAKMP SAs itself. After it has negotiated the -characteristics of an IPsec SA, it directs \fBKLIPS\fP to implement it. +characteristics of an IPsec SA, it directs the Linux kernel to implement it. It also invokes a script to adjust any firewall and issue \fIroute\fP(8) -commands to direct IP packets through \fBKLIPS\fP. +commands. .LP When \fBpluto\fP shuts down, it closes all Security Associations. .SS Before Running Pluto @@ -345,8 +341,8 @@ When \fBpluto\fP shuts down, it closes all Security Associations. \fBpluto\fP runs as a daemon with userid root. Before running it, a few things must be set up. .LP -\fBpluto\fP requires \fBKLIPS\fP, the FreeS/WAN implementation of IPsec. -All of the components of \fBKLIPS\fP and \fBpluto\fP should be installed. +\fBpluto\fP requires a Linux 2.6 kernel with the modules for the native IPsec +stack enabled. .LP \fBpluto\fP supports multiple public networks (that is, networks that are considered insecure and thus need to have their traffic @@ -355,11 +351,8 @@ public interfaces to use by looking at all interfaces that are configured (the \fB\-\-interface\fP option can be used to limit the interfaces considered). It does this only when \fBwhack\fP tells it to \-\-listen, -so the interfaces must be configured by then. Each interface with a name of the form -\fBipsec\fP[\fB0\fP-\fB9\fP] is taken as a \fBKLIPS\fP virtual public interface. -Another network interface with the same IP address (there should be only -one) is taken as the corresponding real public -interface. \fIifconfig\fP(8) with the \fB\-a\fP flag will show +so the interfaces must be configured by then. +\fIifconfig\fP(8) with the \fB\-a\fP flag will show the name and status of each network interface. .LP \fBpluto\fP requires a database of preshared secrets and RSA private keys. @@ -368,33 +361,6 @@ This is described in the \fBpluto\fP is told of RSA public keys via \fBwhack\fP commands. If the connection is Opportunistic, and no RSA public key is known, \fBpluto\fP will attempt to fetch RSA keys using the Domain Name System. -.SS Setting up \fBKLIPS\fP for \fBpluto\fP -.LP -The most basic network topology that \fBpluto\fP supports has two security -gateways negotiating on behalf of client subnets. The diagram of RGB's -testbed is a good example (see \fIklips/doc/rgb_setup.txt\fP). -.LP -The file \fIINSTALL\fP in the base directory of this distribution -explains how to start setting up the whole system, including \fBKLIPS\fP. -.LP -Make sure that the security gateways have routes to each other. This -is usually covered by the default route, but may require issuing -.IR route (8) -commands. The route must go through a particular IP -interface (we will assume it is \fIeth0\fP, but it need not be). The -interface that connects the security gateway to its client must be a -different one. -.LP -It is necessary to issue a -.IR ipsec_tncfg (8) -command on each gateway. The required command is: - -\ \ \ ipsec tncfg \-\-attach\ \-\-virtual\ ipsec0 \-\-physical\ eth0 - -A command to set up the ipsec0 virtual interface will also need to be -run. It will have the same parameters as the command used to set up -the physical interface to which it has just been connected using -.IR ipsec_tncfg (8). .SS ipsec.secrets file .LP A \fBpluto\fP daemon and another IKE daemon (for example, another instance @@ -473,13 +439,6 @@ corresponding to a particular connection. Often there is one representing an ISAKMP SA and another representing an IPsec SA. .LP -\fBKLIPS\fP hooks into the routing code in a LINUX kernel. -Traffic to be processed by an IPsec SA must be directed through -\fBKLIPS\fP by routing commands. Furthermore, the processing to be -done is specified by \fIipsec eroute(8)\fP commands. -\fBpluto\fP takes the responsibility of managing both of these special -kinds of routes. -.LP Each connection may be routed, and must be while it has an IPsec SA. The connection specifies the characteristics of the route: the interface on this machine, the ``gateway'' (the nexthop), @@ -519,9 +478,9 @@ SA for the same connection already has an eroute, all its outgoing traffic is taken over by the new eroute. The incoming traffic will still be processed. This characteristic is exploited during rekeying. .LP -All of these routing characteristics are expected change when -\fBKLIPS\fP is modified to use the firewall hooks in the LINUX 2.4.x -kernel. +Some of these routing characteristics are specific to \fBKLIPS\fP, the FreeS/WAN +implementation of IPsec and are not relevant when running pluto on the native +Linux 2.6 IPsec stack. .SS Using Whack .LP \fBwhack\fP is used to command a running \fBpluto\fP. @@ -691,7 +650,7 @@ Note that this has nothing to do with IKE authentication. .TP \fB\-\-compress\fP All proposed IPsec SAs will include IPCOMP (compression). -This will be ignored if KLIPS is not configured with IPCOMP support. +This will be ignored if the kernel is not configured with IPCOMP support. .TP \fB\-\-tunnel\fP the IPsec SA should use tunneling. Implicit if the SA is for clients. @@ -1304,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the lock file and control socket are created, print the line ``Pluto initialized'' to standard out. .TP -\fB\-\-noklips\fP -don't actually implement negotiated IPsec SAs -.TP \fB\-\-uniqueids\fP if this option has been selected, whenever a new ISAKMP SA is established, any connection with the same Peer ID but a different @@ -1317,12 +1273,6 @@ then regained at another IP address. \fB\-\-stderrlog\fP log goes to standard out {default is to use \fIsyslogd\fP(8)) .LP -For example -.TP -pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog -.LP -lets one test \fBpluto\fP without using the superuser account. -.LP \fBpluto\fP is willing to produce a prodigious amount of debugging information. To do so, it must be compiled with \-DDEBUG. There are several classes of debugging output, and \fBpluto\fP may be directed to @@ -1351,8 +1301,8 @@ show \fBpluto\fP's decision making \fB\-\-debug-lifecycle\fP [this option is temporary] log more detail of lifecycle of SAs .TP -\fB\-\-debug-klips\fP -show \fBpluto\fP's interaction with \fBKLIPS\fP +\fB\-\-debug-kernel\fP +show \fBpluto\fP's interaction with the kernel .TP \fB\-\-debug-dns\fP show \fBpluto\fP's interaction with \fBDNS\fP for KEY and TXT records @@ -1418,11 +1368,6 @@ system (\fBpluto\fP didn't send a reply because it wasn't happy with the previous message). .SS Notes .LP -If \fBpluto\fP is compiled without \-DKLIPS, it negotiates Security -Associations but never ask the kernel to put them in place and never -makes routing changes. This allows \fBpluto\fP to be tested on systems -without \fBKLIPS\fP, but makes it rather useless. -.LP Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the SA. The IKE protocol lets the destination of the SA choose the SPI. The range 0 to 0xFF is reserved for IANA. @@ -1469,7 +1414,7 @@ component. The selection is controlled by the \-\-encrypt and .IP \(bu Each of these may be combined with IPCOMP Deflate compression, but only if the potential connection specifies compression and only -if KLIPS is configured with IPCOMP support. +if the kernel is configured with IPCOMP support. .IP \(bu The IPSEC SAs may be tunnel or transport mode, where appropriate. The \-\-tunnel flag controls this when \fBpluto\fP is initiating. diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c index e9c7c316b..66fdb30b9 100644 --- a/src/pluto/pluto.c +++ b/src/pluto/pluto.c @@ -41,6 +41,7 @@ pluto_t *pluto; void pluto_deinit() { private_pluto_t *this = (private_pluto_t*)pluto; + this->public.events->destroy(this->public.events); this->public.xauth->destroy(this->public.xauth); free(this); pluto = NULL; @@ -55,6 +56,7 @@ bool pluto_init(char *file) INIT(this, .public = { + .events = event_queue_create(), .xauth = xauth_manager_create(), }, ); diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h index 37e6e3f33..2440093ca 100644 --- a/src/pluto/pluto.h +++ b/src/pluto/pluto.h @@ -31,6 +31,7 @@ typedef struct pluto_t pluto_t; +#include <event_queue.h> #include <xauth/xauth_manager.h> #include <library.h> @@ -41,9 +42,15 @@ typedef struct pluto_t pluto_t; struct pluto_t { /** + * event queue (callbacks, executed by the pluto main thread) + */ + event_queue_t *events; + + /** * manager for payload attributes */ xauth_manager_t *xauth; + }; /** diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 89123bb8a..627176c1b 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -79,6 +79,11 @@ #include "whack_attribute.h" #include "pluto.h" +/** + * Number of threads in the thread pool, if not specified in config. + */ +#define DEFAULT_THREADS 4 + static void usage(const char *mess) { if (mess != NULL && *mess != '\0') @@ -91,7 +96,6 @@ static void usage(const char *mess) " \\\n\t" "[--nofork]" " [--stderrlog]" - " [--noklips]" " [--nocrsend]" " \\\n\t" "[--strictcrlpolicy]" @@ -125,7 +129,7 @@ static void usage(const char *mess) " \\\n\t" "[--debug-control]" " [--debug-lifecycle]" - " [--debug-klips]" + " [--debug-kernel]" " [--debug-dns]" " \\\n\t" "[--debug-oppo]" @@ -295,7 +299,6 @@ int main(int argc, char **argv) { "optionsfrom", required_argument, NULL, '+' }, { "nofork", no_argument, NULL, 'd' }, { "stderrlog", no_argument, NULL, 'e' }, - { "noklips", no_argument, NULL, 'n' }, { "nocrsend", no_argument, NULL, 'c' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, { "crlcheckinterval", required_argument, NULL, 'x'}, @@ -333,7 +336,8 @@ int main(int argc, char **argv) { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET }, { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET }, { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET }, - { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET }, + { "debug-klips", no_argument, NULL, DBG_KERNEL + DBG_OFFSET }, + { "debug-kernel", no_argument, NULL, DBG_KERNEL + DBG_OFFSET }, { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET }, { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET }, { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET }, @@ -396,10 +400,6 @@ int main(int argc, char **argv) log_to_stderr_desired = TRUE; continue; - case 'n': /* --noklips */ - no_klips = TRUE; - continue; - case 'c': /* --nocrsend */ no_cr_send = TRUE; continue; @@ -621,27 +621,19 @@ int main(int argc, char **argv) fflush(stdout); } - /* Close everything but ctl_fd and (if needed) stderr. - * There is some danger that a library that we don't know - * about is using some fd that we don't know about. - * I guess we'll soon find out. + /* Redirect stdin, stdout and stderr to /dev/null */ { - int i; - - for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */ - { - if ((!log_to_stderr || i != 2) && i != ctl_fd) - close(i); - } - - /* make sure that stdin, stdout, stderr are reserved */ - if (open("/dev/null", O_RDONLY) != 0) + int fd; + if ((fd = open("/dev/null", O_RDWR)) == -1) + abort(); + if (dup2(fd, 0) != 0) abort(); - if (dup2(0, 1) != 1) + if (dup2(fd, 1) != 1) abort(); - if (!log_to_stderr && dup2(0, 2) != 2) + if (!log_to_stderr && dup2(fd, 2) != 2) abort(); + close(fd); } init_constants(); @@ -764,6 +756,10 @@ int main(int argc, char **argv) /* loading attribute certificates (experimental) */ ac_load_certs(); + lib->processor->set_threads(lib->processor, + lib->settings->get_int(lib->settings, "pluto.threads", + DEFAULT_THREADS)); + daily_log_event(); call_server(); return -1; /* Shouldn't ever reach this */ @@ -779,11 +775,13 @@ int main(int argc, char **argv) */ void exit_pluto(int status) { + lib->processor->set_threads(lib->processor, 0); reset_globals(); /* needed because we may be called in odd state */ free_preshared_secrets(); free_remembered_public_keys(); delete_every_connection(); whack_attribute_finalize(); /* free in-memory pools */ + kernel_finalize(); fetch_finalize(); /* stop fetching thread */ free_crl_fetch(); /* free chain of crl fetch requests */ free_ocsp_fetch(); /* free chain of ocsp fetch requests */ diff --git a/src/pluto/server.c b/src/pluto/server.c index 21f65f4f8..4d07843c1 100644 --- a/src/pluto/server.c +++ b/src/pluto/server.c @@ -56,6 +56,7 @@ #include "adns.h" /* needs <resolv.h> */ #include "dnskey.h" /* needs keys.h and adns.h */ #include "whack.h" /* for RC_LOG_SERIOUS */ +#include "pluto.h" #include <pfkeyv2.h> #include <pfkey.h> @@ -467,7 +468,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port) #endif #if defined(linux) && defined(KERNEL26_SUPPORT) - if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX) { struct sadb_x_policy policy; int level, opt; @@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces) for (ifp = rifaces; ifp != NULL; ifp = ifp->next) { struct raw_iface *v = NULL; /* matching ipsecX interface */ - struct raw_iface fake_v; bool after = FALSE; /* has vfp passed ifp on the list? */ bool bad = FALSE; struct raw_iface *vfp; @@ -578,7 +577,6 @@ process_raw_ifaces(struct raw_iface *rifaces) * "after" allows us to avoid double reporting. */ #if defined(linux) && defined(KERNEL26_SUPPORT) - if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX) { if (after) { @@ -603,7 +601,6 @@ process_raw_ifaces(struct raw_iface *rifaces) continue; #if defined(linux) && defined(KERNEL26_SUPPORT) - if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX) { v = ifp; goto add_entry; @@ -613,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces) /* what if we didn't find a virtual interface? */ if (v == NULL) { - if (no_klips) - { - /* kludge for testing: invent a virtual device */ - static const char fvp[] = "virtual"; - fake_v = *ifp; - passert(sizeof(fake_v.name) > sizeof(fvp)); - strcpy(fake_v.name, fvp); - addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1 - , sizeof(fake_v.name) - (sizeof(fvp) - 1)); - v = &fake_v; - } - else - { - DBG(DBG_CONTROL, - DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored" - , ifp->name, ip_str(&ifp->addr))); - continue; - } + DBG(DBG_CONTROL, + DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored" + , ifp->name, ip_str(&ifp->addr))); + continue; } /* We've got all we need; see if this is a new thing: @@ -811,7 +794,7 @@ call_server(void) { fd_set readfds; fd_set writefds; - int ndes; + int ndes, events_fd; /* wait for next interesting thing */ @@ -853,19 +836,10 @@ call_server(void) FD_SET(adns_afd, &readfds); } -#ifdef KLIPS - if (!no_klips) - { - int fd = *kernel_ops->async_fdp; - - if (kernel_ops->process_queue) - kernel_ops->process_queue(); - if (maxfd < fd) - maxfd = fd; - passert(!FD_ISSET(fd, &readfds)); - FD_SET(fd, &readfds); - } -#endif + events_fd = pluto->events->get_event_fd(pluto->events); + if (maxfd < events_fd) + maxfd = events_fd; + FD_SET(events_fd, &readfds); if (listening) { @@ -947,18 +921,16 @@ call_server(void) ndes--; } -#ifdef KLIPS - if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds)) + if (FD_ISSET(events_fd, &readfds)) { passert(ndes > 0); DBG(DBG_CONTROL, DBG_log(BLANK_FORMAT); - DBG_log("*received kernel message")); - kernel_ops->process_msg(); + DBG_log("*handling asynchronous events")); + pluto->events->handle(pluto->events); passert(GLOBALS_ARE_RESET()); ndes--; } -#endif for (ifp = interfaces; ifp != NULL; ifp = ifp->next) { diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c index f1a3932a6..85e246ac4 100644 --- a/src/pluto/smartcard.c +++ b/src/pluto/smartcard.c @@ -502,9 +502,9 @@ static cert_t* scx_find_cert_object(CK_SESSION_HANDLE session, *cert = cert_empty; cert->smartcard = TRUE; cert->cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, blob, - BUILD_END); + CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, blob, + BUILD_END); if (cert->cert) { return cert; @@ -539,6 +539,7 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) CK_ULONG obj_count = 0; time_t valid_until; smartcard_t *sc; + cert_t *cert; certificate_t *certificate; x509_t *x509; @@ -559,8 +560,8 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) *sc = empty_sc; sc->any_slot = FALSE; sc->slot = slot; - sc->last_cert = scx_find_cert_object(session, object, sc); - if (sc->last_cert == NULL) + cert = scx_find_cert_object(session, object, sc); + if (!cert) { scx_free(sc); continue; @@ -571,9 +572,10 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) ) /* check validity of certificate */ - certificate = sc->last_cert->cert; + certificate = cert->cert; if (!certificate->get_validity(certificate, NULL, NULL, &valid_until)) { + cert_free(cert); scx_free(sc); continue; } @@ -582,17 +584,17 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) ) sc = scx_add(sc); - x509 = (x509_t*)certificate; /* put end entity and ca certificates into different chains */ + x509 = (x509_t*)certificate; if (x509->get_flags(x509) & X509_CA) { - sc->last_cert = add_authcert(sc->last_cert, X509_CA); + sc->last_cert = add_authcert(cert, X509_CA); } else { - add_public_key_from_cert(sc->last_cert, valid_until, DAL_LOCAL); - sc->last_cert = cert_add(sc->last_cert); + add_public_key_from_cert(cert, valid_until, DAL_LOCAL); + sc->last_cert = cert_add(cert); } cert_share(sc->last_cert); @@ -1078,7 +1080,7 @@ cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached) *scp = sc = scx_add(scx_parse_number_slot_id(number_slot_id)); /* is there a cached smartcard certificate? */ - *cached = sc->last_cert && + *cached = sc->last_cert && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL; if (*cached) @@ -1451,7 +1453,7 @@ bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out, { return FALSE; } - key->encrypt(key, plain_text, &cipher_text); + key->encrypt(key, ENCRYPT_RSA_PKCS1, plain_text, &cipher_text); key->destroy(key); if (cipher_text.ptr == NULL) diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index cdf2cb21b..2ed07bdfc 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -234,7 +234,7 @@ out_attr(int type , val, enum_show(d, val))); return TRUE; } -#define return_on(var, val) do { var=val;goto return_out; } while(0); +#define return_on(var, val) do { var=val;goto return_out; } while(0) /* Output an SA, as described by a db_sa. * This has the side-effect of allocating SPIs for us. */ @@ -448,7 +448,7 @@ out_sa(pb_stream *outs , &st->st_connection->spd , tunnel_mode); if (*spi_ptr == 0) - return FALSE; + return_on(ret, FALSE); *spi_generated = TRUE; } if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE @@ -2176,7 +2176,7 @@ parse_ipsec_sa_body( #endif if (!can_do_IPcomp) { - plog("compression proposed by %s, but KLIPS is not configured with IPCOMP" + plog("compression proposed by %s, but kernel does not support IPCOMP" , ip_str(&c->spd.that.host_addr)); continue; } diff --git a/src/pluto/state.c b/src/pluto/state.c index 29d78fb3d..3639f944d 100644 --- a/src/pluto/state.c +++ b/src/pluto/state.c @@ -734,7 +734,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf, , st->st_serialno , c->name, inst , enum_name(&state_names, st->st_state) - , state_story[st->st_state - STATE_MAIN_R0] + , state_story[st->st_state] , timer_event_names, st->st_event->ev_type , delta , np1, np2, eo, dpd); @@ -782,7 +782,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf, } if (st->st_esp.present) { - time_t now = time(NULL); + time_t now = time_monotonic(NULL); add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP); add_sa_info(st, FALSE); @@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf, add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP); add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP); } -#ifdef KLIPS tunnel = st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL; p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport"); -#endif snprintf(state_buf2, state_buf2_len , "#%lu: \"%s\"%s%s" @@ -897,56 +895,6 @@ void show_states_status(bool all, const char *name) free(array); } -/* Given that we've used up a range of unused CPI's, - * search for a new range of currently unused ones. - * Note: this is very expensive when not trivial! - * If we can't find one easily, choose 0 (a bad SPI, - * no matter what order) indicating failure. - */ -void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi) -{ - int tries = 0; - cpi_t base = *latest_cpi; - cpi_t closest; - int i; - -startover: - closest = ~0; /* not close at all */ - for (i = 0; i < STATE_TABLE_SIZE; i++) - { - struct state *st; - - for (st = statetable[i]; st != NULL; st = st->st_hashchain_next) - { - if (st->st_ipcomp.present) - { - cpi_t c = ntohl(st->st_ipcomp.our_spi) - base; - - if (c < closest) - { - if (c == 0) - { - /* oops: next spot is occupied; start over */ - if (++tries == 20) - { - /* FAILURE */ - *latest_cpi = *first_busy_cpi = 0; - return; - } - base++; - if (base > IPCOMP_LAST_NEGOTIATED) - base = IPCOMP_FIRST_NEGOTIATED; - goto startover; /* really a tail call */ - } - closest = c; - } - } - } - } - *latest_cpi = base; /* base is first in next free range */ - *first_busy_cpi = closest + base; /* and this is the roof */ -} - /* Muck with high-order 16 bits of this SPI in order to make * the corresponding SAID unique. * Its low-order 16 bits hold a well-known IPCOMP CPI. diff --git a/src/pluto/state.h b/src/pluto/state.h index c4e8db485..a307d9f69 100644 --- a/src/pluto/state.h +++ b/src/pluto/state.h @@ -127,10 +127,8 @@ struct state struct ipsec_proto_info st_ah; struct ipsec_proto_info st_esp; struct ipsec_proto_info st_ipcomp; -#ifdef KLIPS ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */ ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */ -#endif const struct dh_desc *st_pfs_group; /* group for Phase 2 PFS */ @@ -267,7 +265,6 @@ extern struct state extern void show_states_status(bool all, const char *name); extern void for_each_state(void *(f)(struct state *, void *data), void *data); -extern void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi); extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st); extern void fmt_state(bool all, struct state *st, time_t n , char *state_buf, size_t state_buf_len diff --git a/src/pluto/timer.c b/src/pluto/timer.c index b112d67f6..c1ad55f5e 100644 --- a/src/pluto/timer.c +++ b/src/pluto/timer.c @@ -233,13 +233,6 @@ void handle_timer_event(void) init_secret(); break; -#ifdef KLIPS - case EVENT_SHUNT_SCAN: - passert(st == NULL); - scan_proc_shunts(); - break; -#endif - case EVENT_LOG_DAILY: daily_log_event(); break; diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 2b8681246..d717beb15 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -427,7 +427,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert, { whack_log(RC_COMMENT, " pubkey: %N %4d bits%s", key_type_names, key->get_type(key), - key->get_keysize(key) * BITS_PER_BYTE, + key->get_keysize(key), cert->smartcard ? ", on smartcard" : (has_private_key(cert)? ", has private key" : "")); diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am index dd4a4a63d..897b49ac3 100644 --- a/src/scepclient/Makefile.am +++ b/src/scepclient/Makefile.am @@ -21,7 +21,7 @@ INCLUDES = \ AM_CFLAGS = \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ --DPLUGINS=\""${pluto_plugins}\"" \ +-DPLUGINS=\""${scepclient_plugins}\"" \ -DDEBUG -DNO_PLUTO LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 7832e5f66..a20fa2eb9 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -50,6 +50,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -173,6 +174,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -204,14 +207,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -226,24 +232,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -251,7 +264,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -280,7 +296,7 @@ INCLUDES = \ -I$(WHACKDIR) AM_CFLAGS = -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${pluto_plugins}\"" -DDEBUG -DNO_PLUTO \ + -DPLUGINS=\""${scepclient_plugins}\"" -DDEBUG -DNO_PLUTO \ $(am__append_1) LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 5c32bbdef..448854acd 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -807,7 +807,7 @@ int main(int argc, char **argv) public_key = private_key->get_public_key(private_key); /* check for minimum key length */ - if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS) + if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE) { exit_scepclient("length of RSA key has to be at least %d bits" ,RSA_MIN_OCTETS * BITS_PER_BYTE); @@ -859,7 +859,7 @@ int main(int argc, char **argv) BUILD_SIGNING_KEY, private_key, BUILD_SUBJECT, subject, BUILD_SUBJECT_ALTNAMES, subjectAltNames, - BUILD_PASSPHRASE, challengePassword, + BUILD_CHALLENGE_PWD, challengePassword, BUILD_DIGEST_ALG, pkcs10_signature_alg, BUILD_END); if (!pkcs10_req) diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 9813a0c06..75297f767 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -9,6 +9,7 @@ INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto \ -I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke @@ -23,9 +24,8 @@ AM_CFLAGS = \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in -dist_man_MANS = ipsec.conf.5 starter.8 -CLEANFILES = ipsec.conf.5 +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -43,11 +43,6 @@ if USE_LOAD_WARNING AM_CFLAGS += -DLOAD_WARNING endif -ipsec.conf.5: ipsec.conf.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ - lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index d06c8974d..446f183f1 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -49,14 +49,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \ - "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ @@ -106,7 +106,6 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) @@ -178,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -209,14 +210,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -231,24 +235,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -256,7 +267,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -278,6 +292,7 @@ INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto \ -I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke @@ -288,9 +303,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in -dist_man_MANS = ipsec.conf.5 starter.8 -CLEANFILES = ipsec.conf.5 +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient @@ -424,44 +438,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(dist_man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" - @list=''; test -n "$(man5dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ - done; } - -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man5dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" @@ -600,7 +576,7 @@ check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(MANS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -620,7 +596,6 @@ install-strip: mostlyclean-generic: clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -669,7 +644,7 @@ install-info: install-info-am install-info-am: -install-man: install-man5 install-man8 +install-man: install-man8 install-pdf: install-pdf-am @@ -701,7 +676,7 @@ ps-am: uninstall-am: uninstall-ipsecPROGRAMS uninstall-man -uninstall-man: uninstall-man5 uninstall-man8 +uninstall-man: uninstall-man8 .MAKE: install-am install-strip @@ -712,20 +687,14 @@ uninstall-man: uninstall-man5 uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-exec-local \ install-html install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man5 install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \ - uninstall-man8 - - -ipsec.conf.5: ipsec.conf.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ + install-ipsecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man8 + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/README b/src/starter/README index 12a60a11d..4aff64978 100644 --- a/src/starter/README +++ b/src/starter/README @@ -18,8 +18,6 @@ Usage: FEATURES -------- -o Load and unload KLIPS (ipsec.o kernel module) - o Load modules of the native Linux 2.6 IPsec stack o Launch and monitor pluto @@ -50,8 +48,7 @@ o /var/run/dynip/xxxx can be used to use a virtual interface name in o %auto can be used to automaticaly name the connections -o kill -TERM can be used to stop FS. pluto will be stopped and KLIPS unloaded - (if it has been loaded). +o kill -TERM can be used to stop FS. pluto will be stopped. o Can be used to start strongSwan and load lots of connections in a few seconds. diff --git a/src/starter/args.c b/src/starter/args.c index ab6b60509..37d600283 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -208,6 +208,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_AUTHBY */ }, { ARG_MISC, 0, NULL /* KW_EAP */ }, { ARG_STR, offsetof(starter_conn_t, eap_identity), NULL }, + { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL }, { ARG_MISC, 0, NULL /* KW_MOBIKE */ }, { ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ }, { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index 399e17844..3367616ca 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -19,6 +19,8 @@ #include <freeswan.h> +#include <eap/eap.h> + #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" @@ -461,7 +463,7 @@ static void handle_firewall(const char *label, starter_end_t *end, } } -static bool handle_mark(char *value, mark_t *mark) +static bool handle_mark(char *value, mark_t *mark) { char *pos, *endptr; @@ -671,31 +673,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } break; } - if (streq(kw->value, "aka")) - { - conn->eap_type = 23; - } - else if (streq(kw->value, "sim")) - { - conn->eap_type = 18; - } - else if (streq(kw->value, "md5")) - { - conn->eap_type = 4; - } - else if (streq(kw->value, "gtc")) - { - conn->eap_type = 6; - } - else if (streq(kw->value, "mschapv2")) - { - conn->eap_type = 26; - } - else if (streq(kw->value, "radius")) - { /* pseudo-type */ - conn->eap_type = 253; - } - else + conn->eap_type = eap_type_from_string(kw->value); + if (conn->eap_type == 0) { conn->eap_type = atoi(kw->value); if (conn->eap_type == 0) @@ -739,7 +718,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg if (*endptr != '\0') { plog("# bad integer value: %s=%s", kw->entry->name, kw->value); - cfg->err++; + cfg->err++; } } break; @@ -815,7 +794,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg) DBG(DBG_CONTROL, DBG_log(" also=%s", kw->value) ) - } + } continue; } @@ -879,7 +858,7 @@ static void load_also_conns(starter_conn_t *conn, also_t *also, /* * find a conn included by also */ -static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, +static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg) { starter_conn_t *c = cfg->conn_first; diff --git a/src/starter/confread.h b/src/starter/confread.h index 5e4356ea3..982d1d206 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -95,13 +95,6 @@ struct also { also_t *next; }; -typedef struct mark_t mark_t; - -struct mark_t{ - u_int32_t value; - u_int32_t mask; -}; - typedef struct starter_conn starter_conn_t; struct starter_conn { @@ -117,6 +110,7 @@ struct starter_conn { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *aaa_identity; char *xauth_identity; lset_t policy; time_t sa_ike_life_seconds; @@ -129,8 +123,8 @@ struct starter_conn { unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; u_int32_t reqid; - mark_t mark_in; - mark_t mark_out; + mark_t mark_in; + mark_t mark_out; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index 92b2c74a4..ef26cdce5 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -56,7 +56,7 @@ get_defaultroute(defaultroute_t *defaultroute) ssize_t msglen; int fd; - bzero(&rtu, sizeof(rtu)); + memset(&rtu, 0, sizeof(rtu)); rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt)); rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; rtu.m.nh.nlmsg_type = RTM_GETROUTE; @@ -142,7 +142,7 @@ get_defaultroute(defaultroute_t *defaultroute) plog("could not open AF_INET socket"); break; } - bzero(&req, sizeof(req)); + memset(&req, 0, sizeof(req)); req.ifr_ifindex = iface_idx; if (ioctl(fd, SIOCGIFNAME, &req) < 0 || ioctl(fd, SIOCGIFADDR, &req) < 0) diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 deleted file mode 100644 index e654ab66e..000000000 --- a/src/starter/ipsec.conf.5 +++ /dev/null @@ -1,1330 +0,0 @@ -.TH IPSEC.CONF 5 "2010-05-30" "4.4.1" "strongSwan" -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -The major exception is secrets for authentication; -see -.IR ipsec.secrets (5). -Its contents are not security-sensitive. -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. a connection description) into several actual sections. -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. -Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens. -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. -The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -.PP -A section with name -.B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties of a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection. -Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=192.168.0.1 - leftsubnet=10.1.0.0/16 - right=192.168.0.2 - rightsubnet=10.1.0.0/16 - keyingtries=%forever - auto=add -.ft -.fi -.PP -A note on terminology: There are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 -and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA' or 'Child SA'. -strongSwan currently uses two separate keying daemons. \fIpluto\fP handles -all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 -protocol. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -for every connection description an attempt is made to figure out whether -the local endpoint should act as the -.I left -or -.I right -endpoint. This is done by matching the IP addresses defined for both endpoints -with the IP addresses assigned to local network interfaces. If a match is found -then the role (left or right) that matches is going to be considered local. -If no match is found during startup, -.I left -is considered local. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked '(required)'. -.SS "CONN PARAMETERS" -Unless otherwise noted, for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B ah -AH authentication algorithm to be used -for the connection, e.g. -.B hmac-md5. -.TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . -.br -The IKEv2 daemon currently supports ESP only. -.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -or -.B psk -for pre-shared secrets, -.B pubkey -(the default) for public key signatures as well as the synonyms -.B rsasig -for RSA digital signatures and -.B ecdsasig -for Elliptic Curve DSA signatures. -.B never -can be used if negotiation is never to be attempted or accepted (useful for -shunt-only conns). -Digital signatures are superior in every way to shared secrets. -IKEv1 additionally supports the values -.B xauthpsk -and -.B xauthrsasig -that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode -based on shared secrets or digital RSA signatures, respectively. -IKEv2 additionally supports the value -.BR eap , -which indicates an initiator to request EAP authentication. The EAP method -to use is selected by the server (see -.BR eap ). -This parameter is deprecated for IKEv2 connections, as two peers do not need -to agree on an authentication method. Use the -.B leftauth -parameter instead to define authentication methods in IKEv2. -.TP -.B auto -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.BR add , -.BR route , -.B start -and -.B ignore -(the default). -.B add -loads a connection without starting it. -.B route -loads a connection and installs kernel traps. If traffic is detected between -.B leftsubnet -and -.B rightsubnet -, a connection is established. -.B start -loads a connection and brings it up immediatly. -.B ignore -ignores the connection. This is equal to delete a connection from the config -file. -Relevant only locally, other end need not agree on it -(but in general, for an intended-to-be-permanent connection, -both ends should use -.B auto=start -to ensure that any reboot causes immediate renegotiation). -.TP -.B compress -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). A value of -.B yes -causes IPsec to propose both compressed and uncompressed, -and prefer compressed. -A value of -.B no -prevents IPsec from proposing compression; -a proposal to compress will still be accepted. -.TP -.B dpdaction -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) -are periodically sent in order to check the -liveliness of the IPsec peer. The values -.BR clear , -.BR hold , -and -.B restart -all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted -.RB ( clear ), -put in the hold state -.RB ( hold ) -or restarted -.RB ( restart ). -For IKEv1, the default is -.B none -which disables the active sending of R_U_THERE notifications. -Nevertheless pluto will always send the DPD Vendor ID during connection set up -in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. For IKEv2, -.B none -does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default -.RB ( clear ). -.TP -.B dpddelay -defines the period time interval with which R_U_THERE messages/INFORMATIONAL -exchanges are sent to the peer. These are only sent if no other traffic is -received. In IKEv2, a value of 0 sends no additional INFORMATIONAL -messages and uses only standard messages (such as those to rekey) to detect -dead peers. -.TP -.B dpdtimeout -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. This only applies to IKEv1, in IKEv2 the default -retransmission timeout applies, as every exchange is used to detect dead peers. -.TP -.B inactivity -defines the timeout interval, after which a CHILD_SA is closed if it did -not send or receive any traffic. Currently supported in IKEv2 connections only. -.TP -.B eap -defines the EAP type to propose as server if the client requests EAP -authentication. Currently supported values are -.B aka -for EAP-AKA, -.B gtc -for EAP-GTC, -.B md5 -for EAP-MD5, -.B mschapv2 -for EAP-MS-CHAPv2, -.B radius -for the EAP-RADIUS proxy and -.B sim -for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a -definition in the form -.B eap=type-vendor -(e.g. eap=7-12345) can be used to specify vendor specific EAP types. -This parameter is deprecated in the favour of -.B leftauth. - -To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set -.BR eap=radius . -.TP -.B eap_identity -defines the identity the client uses to reply to a EAP Identity request. -If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value -.B %identity -uses the EAP Identity method to ask the client for an EAP identity. If not -defined, the IKEv2 identity will be used as EAP identity. -.TP -.B esp -comma-separated list of ESP encryption/authentication algorithms to be used -for the connection, e.g. -.BR 3des-md5 . -The notation is -.BR encryption-integrity-[dh-group] . -.br -If -.B dh-group -is specified, CHILD_SA setup and rekeying include a separate diffe hellman -exchange (IKEv2 only). -.TP -.B forceencaps -Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to surmount restrictive firewalls. In order to force the peer to -encapsulate packets, NAT detection payloads are faked (IKEv2 only). -.TP -.B ike -comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -to be used, e.g. -.BR aes128-sha1-modp2048 . -The notation is -.BR encryption-integrity-dhgroup . -In IKEv2, multiple algorithms and proposals may be included, such as -.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. -.TP -.B ikelifetime -how long the keying channel of a connection (ISAKMP or IKE SA) -should last before being renegotiated. -.TP -.B installpolicy -decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful cooperation e.g. with -the Mobile IPv6 daemon mip6d who wants to control the kernel policies. -Acceptable values are -.B yes -(the default) and -.BR no . -.TP -.B keyexchange -method of key exchange; -which protocol should be used to initialize the connection. Connections marked with -.B ikev1 -are initiated with pluto, those marked with -.B ikev2 -with charon. An incoming request from the remote peer is handled by the correct -daemon, unaffected from the -.B keyexchange -setting. The default value -.B ike -currently is a synonym for -.BR ikev1 . -.TP -.B keyingtries -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR %forever ). -The value \fB%forever\fP -means 'never give up'. -Relevant only locally, other end need not agree on it. -.TP -.B keylife -synonym for -.BR lifetime . -.TP -.B left -(required) -the IP address of the left participant's public-network interface -or one of several magic values. -If it is -.BR %defaultroute , -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time and -during configuration update). -Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both. -The prefix -.B % -in front of a fully-qualified domain name or an IP address will implicitly set -.B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or -update time then -.B left=%any -and -.B leftallowany=no -will be assumed. - -In case of an IKEv2 connection, the value -.B %any -for the local endpoint signifies an address to be filled in (by automatic -keying) during negotiation. If the local peer initiates the connection setup -the routing table will be queried to determine the correct local IP address. -In case the local peer is responding to a connection setup then any IP address -that is assigned to a local interface will be accepted. -.br -Note that specifying -.B %any -for the local endpoint is not supported by the IKEv1 pluto daemon. - -If -.B %any -is used for the remote endpoint it literally means any IP address. - -Please note that with the usage of wildcards multiple connection descriptions -might match a given incoming connection attempt. The most specific description -is used in that case. -.TP -.B leftallowany -a modifier for -.B left -, making it behave as -.B %any -although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec -startup or update time. -Acceptable values are -.B yes -and -.B no -(the default). -.TP -.B leftauth -Authentication method to use locally (left) or require from the remote (right) -side. -This parameter is supported in IKEv2 only. Acceptable values are -.B pubkey -for public key authentication (RSA/ECDSA), -.B psk -for pre-shared key authentication and -.B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of -.B eap, -an optional EAP method can be appended. Currently defined methods are -.BR eap-aka , -.BR eap-gtc , -.BR eap-md5 , -.B eap-mschapv2 -and -.BR eap-sim . -Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific -EAP methods are defined in the form -.B eap-type-vendor -.RB "(e.g. " eap-7-12345 ). -.TP -.B leftauth2 -Same as -.BR leftauth , -but defines an additional authentication exchange. IKEv2 supports multiple -authentication rounds using "Multiple Authentication Exchanges" defined -in RFC4739. This allows, for example, separated authentication -of host and user (IKEv2 only). -.TP -.B leftca -the distinguished name of a certificate authority which is required to -lie in the trust path going from the left participant's certificate up -to the root certification authority. -.TP -.B leftca2 -Same as -.B leftca, -but for the second authentication round (IKEv2 only). -.TP -.B leftcert -the path to the left participant's X.509 certificate. The file can be encoded -either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP -are accepted. By default -.B leftcert -sets -.B leftid -to the distinguished name of the certificate's subject and -.B leftca -to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a -.B leftid -value which must be certified by the certificate, though. -.TP -.B leftcert2 -Same as -.B leftcert, -but for the second authentication round (IKEv2 only). -.TP -.B leftfirewall -whether the left participant is doing forwarding-firewalling -(including masquerading) using iptables for traffic from \fIleftsubnet\fR, -which should be turned off (for traffic to the other subnet) -once the connection is established; -acceptable values are -.B yes -and -.B no -(the default). -May not be used in the same connection description with -.BR leftupdown . -Implemented as a parameter to the default \fBipsec _updown\fR script. -See notes below. -Relevant only locally, other end need not agree on it. - -If one or both security gateways are doing forwarding firewalling -(possibly including masquerading), -and this is specified using the firewall parameters, -tunnels established with IPsec are exempted from it -so that packets can flow unchanged through the tunnels. -(This means that all subnets connected in this manner must have -distinct, non-overlapping subnet address blocks.) -This is done by the default \fBipsec _updown\fR script (see -.IR pluto (8)). - -In situations calling for more control, -it may be preferable for the user to supply his own -.I updown -script, -which makes the appropriate adjustments for his system. -.TP -.B leftgroups -a comma separated list of group names. If the -.B leftgroups -parameter is present then the peer must be a member of at least one -of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has -been issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts/\fP. -.br -Attribute certificates are not supported in IKEv2 yet. -.TP -.B lefthostaccess -inserts a pair of INPUT and OUTPUT iptables rules using the default -\fBipsec _updown\fR script, thus allowing access to the host itself -in the case where the host's internal interface is part of the -negotiated client subnet. -Acceptable values are -.B yes -and -.B no -(the default). -.TP -.B leftid -how the left participant should be identified for authentication; -defaults to -.BR left . -Can be an IP address or a fully-qualified domain name preceded by -.B @ -(which is used as a literal string and not resolved). -.TP -.B leftid2 -identity to use for a second authentication for the left participant -(IKEv2 only); defaults to -.BR leftid . -.TP -.B leftikeport -UDP port the left participant uses for IKE communication. Currently supported in -IKEv2 connections only. If unspecified, port 500 is used with the port floating -to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port -different from the default additionally requires a socket implementation that -listens to this port. -.TP -.B leftnexthop -this parameter is usually not needed any more because the NETKEY IPsec stack -does not require explicit routing entries for the traffic to be tunneled. If -.B leftsourceip -is used with IKEv1 then -.B leftnexthop -must still be set in order for the source routes to work properly. -.TP -.B leftprotoport -restrict the traffic selector to a single protocol and/or port. -Examples: -.B leftprotoport=tcp/http -or -.B leftprotoport=6/80 -or -.B leftprotoport=udp -.TP -.B leftrsasigkey -the left participant's -public key for RSA signature authentication, -in RFC 2537 format using -.IR ttodata (3) -encoding. -The magic value -.B %none -means the same as not specifying a value (useful to override a default). -The value -.B %cert -(the default) -means that the key is extracted from a certificate. -The identity used for the left participant -must be a specific host, not -.B %any -or another magic value. -.B Caution: -if two connection descriptions -specify different public keys for the same -.BR leftid , -confusion and madness will ensue. -.TP -.B leftsendcert -Accepted values are -.B never -or -.BR no , -.B always -or -.BR yes , -and -.BR ifasked , -the latter meaning that the peer must send a certificate request payload in -order to get a certificate in return. -.TP -.B leftsourceip -The internal source IP to use in a tunnel, also known as virtual IP. If the -value is one of the synonyms -.BR %modeconfig , -.BR %modecfg , -.BR %config , -or -.BR %cfg , -an address is requested from the peer. In IKEv2, a statically defined address -is also requested, since the server may change it. -.TP -.B rightsourceip -The internal source IP to use in a tunnel for the remote peer. If the -value is -.B %config -on the responder side, the initiator must propose an address which is then -echoed back. Also supported are address pools expressed as -\fInetwork\fB/\fInetmask\fR -or the use of an external IP address pool using %\fIpoolname\fR, -where \fIpoolname\fR is the name of the IP address pool used for the lookup. -.TP -.B leftsubnet -private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR; -if omitted, essentially assumed to be \fIleft\fB/32\fR, -signifying that the left end of the connection goes to the left participant -only. When using IKEv2, the configured subnet of the peers may differ, the -protocol narrows it to the greatest common subnet. Further, IKEv2 supports -multiple subnets separated by commas. IKEv1 only interprets the first subnet -of such a definition. -.TP -.B leftsubnetwithin -the peer can propose any subnet or single IP address that fits within the -range defined by -.BR leftsubnetwithin. -Not relevant for IKEv2, as subnets are narrowed. -.TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR pluto (8) -for details. -Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only, since routing has been implemented -directly into charon. -.TP -.B lifebytes -the number of bytes transmitted over an IPsec SA before it expires (IKEv2 -only). -.TP -.B lifepackets -the number of packets transmitted over an IPsec SA before it expires (IKEv2 -only). -.TP -.B lifetime -how long a particular instance of a connection -(a set of encryption/authentication keys for user packets) should last, -from successful negotiation to expiry; -acceptable values are an integer optionally followed by -.BR s -(a time in seconds) -or a decimal number followed by -.BR m , -.BR h , -or -.B d -(a time -in minutes, hours, or days respectively) -(default -.BR 1h , -maximum -.BR 24h ). -Normally, the connection is renegotiated (via the keying channel) -before it expires (see -.BR margintime ). -The two ends need not exactly agree on -.BR lifetime , -although if they do not, -there will be some clutter of superseded connections on the end -which thinks the lifetime is longer. -.TP -.B marginbytes -how many bytes before IPsec SA expiry (see -.BR lifebytes ) -should attempts to negotiate a replacement begin (IKEv2 only). -.TP -.B marginpackets -how many packets before IPsec SA expiry (see -.BR lifepackets ) -should attempts to negotiate a replacement begin (IKEv2 only). -.TP -.B margintime -how long before connection expiry or keying-channel expiry -should attempts to -negotiate a replacement -begin; acceptable values as for -.B lifetime -(default -.BR 9m ). -Relevant only locally, other end need not agree on it. -.TP -.B mark -sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound -IPsec SAs and policies (IKEv2 only). If the mask is missing then a default -mask of -.B 0xffffffff -is assumed. -.TP -.B mark_in -sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy -(IKEv2 only). If the mask is missing then a default mask of -.B 0xffffffff -is assumed. -.TP -.B mark_out -sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy -(IKEv2 only). If the mask is missing then a default mask of -.B 0xffffffff -is assumed. -.TP -.B mobike -enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are -.B yes -(the default) and -.BR no . -If set to -.BR no , -the IKEv2 charon daemon will not actively propose MOBIKE as initiator and -ignore the MOBIKE_SUPPORTED notify as responder. -.TP -.B modeconfig -defines which mode is used to assign a virtual IP. -Accepted values are -.B push -and -.B pull -(the default). -Currently relevant for IKEv1 only since IKEv2 always uses the configuration -payload in pull mode. Cisco VPN gateways usually operate in -.B push -mode. -.TP -.B pfs -whether Perfect Forward Secrecy of keys is desired on the connection's -keying channel -(with PFS, penetration of the key-exchange protocol -does not compromise keys negotiated earlier); -acceptable values are -.B yes -(the default) -and -.BR no. -IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying -PFS is enforced by defining a Diffie-Hellman modp group in the -.B esp -parameter. -.TP -.B pfsgroup -defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode -differing from the DH group used for IKEv1 Main Mode (IKEv1 only). -.TP -.B reauth -whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, -reauthentication is always done. In IKEv2, a value of -.B no -rekeys without uninstalling the IPsec SAs, a value of -.B yes -(the default) creates a new IKE_SA from scratch and tries to recreate -all IPsec SAs. -.TP -.B rekey -whether a connection should be renegotiated when it is about to expire; -acceptable values are -.B yes -(the default) -and -.BR no . -The two ends need not agree, but while a value of -.B no -prevents pluto/charon from requesting renegotiation, -it does not prevent responding to renegotiation requested from the other end, -so -.B no -will be largely ineffective unless both ends agree on it. -.TP -.B rekeyfuzz -maximum percentage by which -.BR marginbytes , -.B marginpackets -and -.B margintime -should be randomly increased to randomize rekeying intervals -(important for hosts with many connections); -acceptable values are an integer, -which may exceed 100, -followed by a `%' -(defaults to -.BR 100% ). -The value of -.BR marginTYPE , -after this random increase, -must not exceed -.B lifeTYPE -(where TYPE is one of -.IR bytes , -.I packets -or -.IR time ). -The value -.B 0% -will suppress randomization. -Relevant only locally, other end need not agree on it. -.TP -.B rekeymargin -synonym for -.BR margintime . -.TP -.B reqid -sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). -.TP -.B type -the type of the connection; currently the accepted values -are -.B tunnel -(the default) -signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; -.BR transport , -signifying host-to-host transport mode; -.BR transport_proxy , -signifying the special Mobile IPv6 transport proxy mode; -.BR passthrough , -signifying that no IPsec processing should be done at all; -.BR drop , -signifying that packets should be discarded; and -.BR reject , -signifying that packets should be discarded and a diagnostic ICMP returned. -The IKEv2 daemon charon currently supports -.BR tunnel , -.BR transport , -and -.BR tunnel_proxy -connection types, only. -.TP -.B xauth -specifies the role in the XAUTH protocol if activated by -.B authby=xauthpsk -or -.B authby=xauthrsasig. -Accepted values are -.B server -and -.B client -(the default). - -.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" -The following parameters are relevant to IKEv2 Mediation Extension -operation only. -.TP 14 -.B mediation -whether this connection is a mediation connection, ie. whether this -connection is used to mediate other connections. Mediation connections -create no child SA. Acceptable values are -.B no -(the default) and -.BR yes . -.TP -.B mediated_by -the name of the connection to mediate this connection through. If given, -the connection will be mediated through the named mediation connection. -The mediation connection must set -.BR mediation=yes . -.TP -.B me_peerid -ID as which the peer is known to the mediation server, ie. which the other -end of this connection uses as its -.B leftid -on its connection to the mediation server. This is the ID we request the -mediation server to mediate us with. If -.B me_peerid -is not given, the -.B rightid -of this connection will be used as peer ID. - -.SH "CA SECTIONS" -This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). -.TP 10 -.B auto -currently can have either the value -.B ignore -or -.B add -. -.TP -.B cacert -defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. -.TP -.B crluri -defines a CRL distribution point (ldap, http, or file URI) -.TP -.B crluri1 -synonym for -.B crluri. -.TP -.B crluri2 -defines an alternative CRL distribution point (ldap, http, or file URI) -.TP -.B ldaphost -defines an ldap host. Currently used by IKEv1 only. -.TP -.B ocspuri -defines an OCSP URI. -.TP -.B ocspuri1 -synonym for -.B ocspuri. -.TP -.B ocspuri2 -defines an alternative OCSP URI. Currently used by IKEv2 only. -.TP -.B certuribase -defines the base URI for the Hash and URL feature supported by IKEv2. -Instead of exchanging complete certificates, IKEv2 allows to send an URI -that resolves to the DER encoded certificate. The certificate URIs are built -by appending the SHA1 hash of the DER encoded certificates to this base URI. -.SH "CONFIG SECTIONS" -At present, the only -.B config -section known to the IPsec software is the one named -.BR setup , -which contains information used when the software is being started. -Here's an example: -.PP -.ne 8 -.nf -.ft B -.ta 1c -config setup - plutodebug=all - crlcheckinterval=10m - strictcrlpolicy=yes -.ft -.fi -.PP -Parameters are optional unless marked ``(required)''. -The currently-accepted -.I parameter -names in a -.B config -.B setup -section affecting both daemons are: -.TP 14 -.B cachecrls -certificate revocation lists (CRLs) fetched via http or ldap will be cached in -\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification -authority's public key. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B charonstart -whether to start the IKEv2 Charon daemon or not. -Accepted values are -.B yes -or -.BR no . -The default is -.B yes -if starter was compiled with IKEv2 support. -.TP -.B dumpdir -in what directory should things started by \fBipsec starter\fR -(notably the Pluto and Charon daemons) be allowed to dump core? -The empty value (the default) means they are not -allowed to. -This feature is currently not yet supported by \fBipsec starter\fR. -.TP -.B plutostart -whether to start the IKEv1 Pluto daemon or not. -Accepted values are -.B yes -or -.BR no . -The default is -.B yes -if starter was compiled with IKEv1 support. -.TP -.B strictcrlpolicy -defines if a fresh CRL must be available in order for the peer authentication based -on RSA signatures to succeed. -Accepted values are -.B yes -and -.B no -(the default). -IKEv2 additionally recognizes -.B ifuri -which reverts to -.B yes -if at least one CRL URI is defined and to -.B no -if no URI is known. -.TP -.B uniqueids -whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default) -and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. -The IKEv2 daemon also accepts the value -.B replace -wich is identical to -.B yes -and the value -.B keep -to reject new IKE_SA setups and keep the duplicate established earlier. -.PP -The following -.B config section -parameters are used by the IKEv1 Pluto daemon only: -.TP -.B crlcheckinterval -interval in seconds. CRL fetching is enabled if the value is greater than zero. -Asynchronous, periodic checking for fresh CRLs is currently done by the -IKEv1 Pluto daemon only. -.TP -.B keep_alive -interval in seconds between NAT keep alive packets, the default being 20 seconds. -.TP -.B nat_traversal -activates NAT traversal by accepting source ISAKMP ports different from udp/500 and -being able of floating to udp/4500 if a NAT situation is detected. -Accepted values are -.B yes -and -.B no -(the default). -Used by IKEv1 only, NAT traversal always being active in IKEv2. -.TP -.B nocrsend -no certificate request payloads will be sent. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B pkcs11initargs -non-standard argument string for PKCS#11 C_Initialize() function; -required by NSS softoken. -.TP -.B pkcs11module -defines the path to a dynamically loadable PKCS #11 library. -.TP -.B pkcs11keepstate -PKCS #11 login sessions will be kept during the whole lifetime of the keying -daemon. Useful with pin-pad smart card readers. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B pkcs11proxy -Pluto will act as a PKCS #11 proxy accessible via the whack interface. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B plutodebug -how much Pluto debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names without the -.B \-\-debug\- -prefix, -separated by white space) are enabled; -for details on available debugging types, see -.IR pluto (8). -.TP -.B plutostderrlog -Pluto will not use syslog, but rather log to stderr, and redirect stderr -to the argument file. -.TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B virtual_private -defines private networks using a wildcard notation. -.PP -The following -.B config section -parameters are used by the IKEv2 Charon daemon only: -.TP -.B charondebug -how much Charon debugging output should be logged. -A comma separated list containing type level/pairs may -be specified, e.g: -.B dmn 3, ike 1, net -1. -Acceptable values for types are -.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib -and the level is one of -.B -1, 0, 1, 2, 3, 4 -(for silent, audit, control, controlmore, raw, private). -.PP -The following -.B config section -parameters only make sense if the KLIPS IPsec stack -is used instead of the default NETKEY stack of the Linux 2.6 kernel: -.TP -.B fragicmp -whether a tunnel's need to fragment a packet should be reported -back with an ICMP message, -in an attempt to make the sender lower his PMTU estimate; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B hidetos -whether a tunnel packet's TOS field should be set to -.B 0 -rather than copied from the user packet inside; -acceptable values are -.B yes -(the default) -and -.BR no -.TP -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -.TP -.B overridemtu -value that the MTU of the ipsec\fIn\fR interface(s) should be set to, -overriding IPsec's (large) default. -.SH FILES -.nf -/etc/ipsec.conf -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls - -.SH SEE ALSO -ipsec(8), pluto(8), starter(8) -.SH HISTORY -Originally written for the FreeS/WAN project by Henry Spencer. -Updated and extended for the strongSwan project <http://www.strongswan.org> by -Tobias Brunner, Andreas Steffen and Martin Willi. -.SH BUGS -.PP -If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP -will fail. diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in deleted file mode 100644 index 3d2940a66..000000000 --- a/src/starter/ipsec.conf.5.in +++ /dev/null @@ -1,1330 +0,0 @@ -.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -The major exception is secrets for authentication; -see -.IR ipsec.secrets (5). -Its contents are not security-sensitive. -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. a connection description) into several actual sections. -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. -Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens. -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. -The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -.PP -A section with name -.B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties of a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection. -Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=192.168.0.1 - leftsubnet=10.1.0.0/16 - right=192.168.0.2 - rightsubnet=10.1.0.0/16 - keyingtries=%forever - auto=add -.ft -.fi -.PP -A note on terminology: There are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 -and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA' or 'Child SA'. -strongSwan currently uses two separate keying daemons. \fIpluto\fP handles -all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 -protocol. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -for every connection description an attempt is made to figure out whether -the local endpoint should act as the -.I left -or -.I right -endpoint. This is done by matching the IP addresses defined for both endpoints -with the IP addresses assigned to local network interfaces. If a match is found -then the role (left or right) that matches is going to be considered local. -If no match is found during startup, -.I left -is considered local. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked '(required)'. -.SS "CONN PARAMETERS" -Unless otherwise noted, for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B ah -AH authentication algorithm to be used -for the connection, e.g. -.B hmac-md5. -.TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . -.br -The IKEv2 daemon currently supports ESP only. -.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -or -.B psk -for pre-shared secrets, -.B pubkey -(the default) for public key signatures as well as the synonyms -.B rsasig -for RSA digital signatures and -.B ecdsasig -for Elliptic Curve DSA signatures. -.B never -can be used if negotiation is never to be attempted or accepted (useful for -shunt-only conns). -Digital signatures are superior in every way to shared secrets. -IKEv1 additionally supports the values -.B xauthpsk -and -.B xauthrsasig -that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode -based on shared secrets or digital RSA signatures, respectively. -IKEv2 additionally supports the value -.BR eap , -which indicates an initiator to request EAP authentication. The EAP method -to use is selected by the server (see -.BR eap ). -This parameter is deprecated for IKEv2 connections, as two peers do not need -to agree on an authentication method. Use the -.B leftauth -parameter instead to define authentication methods in IKEv2. -.TP -.B auto -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.BR add , -.BR route , -.B start -and -.B ignore -(the default). -.B add -loads a connection without starting it. -.B route -loads a connection and installs kernel traps. If traffic is detected between -.B leftsubnet -and -.B rightsubnet -, a connection is established. -.B start -loads a connection and brings it up immediatly. -.B ignore -ignores the connection. This is equal to delete a connection from the config -file. -Relevant only locally, other end need not agree on it -(but in general, for an intended-to-be-permanent connection, -both ends should use -.B auto=start -to ensure that any reboot causes immediate renegotiation). -.TP -.B compress -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). A value of -.B yes -causes IPsec to propose both compressed and uncompressed, -and prefer compressed. -A value of -.B no -prevents IPsec from proposing compression; -a proposal to compress will still be accepted. -.TP -.B dpdaction -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) -are periodically sent in order to check the -liveliness of the IPsec peer. The values -.BR clear , -.BR hold , -and -.B restart -all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted -.RB ( clear ), -put in the hold state -.RB ( hold ) -or restarted -.RB ( restart ). -For IKEv1, the default is -.B none -which disables the active sending of R_U_THERE notifications. -Nevertheless pluto will always send the DPD Vendor ID during connection set up -in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. For IKEv2, -.B none -does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default -.RB ( clear ). -.TP -.B dpddelay -defines the period time interval with which R_U_THERE messages/INFORMATIONAL -exchanges are sent to the peer. These are only sent if no other traffic is -received. In IKEv2, a value of 0 sends no additional INFORMATIONAL -messages and uses only standard messages (such as those to rekey) to detect -dead peers. -.TP -.B dpdtimeout -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. This only applies to IKEv1, in IKEv2 the default -retransmission timeout applies, as every exchange is used to detect dead peers. -.TP -.B inactivity -defines the timeout interval, after which a CHILD_SA is closed if it did -not send or receive any traffic. Currently supported in IKEv2 connections only. -.TP -.B eap -defines the EAP type to propose as server if the client requests EAP -authentication. Currently supported values are -.B aka -for EAP-AKA, -.B gtc -for EAP-GTC, -.B md5 -for EAP-MD5, -.B mschapv2 -for EAP-MS-CHAPv2, -.B radius -for the EAP-RADIUS proxy and -.B sim -for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a -definition in the form -.B eap=type-vendor -(e.g. eap=7-12345) can be used to specify vendor specific EAP types. -This parameter is deprecated in the favour of -.B leftauth. - -To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set -.BR eap=radius . -.TP -.B eap_identity -defines the identity the client uses to reply to a EAP Identity request. -If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value -.B %identity -uses the EAP Identity method to ask the client for an EAP identity. If not -defined, the IKEv2 identity will be used as EAP identity. -.TP -.B esp -comma-separated list of ESP encryption/authentication algorithms to be used -for the connection, e.g. -.BR 3des-md5 . -The notation is -.BR encryption-integrity-[dh-group] . -.br -If -.B dh-group -is specified, CHILD_SA setup and rekeying include a separate diffe hellman -exchange (IKEv2 only). -.TP -.B forceencaps -Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to surmount restrictive firewalls. In order to force the peer to -encapsulate packets, NAT detection payloads are faked (IKEv2 only). -.TP -.B ike -comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -to be used, e.g. -.BR aes128-sha1-modp2048 . -The notation is -.BR encryption-integrity-dhgroup . -In IKEv2, multiple algorithms and proposals may be included, such as -.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. -.TP -.B ikelifetime -how long the keying channel of a connection (ISAKMP or IKE SA) -should last before being renegotiated. -.TP -.B installpolicy -decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful cooperation e.g. with -the Mobile IPv6 daemon mip6d who wants to control the kernel policies. -Acceptable values are -.B yes -(the default) and -.BR no . -.TP -.B keyexchange -method of key exchange; -which protocol should be used to initialize the connection. Connections marked with -.B ikev1 -are initiated with pluto, those marked with -.B ikev2 -with charon. An incoming request from the remote peer is handled by the correct -daemon, unaffected from the -.B keyexchange -setting. The default value -.B ike -currently is a synonym for -.BR ikev1 . -.TP -.B keyingtries -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR %forever ). -The value \fB%forever\fP -means 'never give up'. -Relevant only locally, other end need not agree on it. -.TP -.B keylife -synonym for -.BR lifetime . -.TP -.B left -(required) -the IP address of the left participant's public-network interface -or one of several magic values. -If it is -.BR %defaultroute , -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time and -during configuration update). -Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both. -The prefix -.B % -in front of a fully-qualified domain name or an IP address will implicitly set -.B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or -update time then -.B left=%any -and -.B leftallowany=no -will be assumed. - -In case of an IKEv2 connection, the value -.B %any -for the local endpoint signifies an address to be filled in (by automatic -keying) during negotiation. If the local peer initiates the connection setup -the routing table will be queried to determine the correct local IP address. -In case the local peer is responding to a connection setup then any IP address -that is assigned to a local interface will be accepted. -.br -Note that specifying -.B %any -for the local endpoint is not supported by the IKEv1 pluto daemon. - -If -.B %any -is used for the remote endpoint it literally means any IP address. - -Please note that with the usage of wildcards multiple connection descriptions -might match a given incoming connection attempt. The most specific description -is used in that case. -.TP -.B leftallowany -a modifier for -.B left -, making it behave as -.B %any -although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec -startup or update time. -Acceptable values are -.B yes -and -.B no -(the default). -.TP -.B leftauth -Authentication method to use locally (left) or require from the remote (right) -side. -This parameter is supported in IKEv2 only. Acceptable values are -.B pubkey -for public key authentication (RSA/ECDSA), -.B psk -for pre-shared key authentication and -.B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of -.B eap, -an optional EAP method can be appended. Currently defined methods are -.BR eap-aka , -.BR eap-gtc , -.BR eap-md5 , -.B eap-mschapv2 -and -.BR eap-sim . -Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific -EAP methods are defined in the form -.B eap-type-vendor -.RB "(e.g. " eap-7-12345 ). -.TP -.B leftauth2 -Same as -.BR leftauth , -but defines an additional authentication exchange. IKEv2 supports multiple -authentication rounds using "Multiple Authentication Exchanges" defined -in RFC4739. This allows, for example, separated authentication -of host and user (IKEv2 only). -.TP -.B leftca -the distinguished name of a certificate authority which is required to -lie in the trust path going from the left participant's certificate up -to the root certification authority. -.TP -.B leftca2 -Same as -.B leftca, -but for the second authentication round (IKEv2 only). -.TP -.B leftcert -the path to the left participant's X.509 certificate. The file can be encoded -either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP -are accepted. By default -.B leftcert -sets -.B leftid -to the distinguished name of the certificate's subject and -.B leftca -to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a -.B leftid -value which must be certified by the certificate, though. -.TP -.B leftcert2 -Same as -.B leftcert, -but for the second authentication round (IKEv2 only). -.TP -.B leftfirewall -whether the left participant is doing forwarding-firewalling -(including masquerading) using iptables for traffic from \fIleftsubnet\fR, -which should be turned off (for traffic to the other subnet) -once the connection is established; -acceptable values are -.B yes -and -.B no -(the default). -May not be used in the same connection description with -.BR leftupdown . -Implemented as a parameter to the default \fBipsec _updown\fR script. -See notes below. -Relevant only locally, other end need not agree on it. - -If one or both security gateways are doing forwarding firewalling -(possibly including masquerading), -and this is specified using the firewall parameters, -tunnels established with IPsec are exempted from it -so that packets can flow unchanged through the tunnels. -(This means that all subnets connected in this manner must have -distinct, non-overlapping subnet address blocks.) -This is done by the default \fBipsec _updown\fR script (see -.IR pluto (8)). - -In situations calling for more control, -it may be preferable for the user to supply his own -.I updown -script, -which makes the appropriate adjustments for his system. -.TP -.B leftgroups -a comma separated list of group names. If the -.B leftgroups -parameter is present then the peer must be a member of at least one -of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has -been issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts/\fP. -.br -Attribute certificates are not supported in IKEv2 yet. -.TP -.B lefthostaccess -inserts a pair of INPUT and OUTPUT iptables rules using the default -\fBipsec _updown\fR script, thus allowing access to the host itself -in the case where the host's internal interface is part of the -negotiated client subnet. -Acceptable values are -.B yes -and -.B no -(the default). -.TP -.B leftid -how the left participant should be identified for authentication; -defaults to -.BR left . -Can be an IP address or a fully-qualified domain name preceded by -.B @ -(which is used as a literal string and not resolved). -.TP -.B leftid2 -identity to use for a second authentication for the left participant -(IKEv2 only); defaults to -.BR leftid . -.TP -.B leftikeport -UDP port the left participant uses for IKE communication. Currently supported in -IKEv2 connections only. If unspecified, port 500 is used with the port floating -to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port -different from the default additionally requires a socket implementation that -listens to this port. -.TP -.B leftnexthop -this parameter is usually not needed any more because the NETKEY IPsec stack -does not require explicit routing entries for the traffic to be tunneled. If -.B leftsourceip -is used with IKEv1 then -.B leftnexthop -must still be set in order for the source routes to work properly. -.TP -.B leftprotoport -restrict the traffic selector to a single protocol and/or port. -Examples: -.B leftprotoport=tcp/http -or -.B leftprotoport=6/80 -or -.B leftprotoport=udp -.TP -.B leftrsasigkey -the left participant's -public key for RSA signature authentication, -in RFC 2537 format using -.IR ttodata (3) -encoding. -The magic value -.B %none -means the same as not specifying a value (useful to override a default). -The value -.B %cert -(the default) -means that the key is extracted from a certificate. -The identity used for the left participant -must be a specific host, not -.B %any -or another magic value. -.B Caution: -if two connection descriptions -specify different public keys for the same -.BR leftid , -confusion and madness will ensue. -.TP -.B leftsendcert -Accepted values are -.B never -or -.BR no , -.B always -or -.BR yes , -and -.BR ifasked , -the latter meaning that the peer must send a certificate request payload in -order to get a certificate in return. -.TP -.B leftsourceip -The internal source IP to use in a tunnel, also known as virtual IP. If the -value is one of the synonyms -.BR %modeconfig , -.BR %modecfg , -.BR %config , -or -.BR %cfg , -an address is requested from the peer. In IKEv2, a statically defined address -is also requested, since the server may change it. -.TP -.B rightsourceip -The internal source IP to use in a tunnel for the remote peer. If the -value is -.B %config -on the responder side, the initiator must propose an address which is then -echoed back. Also supported are address pools expressed as -\fInetwork\fB/\fInetmask\fR -or the use of an external IP address pool using %\fIpoolname\fR, -where \fIpoolname\fR is the name of the IP address pool used for the lookup. -.TP -.B leftsubnet -private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR; -if omitted, essentially assumed to be \fIleft\fB/32\fR, -signifying that the left end of the connection goes to the left participant -only. When using IKEv2, the configured subnet of the peers may differ, the -protocol narrows it to the greatest common subnet. Further, IKEv2 supports -multiple subnets separated by commas. IKEv1 only interprets the first subnet -of such a definition. -.TP -.B leftsubnetwithin -the peer can propose any subnet or single IP address that fits within the -range defined by -.BR leftsubnetwithin. -Not relevant for IKEv2, as subnets are narrowed. -.TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR pluto (8) -for details. -Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only, since routing has been implemented -directly into charon. -.TP -.B lifebytes -the number of bytes transmitted over an IPsec SA before it expires (IKEv2 -only). -.TP -.B lifepackets -the number of packets transmitted over an IPsec SA before it expires (IKEv2 -only). -.TP -.B lifetime -how long a particular instance of a connection -(a set of encryption/authentication keys for user packets) should last, -from successful negotiation to expiry; -acceptable values are an integer optionally followed by -.BR s -(a time in seconds) -or a decimal number followed by -.BR m , -.BR h , -or -.B d -(a time -in minutes, hours, or days respectively) -(default -.BR 1h , -maximum -.BR 24h ). -Normally, the connection is renegotiated (via the keying channel) -before it expires (see -.BR margintime ). -The two ends need not exactly agree on -.BR lifetime , -although if they do not, -there will be some clutter of superseded connections on the end -which thinks the lifetime is longer. -.TP -.B marginbytes -how many bytes before IPsec SA expiry (see -.BR lifebytes ) -should attempts to negotiate a replacement begin (IKEv2 only). -.TP -.B marginpackets -how many packets before IPsec SA expiry (see -.BR lifepackets ) -should attempts to negotiate a replacement begin (IKEv2 only). -.TP -.B margintime -how long before connection expiry or keying-channel expiry -should attempts to -negotiate a replacement -begin; acceptable values as for -.B lifetime -(default -.BR 9m ). -Relevant only locally, other end need not agree on it. -.TP -.B mark -sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound -IPsec SAs and policies (IKEv2 only). If the mask is missing then a default -mask of -.B 0xffffffff -is assumed. -.TP -.B mark_in -sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy -(IKEv2 only). If the mask is missing then a default mask of -.B 0xffffffff -is assumed. -.TP -.B mark_out -sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy -(IKEv2 only). If the mask is missing then a default mask of -.B 0xffffffff -is assumed. -.TP -.B mobike -enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are -.B yes -(the default) and -.BR no . -If set to -.BR no , -the IKEv2 charon daemon will not actively propose MOBIKE as initiator and -ignore the MOBIKE_SUPPORTED notify as responder. -.TP -.B modeconfig -defines which mode is used to assign a virtual IP. -Accepted values are -.B push -and -.B pull -(the default). -Currently relevant for IKEv1 only since IKEv2 always uses the configuration -payload in pull mode. Cisco VPN gateways usually operate in -.B push -mode. -.TP -.B pfs -whether Perfect Forward Secrecy of keys is desired on the connection's -keying channel -(with PFS, penetration of the key-exchange protocol -does not compromise keys negotiated earlier); -acceptable values are -.B yes -(the default) -and -.BR no. -IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying -PFS is enforced by defining a Diffie-Hellman modp group in the -.B esp -parameter. -.TP -.B pfsgroup -defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode -differing from the DH group used for IKEv1 Main Mode (IKEv1 only). -.TP -.B reauth -whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, -reauthentication is always done. In IKEv2, a value of -.B no -rekeys without uninstalling the IPsec SAs, a value of -.B yes -(the default) creates a new IKE_SA from scratch and tries to recreate -all IPsec SAs. -.TP -.B rekey -whether a connection should be renegotiated when it is about to expire; -acceptable values are -.B yes -(the default) -and -.BR no . -The two ends need not agree, but while a value of -.B no -prevents pluto/charon from requesting renegotiation, -it does not prevent responding to renegotiation requested from the other end, -so -.B no -will be largely ineffective unless both ends agree on it. -.TP -.B rekeyfuzz -maximum percentage by which -.BR marginbytes , -.B marginpackets -and -.B margintime -should be randomly increased to randomize rekeying intervals -(important for hosts with many connections); -acceptable values are an integer, -which may exceed 100, -followed by a `%' -(defaults to -.BR 100% ). -The value of -.BR marginTYPE , -after this random increase, -must not exceed -.B lifeTYPE -(where TYPE is one of -.IR bytes , -.I packets -or -.IR time ). -The value -.B 0% -will suppress randomization. -Relevant only locally, other end need not agree on it. -.TP -.B rekeymargin -synonym for -.BR margintime . -.TP -.B reqid -sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). -.TP -.B type -the type of the connection; currently the accepted values -are -.B tunnel -(the default) -signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; -.BR transport , -signifying host-to-host transport mode; -.BR transport_proxy , -signifying the special Mobile IPv6 transport proxy mode; -.BR passthrough , -signifying that no IPsec processing should be done at all; -.BR drop , -signifying that packets should be discarded; and -.BR reject , -signifying that packets should be discarded and a diagnostic ICMP returned. -The IKEv2 daemon charon currently supports -.BR tunnel , -.BR transport , -and -.BR tunnel_proxy -connection types, only. -.TP -.B xauth -specifies the role in the XAUTH protocol if activated by -.B authby=xauthpsk -or -.B authby=xauthrsasig. -Accepted values are -.B server -and -.B client -(the default). - -.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" -The following parameters are relevant to IKEv2 Mediation Extension -operation only. -.TP 14 -.B mediation -whether this connection is a mediation connection, ie. whether this -connection is used to mediate other connections. Mediation connections -create no child SA. Acceptable values are -.B no -(the default) and -.BR yes . -.TP -.B mediated_by -the name of the connection to mediate this connection through. If given, -the connection will be mediated through the named mediation connection. -The mediation connection must set -.BR mediation=yes . -.TP -.B me_peerid -ID as which the peer is known to the mediation server, ie. which the other -end of this connection uses as its -.B leftid -on its connection to the mediation server. This is the ID we request the -mediation server to mediate us with. If -.B me_peerid -is not given, the -.B rightid -of this connection will be used as peer ID. - -.SH "CA SECTIONS" -This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). -.TP 10 -.B auto -currently can have either the value -.B ignore -or -.B add -. -.TP -.B cacert -defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. -.TP -.B crluri -defines a CRL distribution point (ldap, http, or file URI) -.TP -.B crluri1 -synonym for -.B crluri. -.TP -.B crluri2 -defines an alternative CRL distribution point (ldap, http, or file URI) -.TP -.B ldaphost -defines an ldap host. Currently used by IKEv1 only. -.TP -.B ocspuri -defines an OCSP URI. -.TP -.B ocspuri1 -synonym for -.B ocspuri. -.TP -.B ocspuri2 -defines an alternative OCSP URI. Currently used by IKEv2 only. -.TP -.B certuribase -defines the base URI for the Hash and URL feature supported by IKEv2. -Instead of exchanging complete certificates, IKEv2 allows to send an URI -that resolves to the DER encoded certificate. The certificate URIs are built -by appending the SHA1 hash of the DER encoded certificates to this base URI. -.SH "CONFIG SECTIONS" -At present, the only -.B config -section known to the IPsec software is the one named -.BR setup , -which contains information used when the software is being started. -Here's an example: -.PP -.ne 8 -.nf -.ft B -.ta 1c -config setup - plutodebug=all - crlcheckinterval=10m - strictcrlpolicy=yes -.ft -.fi -.PP -Parameters are optional unless marked ``(required)''. -The currently-accepted -.I parameter -names in a -.B config -.B setup -section affecting both daemons are: -.TP 14 -.B cachecrls -certificate revocation lists (CRLs) fetched via http or ldap will be cached in -\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification -authority's public key. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B charonstart -whether to start the IKEv2 Charon daemon or not. -Accepted values are -.B yes -or -.BR no . -The default is -.B yes -if starter was compiled with IKEv2 support. -.TP -.B dumpdir -in what directory should things started by \fBipsec starter\fR -(notably the Pluto and Charon daemons) be allowed to dump core? -The empty value (the default) means they are not -allowed to. -This feature is currently not yet supported by \fBipsec starter\fR. -.TP -.B plutostart -whether to start the IKEv1 Pluto daemon or not. -Accepted values are -.B yes -or -.BR no . -The default is -.B yes -if starter was compiled with IKEv1 support. -.TP -.B strictcrlpolicy -defines if a fresh CRL must be available in order for the peer authentication based -on RSA signatures to succeed. -Accepted values are -.B yes -and -.B no -(the default). -IKEv2 additionally recognizes -.B ifuri -which reverts to -.B yes -if at least one CRL URI is defined and to -.B no -if no URI is known. -.TP -.B uniqueids -whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default) -and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. -The IKEv2 daemon also accepts the value -.B replace -wich is identical to -.B yes -and the value -.B keep -to reject new IKE_SA setups and keep the duplicate established earlier. -.PP -The following -.B config section -parameters are used by the IKEv1 Pluto daemon only: -.TP -.B crlcheckinterval -interval in seconds. CRL fetching is enabled if the value is greater than zero. -Asynchronous, periodic checking for fresh CRLs is currently done by the -IKEv1 Pluto daemon only. -.TP -.B keep_alive -interval in seconds between NAT keep alive packets, the default being 20 seconds. -.TP -.B nat_traversal -activates NAT traversal by accepting source ISAKMP ports different from udp/500 and -being able of floating to udp/4500 if a NAT situation is detected. -Accepted values are -.B yes -and -.B no -(the default). -Used by IKEv1 only, NAT traversal always being active in IKEv2. -.TP -.B nocrsend -no certificate request payloads will be sent. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B pkcs11initargs -non-standard argument string for PKCS#11 C_Initialize() function; -required by NSS softoken. -.TP -.B pkcs11module -defines the path to a dynamically loadable PKCS #11 library. -.TP -.B pkcs11keepstate -PKCS #11 login sessions will be kept during the whole lifetime of the keying -daemon. Useful with pin-pad smart card readers. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B pkcs11proxy -Pluto will act as a PKCS #11 proxy accessible via the whack interface. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B plutodebug -how much Pluto debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names without the -.B \-\-debug\- -prefix, -separated by white space) are enabled; -for details on available debugging types, see -.IR pluto (8). -.TP -.B plutostderrlog -Pluto will not use syslog, but rather log to stderr, and redirect stderr -to the argument file. -.TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B virtual_private -defines private networks using a wildcard notation. -.PP -The following -.B config section -parameters are used by the IKEv2 Charon daemon only: -.TP -.B charondebug -how much Charon debugging output should be logged. -A comma separated list containing type level/pairs may -be specified, e.g: -.B dmn 3, ike 1, net -1. -Acceptable values for types are -.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib -and the level is one of -.B -1, 0, 1, 2, 3, 4 -(for silent, audit, control, controlmore, raw, private). -.PP -The following -.B config section -parameters only make sense if the KLIPS IPsec stack -is used instead of the default NETKEY stack of the Linux 2.6 kernel: -.TP -.B fragicmp -whether a tunnel's need to fragment a packet should be reported -back with an ICMP message, -in an attempt to make the sender lower his PMTU estimate; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B hidetos -whether a tunnel packet's TOS field should be set to -.B 0 -rather than copied from the user packet inside; -acceptable values are -.B yes -(the default) -and -.BR no -.TP -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -.TP -.B overridemtu -value that the MTU of the ipsec\fIn\fR interface(s) should be set to, -overriding IPsec's (large) default. -.SH FILES -.nf -/etc/ipsec.conf -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls - -.SH SEE ALSO -ipsec(8), pluto(8), starter(8) -.SH HISTORY -Originally written for the FreeS/WAN project by Henry Spencer. -Updated and extended for the strongSwan project <http://www.strongswan.org> by -Tobias Brunner, Andreas Steffen and Martin Willi. -.SH BUGS -.PP -If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP -will fail. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 1d7cae00b..0c24c7dcf 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -1,6 +1,6 @@ /* C code produced by gperf version 3.0.3 */ /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t */ -/* Computed positions: -k'1-2,6,$' */ +/* Computed positions: -k'2-3,6,$' */ #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \ @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 126 +#define TOTAL_KEYWORDS 127 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 20 -#define MAX_HASH_VALUE 220 -/* maximum key range = 201, duplicates = 0 */ +#define MIN_HASH_VALUE 12 +#define MAX_HASH_VALUE 238 +/* maximum key range = 227, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 35, - 77, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 8, 221, 31, 221, 20, - 28, 5, 75, 26, 88, 5, 221, 97, 5, 50, - 39, 67, 29, 221, 7, 13, 6, 89, 15, 221, - 5, 24, 7, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221 + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 2, + 104, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 15, 239, 20, 14, 58, + 51, 1, 7, 1, 81, 1, 239, 132, 47, 4, + 1, 49, 10, 9, 23, 1, 20, 48, 4, 239, + 239, 35, 1, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239 }; register int hval = len; @@ -112,11 +112,10 @@ hash (str, len) case 5: case 4: case 3: + hval += asso_values[(unsigned char)str[2]]; + /*FALLTHROUGH*/ case 2: hval += asso_values[(unsigned char)str[1]]; - /*FALLTHROUGH*/ - case 1: - hval += asso_values[(unsigned char)str[0]]; break; } return hval + asso_values[(unsigned char)str[len - 1]]; @@ -124,159 +123,161 @@ hash (str, len) static const struct kw_entry wordlist[] = { - {"left", KW_LEFT}, - {"right", KW_RIGHT}, + {"pfs", KW_PFS}, + {"uniqueids", KW_UNIQUEIDS}, + {"rightgroups", KW_RIGHTGROUPS}, {"lifetime", KW_KEYLIFE}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"rightnatip", KW_RIGHTNATIP}, + {"esp", KW_ESP}, + {"rightnexthop", KW_RIGHTNEXTHOP}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"right", KW_RIGHT}, + {"leftupdown", KW_LEFTUPDOWN}, + {"leftnexthop", KW_LEFTNEXTHOP}, + {"left", KW_LEFT}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightsubnet", KW_RIGHTSUBNET}, + {"rightikeport", KW_RIGHTIKEPORT}, + {"rightsendcert", KW_RIGHTSENDCERT}, {"leftcert", KW_LEFTCERT,}, - {"leftfirewall", KW_LEFTFIREWALL}, + {"interfaces", KW_INTERFACES}, + {"lifepackets", KW_LIFEPACKETS}, {"leftsendcert", KW_LEFTSENDCERT}, - {"rightikeport", KW_RIGHTIKEPORT}, - {"leftprotoport", KW_LEFTPROTOPORT}, - {"type", KW_TYPE}, {"leftgroups", KW_LEFTGROUPS}, - {"rekey", KW_REKEY}, - {"rightsubnet", KW_RIGHTSUBNET}, - {"crluri", KW_CRLURI}, - {"rightsendcert", KW_RIGHTSENDCERT}, - {"reqid", KW_REQID}, - {"rightcert", KW_RIGHTCERT}, - {"certuribase", KW_CERTURIBASE}, - {"esp", KW_ESP}, - {"leftallowany", KW_LEFTALLOWANY}, - {"rightid", KW_RIGHTID}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"leftnexthop", KW_LEFTNEXTHOP}, + {"eap", KW_EAP}, + {"rightprotoport", KW_RIGHTPROTOPORT}, + {"leftnatip", KW_LEFTNATIP}, + {"keyingtries", KW_KEYINGTRIES}, + {"type", KW_TYPE}, + {"keylife", KW_KEYLIFE}, + {"mark_in", KW_MARK_IN}, {"lifebytes", KW_LIFEBYTES}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"leftca", KW_LEFTCA}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, - {"rightprotoport", KW_RIGHTPROTOPORT}, - {"rightgroups", KW_RIGHTGROUPS}, - {"plutostart", KW_PLUTOSTART}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {"lifepackets", KW_LIFEPACKETS}, - {"rightsourceip", KW_RIGHTSOURCEIP}, - {"eap", KW_EAP}, - {"cacert", KW_CACERT}, - {"rightca", KW_RIGHTCA}, + {"marginpackets", KW_MARGINPACKETS}, + {"certuribase", KW_CERTURIBASE}, {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"leftid", KW_LEFTID}, - {"crluri1", KW_CRLURI}, - {"ldapbase", KW_LDAPBASE}, - {"leftca", KW_LEFTCA}, - {"leftnatip", KW_LEFTNATIP}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"xauth_identity", KW_XAUTH_IDENTITY}, + {"rightid", KW_RIGHTID}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"compress", KW_COMPRESS}, + {"leftprotoport", KW_LEFTPROTOPORT}, + {"overridemtu", KW_OVERRIDEMTU}, + {"reqid", KW_REQID}, {"inactivity", KW_INACTIVITY}, - {"packetdefault", KW_PACKETDEFAULT}, - {"installpolicy", KW_INSTALLPOLICY}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"leftupdown", KW_LEFTUPDOWN}, - {"rightnatip", KW_RIGHTNATIP}, - {"rightnexthop", KW_RIGHTNEXTHOP}, - {"cachecrls", KW_CACHECRLS}, - {"dpddelay", KW_DPDDELAY}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"mediated_by", KW_MEDIATED_BY}, - {"me_peerid", KW_ME_PEERID}, - {"plutodebug", KW_PLUTODEBUG}, - {"eap_identity", KW_EAP_IDENTITY}, - {"leftcert2", KW_LEFTCERT2,}, - {"rightid2", KW_RIGHTID2}, - {"rekeyfuzz", KW_REKEYFUZZ}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"ocspuri", KW_OCSPURI}, - {"also", KW_ALSO}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"mobike", KW_MOBIKE}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"pfsgroup", KW_PFSGROUP}, + {"me_peerid", KW_ME_PEERID}, + {"crluri", KW_CRLURI}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"crluri1", KW_CRLURI}, {"mediation", KW_MEDIATION}, - {"ike", KW_IKE}, - {"dpdaction", KW_DPDACTION}, - {"rekeymargin", KW_REKEYMARGIN}, - {"compress", KW_COMPRESS}, - {"ldaphost", KW_LDAPHOST}, + {"dumpdir", KW_DUMPDIR}, + {"forceencaps", KW_FORCEENCAPS}, {"leftsubnet", KW_LEFTSUBNET}, - {"crluri2", KW_CRLURI2}, - {"rightca2", KW_RIGHTCA2}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightcert2", KW_RIGHTCERT2}, - {"pfs", KW_PFS}, - {"leftid2", KW_LEFTID2}, + {"rightca", KW_RIGHTCA}, + {"rightcert", KW_RIGHTCERT}, + {"ocspuri", KW_OCSPURI}, + {"dpdaction", KW_DPDACTION}, + {"ocspuri1", KW_OCSPURI}, {"dpdtimeout", KW_DPDTIMEOUT}, - {"leftikeport", KW_LEFTIKEPORT}, - {"leftca2", KW_LEFTCA2}, + {"installpolicy", KW_INSTALLPOLICY}, {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"xauth", KW_XAUTH}, - {"rightauth2", KW_RIGHTAUTH2}, - {"mark_in", KW_MARK_IN}, - {"mobike", KW_MOBIKE}, - {"margintime", KW_REKEYMARGIN}, - {"dumpdir", KW_DUMPDIR}, - {"ocspuri1", KW_OCSPURI}, + {"ldapbase", KW_LDAPBASE}, + {"also", KW_ALSO}, + {"leftallowany", KW_LEFTALLOWANY}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, {"keyexchange", KW_KEYEXCHANGE}, - {"fragicmp", KW_FRAGICMP}, + {"hidetos", KW_HIDETOS}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, {"rightauth", KW_RIGHTAUTH}, - {"interfaces", KW_INTERFACES}, - {"marginbytes", KW_MARGINBYTES}, - {"marginpackets", KW_MARGINPACKETS}, - {"nocrsend", KW_NOCRSEND}, - {"keep_alive", KW_KEEP_ALIVE}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"keyingtries", KW_KEYINGTRIES}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"uniqueids", KW_UNIQUEIDS}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"charondebug", KW_CHARONDEBUG}, + {"rightid2", KW_RIGHTID2}, + {"leftid", KW_LEFTID}, + {"mediated_by", KW_MEDIATED_BY}, + {"fragicmp", KW_FRAGICMP}, {"mark_out", KW_MARK_OUT}, + {"auto", KW_AUTO}, + {"leftcert2", KW_LEFTCERT2,}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"cacert", KW_CACERT}, + {"plutostart", KW_PLUTOSTART}, + {"eap_identity", KW_EAP_IDENTITY}, + {"prepluto", KW_PREPLUTO}, + {"packetdefault", KW_PACKETDEFAULT}, + {"xauth_identity", KW_XAUTH_IDENTITY}, {"charonstart", KW_CHARONSTART}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"forceencaps", KW_FORCEENCAPS}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"rightauth2", KW_RIGHTAUTH2}, + {"ike", KW_IKE}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"leftca2", KW_LEFTCA2}, {"authby", KW_AUTHBY}, + {"leftauth", KW_LEFTAUTH}, + {"cachecrls", KW_CACHECRLS}, + {"ldaphost", KW_LDAPHOST}, + {"rekeymargin", KW_REKEYMARGIN}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"dpddelay", KW_DPDDELAY}, + {"ikelifetime", KW_IKELIFETIME}, + {"auth", KW_AUTH}, + {"xauth", KW_XAUTH}, {"postpluto", KW_POSTPLUTO}, - {"pkcs11module", KW_PKCS11MODULE}, - {"ocspuri2", KW_OCSPURI2}, - {"hidetos", KW_HIDETOS}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"mark", KW_MARK}, - {"charondebug", KW_CHARONDEBUG}, + {"plutodebug", KW_PLUTODEBUG}, + {"modeconfig", KW_MODECONFIG}, + {"nocrsend", KW_NOCRSEND}, {"leftauth2", KW_LEFTAUTH2}, - {"overridemtu", KW_OVERRIDEMTU}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"keylife", KW_KEYLIFE}, - {"auto", KW_AUTO}, - {"ikelifetime", KW_IKELIFETIME}, + {"leftid2", KW_LEFTID2}, + {"leftikeport", KW_LEFTIKEPORT}, + {"rightca2", KW_RIGHTCA2}, + {"rekey", KW_REKEY}, + {"rightcert2", KW_RIGHTCERT2}, + {"mark", KW_MARK}, + {"crluri2", KW_CRLURI2}, {"reauth", KW_REAUTH}, - {"leftauth", KW_LEFTAUTH}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"prepluto", KW_PREPLUTO}, - {"pfsgroup", KW_PFSGROUP}, - {"auth", KW_AUTH}, - {"modeconfig", KW_MODECONFIG} + {"ocspuri2", KW_OCSPURI2}, + {"pkcs11module", KW_PKCS11MODULE}, + {"pkcs11initargs", KW_PKCS11INITARGS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"pkcs11proxy", KW_PKCS11PROXY} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, 0, 1, -1, 2, -1, -1, 3, -1, + -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, + 11, -1, 12, 13, 14, 15, 16, 17, -1, 18, + 19, 20, 21, 22, -1, -1, 23, 24, -1, 25, + 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, + 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, + 46, 47, 48, 49, 50, 51, -1, 52, 53, 54, + 55, -1, 56, 57, -1, 58, 59, 60, -1, 61, + 62, 63, 64, -1, -1, 65, -1, 66, -1, 67, + 68, 69, 70, 71, -1, -1, 72, -1, -1, 73, + 74, 75, 76, 77, 78, 79, 80, -1, 81, 82, + 83, 84, 85, 86, 87, -1, 88, -1, 89, 90, + -1, 91, 92, 93, 94, -1, 95, 96, 97, 98, + -1, -1, -1, -1, 99, 100, 101, -1, 102, 103, + 104, 105, 106, 107, 108, 109, -1, 110, -1, -1, + 111, -1, -1, -1, -1, -1, -1, 112, -1, 113, + 114, 115, 116, 117, 118, -1, -1, -1, -1, 119, + -1, -1, 120, -1, -1, -1, -1, -1, -1, 121, + -1, -1, -1, -1, 122, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, 123, -1, 124, 125, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 0, -1, -1, 1, -1, -1, -1, -1, 2, 3, - -1, -1, 4, 5, -1, 6, 7, -1, -1, 8, - 9, 10, 11, 12, 13, 14, -1, 15, 16, -1, - 17, 18, 19, 20, -1, 21, 22, 23, -1, -1, - 24, 25, 26, 27, 28, 29, -1, 30, 31, 32, - 33, 34, 35, -1, 36, -1, -1, 37, 38, 39, - 40, 41, 42, 43, -1, 44, 45, 46, 47, -1, - 48, -1, 49, 50, 51, 52, 53, 54, 55, -1, - 56, 57, 58, 59, 60, 61, 62, 63, -1, 64, - 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, - 75, -1, 76, 77, 78, 79, -1, -1, 80, 81, - 82, -1, 83, 84, -1, 85, 86, 87, 88, 89, - 90, -1, 91, -1, 92, -1, 93, 94, 95, -1, - -1, 96, 97, -1, 98, 99, -1, -1, -1, -1, - -1, -1, 100, -1, 101, -1, 102, -1, -1, -1, - 103, 104, -1, -1, 105, -1, -1, 106, 107, 108, - 109, 110, 111, -1, 112, 113, -1, 114, 115, 116, - -1, 117, -1, 118, 119, 120, 121, -1, -1, -1, - 122, -1, -1, -1, -1, -1, -1, -1, 123, -1, - -1, -1, 124, -1, -1, -1, -1, -1, -1, -1, - 125 + -1, -1, -1, -1, -1, -1, -1, -1, 126 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 25d2ce4b9..1dae65a99 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -71,6 +71,7 @@ typedef enum { KW_AUTHBY, KW_EAP, KW_EAP_IDENTITY, + KW_AAA_IDENTITY, KW_MOBIKE, KW_FORCEENCAPS, KW_IKELIFETIME, @@ -122,8 +123,8 @@ typedef enum { /* end keywords */ KW_HOST, - KW_NEXTHOP, KW_IKEPORT, + KW_NEXTHOP, KW_SUBNET, KW_SUBNETWITHIN, KW_PROTOPORT, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index fcdc60cff..06705635a 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -49,6 +49,7 @@ force_keepalive, KW_FORCE_KEEPALIVE virtual_private, KW_VIRTUAL_PRIVATE eap, KW_EAP eap_identity, KW_EAP_IDENTITY +aaa_identity, KW_AAA_IDENTITY mobike, KW_MOBIKE forceencaps, KW_FORCEENCAPS pkcs11module, KW_PKCS11MODULE diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 9c69ab9e5..9ba569d47 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -40,15 +40,6 @@ #define IPV6_LEN 16 /** - * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h - */ -enum ipsec_mode_t { - MODE_TRANSPORT = 1, - MODE_TUNNEL, - MODE_BEET -}; - -/** * Authentication methods, must be the same as in charons authenticator.h */ enum auth_method_t { @@ -204,7 +195,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) memset(&msg, 0, sizeof(msg)); msg.type = STR_ADD_CONN; msg.length = offsetof(stroke_msg_t, buffer); - msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2; + msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1; msg.add_conn.name = push_string(&msg, connection_name(conn)); /* PUBKEY is preferred to PSK and EAP */ @@ -223,6 +214,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.eap_type = conn->eap_type; msg.add_conn.eap_vendor = conn->eap_vendor; msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity); + msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity); if (conn->policy & POLICY_TUNNEL) { diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 58034d96b..b7d916eae 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -277,7 +277,7 @@ int starter_whack_add_conn(starter_conn_t *conn) msg.whack_connection = TRUE; msg.name = connection_name(conn, name, sizeof(name)); - msg.ikev1 = conn->keyexchange != KEY_EXCHANGE_IKEV2; + msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1; msg.addr_family = conn->addr_family; msg.tunnel_addr_family = conn->tunnel_addr_family; msg.sa_ike_life_seconds = conn->sa_ike_life_seconds; diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index c7f264730..c490be114 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -173,14 +176,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -220,7 +233,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 4fa0f76a8..103617f08 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -56,9 +56,8 @@ static char* push_string(stroke_msg_t *msg, char *string) static int send_stroke_msg (stroke_msg_t *msg) { struct sockaddr_un ctl_addr; - int sock; - char buffer[512]; - int byte_count; + int sock, byte_count; + char buffer[512], *pass; ctl_addr.sun_family = AF_UNIX; strcpy(ctl_addr.sun_path, STROKE_SOCKET); @@ -90,17 +89,30 @@ static int send_stroke_msg (stroke_msg_t *msg) while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0) { buffer[byte_count] = '\0'; - printf("%s", buffer); - /* we prompt if we receive the "Passphrase:" magic keyword */ - if (byte_count >= 12 && - strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) + /* we prompt if we receive the "Passphrase:"/"PIN:" magic keyword */ + if ((byte_count >= 12 && + strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) || + (byte_count >= 5 && + strcmp(buffer + byte_count - 5, "PIN:\n") == 0)) { - if (fgets(buffer, sizeof(buffer), stdin)) + /* remove trailing newline */ + pass = strrchr(buffer, '\n'); + if (pass) { - ignore_result(write(sock, buffer, strlen(buffer))); + *pass = ' '; + } + pass = getpass(buffer); + if (pass) + { + ignore_result(write(sock, pass, strlen(pass))); + ignore_result(write(sock, "\n", 1)); } } + else + { + printf("%s", buffer); + } } if (byte_count < 0) { @@ -276,9 +288,23 @@ static int purge(stroke_keyword_t kw) return send_stroke_msg(&msg); } -static int leases(stroke_keyword_t kw, char *pool, char *address) +static int export_flags[] = { + EXPORT_X509, +}; + +static int export(stroke_keyword_t kw, char *selector) { + stroke_msg_t msg; + msg.type = STR_EXPORT; + msg.length = offsetof(stroke_msg_t, buffer); + msg.export.selector = push_string(&msg, selector); + msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST]; + return send_stroke_msg(&msg); +} + +static int leases(stroke_keyword_t kw, char *pool, char *address) +{ stroke_msg_t msg; msg.type = STR_LEASES; @@ -349,6 +375,8 @@ static void exit_usage(char *error) printf(" stroke purgeocsp\n"); printf(" Purge IKE_SAs without a CHILD_SA:\n"); printf(" stroke purgeike\n"); + printf(" Export credentials to the console:\n"); + printf(" stroke exportx509 DN\n"); printf(" Show leases of a pool:\n"); printf(" stroke leases [POOL [ADDRESS]]\n"); exit_error(error); @@ -466,6 +494,13 @@ int main(int argc, char *argv[]) case STROKE_PURGE_IKE: res = purge(token->kw); break; + case STROKE_EXPORT_X509: + if (argc != 3) + { + exit_usage("\"exportx509\" needs a distinguished name"); + } + res = export(token->kw, argv[2]); + break; case STROKE_LEASES: res = leases(token->kw, argc > 2 ? argv[2] : NULL, argc > 3 ? argv[3] : NULL); diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c index bb9705743..c2d79176e 100644 --- a/src/stroke/stroke_keywords.c +++ b/src/stroke/stroke_keywords.c @@ -54,7 +54,7 @@ struct stroke_token { stroke_keyword_t kw; }; -#define TOTAL_KEYWORDS 33 +#define TOTAL_KEYWORDS 34 #define MIN_WORD_LENGTH 2 #define MAX_WORD_LENGTH 15 #define MIN_HASH_VALUE 3 @@ -79,15 +79,15 @@ hash (str, len) 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 17, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 18, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 0, 4, 1, - 1, 0, 40, 17, 40, 18, 40, 4, 0, 40, - 40, 12, 17, 40, 6, 3, 19, 12, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 1, 0, 40, 17, 40, 20, 40, 3, 0, 40, + 40, 12, 19, 40, 6, 3, 20, 12, 40, 40, + 10, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, @@ -148,14 +148,15 @@ static const struct stroke_token wordlist[] = {"listocsp", STROKE_LIST_OCSP}, {"statusall", STROKE_STATUSALL}, {"listalgs", STROKE_LIST_ALGS}, + {"exportx509", STROKE_EXPORT_X509}, {"delete", STROKE_DELETE}, - {"purgeocsp", STROKE_PURGE_OCSP}, {"listocspcerts", STROKE_LIST_OCSPCERTS}, + {"purgeocsp", STROKE_PURGE_OCSP}, {"purgeike", STROKE_PURGE_IKE}, - {"listcainfos", STROKE_LIST_CAINFOS}, {"unroute", STROKE_UNROUTE}, - {"listpubkeys", STROKE_LIST_PUBKEYS}, + {"listcainfos", STROKE_LIST_CAINFOS}, {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, + {"listpubkeys", STROKE_LIST_PUBKEYS}, {"down-srcip", STROKE_DOWN_SRCIP}, {"listgroups", STROKE_LIST_GROUPS} }; @@ -164,7 +165,7 @@ static const short lookup[] = { -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, - 25, 26, 27, 28, 29, 30, 31, -1, -1, -1, -1, 32 + 25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33 }; #ifdef __GNUC__ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 6332000db..4a3826536 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -49,12 +49,14 @@ typedef enum { STROKE_REREAD_ALL, STROKE_PURGE_OCSP, STROKE_PURGE_IKE, - STROKE_LEASES + STROKE_EXPORT_X509, + STROKE_LEASES, } stroke_keyword_t; #define STROKE_LIST_FIRST STROKE_LIST_PUBKEYS #define STROKE_REREAD_FIRST STROKE_REREAD_SECRETS #define STROKE_PURGE_FIRST STROKE_PURGE_OCSP +#define STROKE_EXPORT_FIRST STROKE_EXPORT_X509 typedef struct stroke_token stroke_token_t; diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt index 96fa0bf3a..0b8092985 100644 --- a/src/stroke/stroke_keywords.txt +++ b/src/stroke/stroke_keywords.txt @@ -56,4 +56,5 @@ rereadcrls, STROKE_REREAD_CRLS rereadall, STROKE_REREAD_ALL purgeocsp, STROKE_PURGE_OCSP purgeike, STROKE_PURGE_IKE +exportx509, STROKE_EXPORT_X509 leases, STROKE_LEASES diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index a36cc9038..9466cf0b0 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -109,6 +109,16 @@ enum purge_flag_t { PURGE_IKE = 0x0002, }; +typedef enum export_flag_t export_flag_t; + +/** + * Definition of the export flags + */ +enum export_flag_t { + /** export an X509 certificate */ + EXPORT_X509 = 0x0001, +}; + /** * CRL certificate validation policy */ @@ -193,6 +203,8 @@ struct stroke_msg_t { STR_PURGE, /* show pool leases */ STR_LEASES, + /* export credentials */ + STR_EXPORT, /* more to come */ } type; @@ -220,6 +232,7 @@ struct stroke_msg_t { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *aaa_identity; int mode; int mobike; int force_encap; @@ -301,6 +314,12 @@ struct stroke_msg_t { purge_flag_t flags; } purge; + /* data for STR_EXPORT */ + struct { + export_flag_t flags; + char *selector; + } export; + /* data for STR_LEASES */ struct { char *pool; diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am index 27f856231..316a83312 100644 --- a/src/whack/Makefile.am +++ b/src/whack/Makefile.am @@ -5,6 +5,7 @@ whack_SOURCES = whack.c whack.h INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto whack_LDADD = \ diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index d163f2b58..270e8fe50 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -141,6 +142,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -172,14 +175,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -194,24 +200,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -219,7 +232,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -235,6 +251,7 @@ whack_SOURCES = whack.c whack.h INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto whack_LDADD = \ diff --git a/src/whack/whack.c b/src/whack/whack.c index 643e4be04..c5fe3b458 100644 --- a/src/whack/whack.c +++ b/src/whack/whack.c @@ -471,7 +471,7 @@ enum { DBGOPT_EMITTING, /* same order as DBG_* */ DBGOPT_CONTROL, /* same order as DBG_* */ DBGOPT_LIFECYCLE, /* same order as DBG_* */ - DBGOPT_KLIPS, /* same order as DBG_* */ + DBGOPT_KERNEL, /* same order as DBG_* */ DBGOPT_DNS, /* same order as DBG_* */ DBGOPT_NATT, /* same order as DBG_* */ DBGOPT_OPPO, /* same order as DBG_* */ @@ -659,7 +659,8 @@ static const struct option long_opts[] = { { "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO }, { "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO }, { "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO }, - { "debug-klips", no_argument, NULL, DBGOPT_KLIPS + OO }, + { "debug-klips", no_argument, NULL, DBGOPT_KERNEL + OO }, + { "debug-kernel", no_argument, NULL, DBGOPT_KERNEL + OO }, { "debug-dns", no_argument, NULL, DBGOPT_DNS + OO }, { "debug-natt", no_argument, NULL, DBGOPT_NATT + OO }, { "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO }, @@ -1595,7 +1596,7 @@ int main(int argc, char **argv) case DBGOPT_EMITTING: /* --debug-emitting */ case DBGOPT_CONTROL: /* --debug-control */ case DBGOPT_LIFECYCLE: /* --debug-lifecycle */ - case DBGOPT_KLIPS: /* --debug-klips */ + case DBGOPT_KERNEL: /* --debug-kernel, --debug-klips */ case DBGOPT_DNS: /* --debug-dns */ case DBGOPT_NATT: /* --debug-natt */ case DBGOPT_OPPO: /* --debug-oppo */ |