diff options
Diffstat (limited to 'src')
287 files changed, 5317 insertions, 3202 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 09eb13fe3..ebdaa6a63 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -44,8 +44,12 @@ if USE_MEDSRV SUBDIRS += medsrv endif +if USE_INTEGRITY_TEST + SUBDIRS += checksum +endif + EXTRA_DIST = strongswan.conf install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true diff --git a/src/Makefile.in b/src/Makefile.in index 26046e6a1..18da06f7b 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -42,6 +42,7 @@ host_triplet = @host@ @USE_FAST_TRUE@am__append_9 = libfast @USE_MANAGER_TRUE@am__append_10 = manager @USE_MEDSRV_TRUE@am__append_11 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_12 = checksum subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -65,15 +66,17 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \ _copyright pluto whack charon stroke _updown _updown_espmark \ - openac scepclient dumm libfast manager medsrv + openac scepclient dumm libfast manager medsrv checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -138,6 +141,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -178,7 +182,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -215,7 +221,7 @@ xml_LIBS = @xml_LIBS@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ - $(am__append_10) $(am__append_11) + $(am__append_10) $(am__append_11) $(am__append_12) EXTRA_DIST = strongswan.conf all: all-recursive @@ -532,7 +538,7 @@ uninstall-am: install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 9f178fdfa..fabc84a29 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -71,12 +71,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -181,7 +184,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 3db887ef0..60755da69 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index 2852b7e67..55d3c6b4d 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 3b5b9c068..dd51555c0 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -2,6 +2,7 @@ ipsec_PROGRAMS = charon charon_SOURCES = \ bus/bus.c bus/bus.h \ +bus/listeners/listener.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ config/backend_manager.c config/backend_manager.h config/backend.h \ @@ -107,7 +108,7 @@ AM_CFLAGS = -rdynamic \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) +charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) $(SOCKLIB) # compile options ################# @@ -128,10 +129,6 @@ if USE_ME sa/tasks/ike_me.c sa/tasks/ike_me.h endif -if USE_INTEGRITY_TEST - AM_CFLAGS += -DINTEGRITY_TEST -endif - if USE_CAPABILITIES charon_LDADD += -lcap endif diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 77884d50e..59c0228f8 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -47,56 +47,55 @@ ipsec_PROGRAMS = charon$(EXEEXT) @USE_ME_TRUE@ sa/mediation_manager.c sa/mediation_manager.h \ @USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h -@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST -@USE_CAPABILITIES_TRUE@am__append_5 = -lcap -@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester -@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester -@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey -@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey -@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute -@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute -@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips -@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips -@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink -@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink -@USE_STROKE_TRUE@am__append_16 = plugins/stroke -@USE_STROKE_TRUE@am__append_17 = stroke -@USE_SMP_TRUE@am__append_18 = plugins/smp -@USE_SMP_TRUE@am__append_19 = smp -@USE_SQL_TRUE@am__append_20 = plugins/sql -@USE_SQL_TRUE@am__append_21 = sql -@USE_UPDOWN_TRUE@am__append_22 = plugins/updown -@USE_UPDOWN_TRUE@am__append_23 = updown -@USE_ATTR_TRUE@am__append_24 = plugins/attr -@USE_ATTR_TRUE@am__append_25 = attr -@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity -@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity -@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim -@USE_EAP_SIM_TRUE@am__append_29 = eapsim -@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file -@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file -@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5 -@USE_EAP_MD5_TRUE@am__append_33 = eapmd5 -@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc -@USE_EAP_GTC_TRUE@am__append_35 = eapgtc -@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka -@USE_EAP_AKA_TRUE@am__append_37 = eapaka -@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2 -@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2 -@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius -@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius -@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv -@USE_MEDSRV_TRUE@am__append_43 = medsrv -@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli -@USE_MEDCLI_TRUE@am__append_45 = medcli -@USE_NM_TRUE@am__append_46 = plugins/nm -@USE_NM_TRUE@am__append_47 = nm -@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf -@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf -@USE_UCI_TRUE@am__append_50 = plugins/uci -@USE_UCI_TRUE@am__append_51 = uci -@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester -@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester +@USE_CAPABILITIES_TRUE@am__append_4 = -lcap +@USE_LOAD_TESTS_TRUE@am__append_5 = plugins/load_tester +@USE_LOAD_TESTS_TRUE@am__append_6 = load-tester +@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey +@USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey +@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute +@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute +@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips +@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips +@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink +@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink +@USE_STROKE_TRUE@am__append_15 = plugins/stroke +@USE_STROKE_TRUE@am__append_16 = stroke +@USE_SMP_TRUE@am__append_17 = plugins/smp +@USE_SMP_TRUE@am__append_18 = smp +@USE_SQL_TRUE@am__append_19 = plugins/sql +@USE_SQL_TRUE@am__append_20 = sql +@USE_UPDOWN_TRUE@am__append_21 = plugins/updown +@USE_UPDOWN_TRUE@am__append_22 = updown +@USE_ATTR_TRUE@am__append_23 = plugins/attr +@USE_ATTR_TRUE@am__append_24 = attr +@USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity +@USE_EAP_IDENTITY_TRUE@am__append_26 = eapidentity +@USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim +@USE_EAP_SIM_TRUE@am__append_28 = eapsim +@USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file +@USE_EAP_SIM_FILE_TRUE@am__append_30 = eapsim-file +@USE_EAP_MD5_TRUE@am__append_31 = plugins/eap_md5 +@USE_EAP_MD5_TRUE@am__append_32 = eapmd5 +@USE_EAP_GTC_TRUE@am__append_33 = plugins/eap_gtc +@USE_EAP_GTC_TRUE@am__append_34 = eapgtc +@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka +@USE_EAP_AKA_TRUE@am__append_36 = eapaka +@USE_EAP_MSCHAPV2_TRUE@am__append_37 = plugins/eap_mschapv2 +@USE_EAP_MSCHAPV2_TRUE@am__append_38 = eapmschapv2 +@USE_EAP_RADIUS_TRUE@am__append_39 = plugins/eap_radius +@USE_EAP_RADIUS_TRUE@am__append_40 = eapradius +@USE_MEDSRV_TRUE@am__append_41 = plugins/medsrv +@USE_MEDSRV_TRUE@am__append_42 = medsrv +@USE_MEDCLI_TRUE@am__append_43 = plugins/medcli +@USE_MEDCLI_TRUE@am__append_44 = medcli +@USE_NM_TRUE@am__append_45 = plugins/nm +@USE_NM_TRUE@am__append_46 = nm +@USE_RESOLV_CONF_TRUE@am__append_47 = plugins/resolv_conf +@USE_RESOLV_CONF_TRUE@am__append_48 = resolv-conf +@USE_UCI_TRUE@am__append_49 = plugins/uci +@USE_UCI_TRUE@am__append_50 = uci +@USE_UNIT_TESTS_TRUE@am__append_51 = plugins/unit_tester +@USE_UNIT_TESTS_TRUE@am__append_52 = unit-tester subdir = src/charon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -108,7 +107,7 @@ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \ +am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ config/backend_manager.c config/backend_manager.h \ @@ -289,7 +288,8 @@ charon_OBJECTS = $(am_charon_OBJECTS) am__DEPENDENCIES_1 = charon_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -325,12 +325,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \ plugins/resolv_conf plugins/uci plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -395,6 +397,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -435,7 +438,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -469,14 +474,15 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \ - bus/listeners/file_logger.h bus/listeners/sys_logger.c \ - bus/listeners/sys_logger.h config/backend_manager.c \ - config/backend_manager.h config/backend.h config/child_cfg.c \ - config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h config/auth_cfg.c config/auth_cfg.h \ - config/traffic_selector.c config/traffic_selector.h \ +charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ + bus/listeners/file_logger.c bus/listeners/file_logger.h \ + bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ + config/backend_manager.c config/backend_manager.h \ + config/backend.h config/child_cfg.c config/child_cfg.h \ + config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \ + config/peer_cfg.h config/proposal.c config/proposal.h \ + config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \ + config/traffic_selector.h \ config/attributes/attribute_provider.h \ config/attributes/attribute_handler.h \ config/attributes/attribute_manager.c \ @@ -593,30 +599,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ - -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \ + -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ -DPLUGINS=\""${PLUGINS}\"" charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ - -lpthread -lm $(DLLIB) $(am__append_5) + -lpthread -lm $(DLLIB) $(SOCKLIB) $(am__append_4) # build optional plugins ######################## -SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \ - $(am__append_12) $(am__append_14) $(am__append_16) \ - $(am__append_18) $(am__append_20) $(am__append_22) \ - $(am__append_24) $(am__append_26) $(am__append_28) \ - $(am__append_30) $(am__append_32) $(am__append_34) \ - $(am__append_36) $(am__append_38) $(am__append_40) \ - $(am__append_42) $(am__append_44) $(am__append_46) \ - $(am__append_48) $(am__append_50) $(am__append_52) -PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \ +SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \ $(am__append_11) $(am__append_13) $(am__append_15) \ $(am__append_17) $(am__append_19) $(am__append_21) \ $(am__append_23) $(am__append_25) $(am__append_27) \ $(am__append_29) $(am__append_31) $(am__append_33) \ $(am__append_35) $(am__append_37) $(am__append_39) \ $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) + $(am__append_47) $(am__append_49) $(am__append_51) +PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \ + $(am__append_10) $(am__append_12) $(am__append_14) \ + $(am__append_16) $(am__append_18) $(am__append_20) \ + $(am__append_22) $(am__append_24) $(am__append_26) \ + $(am__append_28) $(am__append_30) $(am__append_32) \ + $(am__append_34) $(am__append_36) $(am__append_38) \ + $(am__append_40) $(am__append_42) $(am__append_44) \ + $(am__append_46) $(am__append_48) $(am__append_50) \ + $(am__append_52) all: all-recursive .SUFFIXES: diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c index bb7014b0b..2671f848e 100644 --- a/src/charon/bus/bus.c +++ b/src/charon/bus/bus.c @@ -117,7 +117,7 @@ static entry_t *entry_create(listener_t *listener, bool blocker) this->listener = listener; this->blocker = blocker; this->calling = 0; - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); return this; } @@ -351,6 +351,41 @@ static void unregister_listener(private_bus_t *this, entry_t *entry, } /** + * Implementation of bus_t.alert + */ +static void alert(private_bus_t *this, alert_t alert, ...) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + va_list args; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->alert) + { + continue; + } + entry->calling++; + va_start(args, alert); + keep = entry->listener->alert(entry->listener, ike_sa, alert, args); + va_end(args); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** * Implementation of bus_t.ike_state_change */ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, @@ -374,7 +409,6 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -409,7 +443,6 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -443,7 +476,6 @@ static void message(private_bus_t *this, message_t *message, bool incoming) if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -476,7 +508,6 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -511,7 +542,143 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.child_updown + */ +static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->child_updown) + { + continue; + } + entry->calling++; + keep = entry->listener->child_updown(entry->listener, + ike_sa, child_sa, up); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.child_rekey + */ +static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->child_rekey) + { + continue; + } + entry->calling++; + keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.ike_updown + */ +static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->ike_updown) + { + continue; + } + entry->calling++; + keep = entry->listener->ike_updown(entry->listener, ike_sa, up); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + /* a down event for IKE_SA implicitly downs all CHILD_SAs */ + if (!up) + { + iterator_t *iterator; + child_sa_t *child_sa; + + iterator = ike_sa->create_child_sa_iterator(ike_sa); + while (iterator->iterate(iterator, (void**)&child_sa)) + { + child_updown(this, child_sa, FALSE); + } + iterator->destroy(iterator); + } +} + +/** + * Implementation of bus_t.ike_rekey + */ +static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->ike_rekey) + { + continue; + } + entry->calling++; + keep = entry->listener->ike_rekey(entry->listener, old, new); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); } } enumerator->destroy(enumerator); @@ -545,7 +712,6 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final) if (!keep) { unregister_listener(this, entry, enumerator); - break; } if (!success) { @@ -580,16 +746,21 @@ bus_t *bus_create() this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa; this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_; this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog; + this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert; this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change; this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change; this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message; this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; + this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown; + this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey; + this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown; + this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey; this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize; this->public.destroy = (void(*)(bus_t*)) destroy; this->listeners = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); pthread_key_create(&this->thread_id, NULL); pthread_key_create(&this->thread_sa, NULL); diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h index 5faea088f..9c90db6f9 100644 --- a/src/charon/bus/bus.h +++ b/src/charon/bus/bus.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ typedef enum debug_t debug_t; typedef enum level_t level_t; -typedef struct listener_t listener_t; +typedef enum alert_t alert_t; typedef struct bus_t bus_t; #include <stdarg.h> @@ -31,6 +31,7 @@ typedef struct bus_t bus_t; #include <sa/ike_sa.h> #include <sa/child_sa.h> #include <processing/jobs/job.h> +#include <bus/listeners/listener.h> /** * Debug message group. @@ -126,105 +127,12 @@ enum level_t { # define DBG4(...) {} #endif /* DBG4 */ - /** - * Listener interface, listens to events if registered to the bus. + * Kind of alerts to raise. */ -struct listener_t { - - /** - * Log a debugging message. - * - * The implementing signal function returns TRUE to stay registered - * to the bus, or FALSE to unregister itself. - * Calling bus_t.log() inside of a registered listener is possible, - * but the bus does not invoke listeners recursively. - * - * @param singal kind of the signal (up, down, rekeyed, ...) - * @param level verbosity level of the signal - * @param thread ID of the thread raised this signal - * @param ike_sa IKE_SA associated to the event - * @param format printf() style format string - * @param args vprintf() style va_list argument list - " @return TRUE to stay registered, FALSE to unregister - */ - bool (*log) (listener_t *this, debug_t group, level_t level, int thread, - ike_sa_t *ike_sa, char* format, va_list args); - - /** - * Handle state changes in an IKE_SA. - * - * @param ike_sa IKE_SA which changes its state - * @param state new IKE_SA state this IKE_SA changes to - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa, - ike_sa_state_t state); - - /** - * Handle state changes in a CHILD_SA. - * - * @param ike_sa IKE_SA containing the affected CHILD_SA - * @param child_sa CHILD_SA which changes its state - * @param state new CHILD_SA state this CHILD_SA changes to - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, child_sa_state_t state); - - /** - * Hook called for received/sent messages of an IKE_SA. - * - * @param ike_sa IKE_SA sending/receving a message - * @param message message object - * @param incoming TRUE for incoming messages, FALSE for outgoing - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message, - bool incoming); - - /** - * Hook called with IKE_SA key material. - * - * @param ike_sa IKE_SA this keymat belongs to - * @param dh diffie hellman shared secret - * @param nonce_i initiators nonce - * @param nonce_r responders nonce - * @param rekey IKE_SA we are rekeying, if any - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey); - - /** - * Hook called with CHILD_SA key material. - * - * @param ike_sa IKE_SA the child sa belongs to - * @param child_sa CHILD_SA this keymat is used for - * @param dh diffie hellman shared secret - * @param nonce_i initiators nonce - * @param nonce_r responders nonce - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); - - /** - * Hook called to invoke additional authorization rules. - * - * An authorization hook gets invoked several times: After each - * authentication round, the hook gets invoked with with final = FALSE. - * After authentication is complete and the peer configuration is selected, - * it is invoked again, but with final = TRUE. - * - * @param ike_sa IKE_SA to authorize - * @param auth list of auth_cfg_t, done in peers authentication rounds - * @param final TRUE if this is the final hook invocation - * @param success set to TRUE to complete IKE_SA, FALSE abort - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth, - bool final, bool *success); +enum alert_t { + /* a RADIUS server did not respond, no additional arguments */ + ALERT_RADIUS_NOT_RESPONDING, }; /** @@ -307,6 +215,15 @@ struct bus_t { */ void (*vlog)(bus_t *this, debug_t group, level_t level, char* format, va_list args); + + /** + * Raise an alert over the bus. + * + * @param alert kind of alert + * @param ... alert specific attributes + */ + void (*alert)(bus_t *this, alert_t alert, ...); + /** * Send a IKE_SA state change event to the bus. * @@ -361,6 +278,39 @@ struct bus_t { */ void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + + /** + * IKE_SA up/down hook. + * + * @param ike_sa IKE_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + */ + void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up); + + /** + * IKE_SA rekeying hook. + * + * @param old rekeyed and obsolete IKE_SA + * @param new new IKE_SA replacing old + */ + void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new); + + /** + * CHILD_SA up/down hook. + * + * @param child_sa CHILD_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + */ + void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up); + + /** + * CHILD_SA rekeying hook. + * + * @param old rekeyed and obsolete CHILD_SA + * @param new new CHILD_SA replacing old + */ + void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new); + /** * Destroy the event bus. */ diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h index 7282224a5..a69374f23 100644 --- a/src/charon/bus/listeners/file_logger.h +++ b/src/charon/bus/listeners/file_logger.h @@ -21,9 +21,9 @@ #ifndef FILE_LOGGER_H_ #define FILE_LOGGER_H_ -typedef struct file_logger_t file_logger_t; +#include <bus/listeners/listener.h> -#include <bus/bus.h> +typedef struct file_logger_t file_logger_t; /** * Logger to files which implements listener_t. diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h new file mode 100644 index 000000000..578f08ebe --- /dev/null +++ b/src/charon/bus/listeners/listener.h @@ -0,0 +1,179 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup listener listener + * @{ @ingroup listeners + */ + +#ifndef LISTENER_H_ +#define LISTENER_H_ + +typedef struct listener_t listener_t; + +#include <bus/bus.h> + +/** + * Listener interface, listens to events if registered to the bus. + */ +struct listener_t { + + /** + * Log a debugging message. + * + * The implementing signal function returns TRUE to stay registered + * to the bus, or FALSE to unregister itself. + * Calling bus_t.log() inside of a registered listener is possible, + * but the bus does not invoke listeners recursively. + * + * @param group kind of the signal (up, down, rekeyed, ...) + * @param level verbosity level of the signal + * @param thread ID of the thread raised this signal + * @param ike_sa IKE_SA associated to the event + * @param format printf() style format string + * @param args vprintf() style va_list argument list + " @return TRUE to stay registered, FALSE to unregister + */ + bool (*log)(listener_t *this, debug_t group, level_t level, int thread, + ike_sa_t *ike_sa, char* format, va_list args); + + /** + * Hook called if a critical alert is risen. + * + * @param ike_sa IKE_SA associated to the alert, if any + * @param alert kind of alert + * @param ... alert specific argument list + " @return TRUE to stay registered, FALSE to unregister + */ + bool (*alert)(listener_t *this, ike_sa_t *ike_sa, + alert_t alert, va_list args); + + /** + * Handle state changes in an IKE_SA. + * + * @param ike_sa IKE_SA which changes its state + * @param state new IKE_SA state this IKE_SA changes to + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa, + ike_sa_state_t state); + + /** + * Handle state changes in a CHILD_SA. + * + * @param ike_sa IKE_SA containing the affected CHILD_SA + * @param child_sa CHILD_SA which changes its state + * @param state new CHILD_SA state this CHILD_SA changes to + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, child_sa_state_t state); + + /** + * Hook called for received/sent messages of an IKE_SA. + * + * @param ike_sa IKE_SA sending/receving a message + * @param message message object + * @param incoming TRUE for incoming messages, FALSE for outgoing + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming); + + /** + * Hook called with IKE_SA key material. + * + * @param ike_sa IKE_SA this keymat belongs to + * @param dh diffie hellman shared secret + * @param nonce_i initiators nonce + * @param nonce_r responders nonce + * @param rekey IKE_SA we are rekeying, if any + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey); + + /** + * Hook called with CHILD_SA key material. + * + * @param ike_sa IKE_SA the child sa belongs to + * @param child_sa CHILD_SA this keymat is used for + * @param dh diffie hellman shared secret + * @param nonce_i initiators nonce + * @param nonce_r responders nonce + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + + /** + * Hook called if an IKE_SA gets up or down. + * + * @param ike_sa IKE_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up); + + /** + * Hook called when an IKE_SA gets rekeyed. + * + * @param old rekeyed IKE_SA getting obsolete + * @param new new IKE_SA replacing old + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new); + + /** + * Hook called when a CHILD_SA gets up or down. + * + * @param ike_sa IKE_SA containing the handled CHILD_SA + * @param child_sa CHILD_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up); + + /** + * Hook called when an CHILD_SA gets rekeyed. + * + * @param ike_sa IKE_SA containing the rekeyed CHILD_SA + * @param old rekeyed CHILD_SA getting obsolete + * @param new new CHILD_SA replacing old + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new); + + /** + * Hook called to invoke additional authorization rules. + * + * An authorization hook gets invoked several times: After each + * authentication round, the hook gets invoked with with final = FALSE. + * After authentication is complete and the peer configuration is selected, + * it is invoked again, but with final = TRUE. + * + * @param ike_sa IKE_SA to authorize + * @param auth list of auth_cfg_t, done in peers authentication rounds + * @param final TRUE if this is the final hook invocation + * @param success set to TRUE to complete IKE_SA, FALSE abort + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth, + bool final, bool *success); +}; + +#endif /* LISTENER_ @}*/ diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c index 5bcf28f24..0b579ce92 100644 --- a/src/charon/bus/listeners/sys_logger.c +++ b/src/charon/bus/listeners/sys_logger.c @@ -15,7 +15,6 @@ #include <stdio.h> #include <string.h> -#include <pthread.h> #include "sys_logger.h" diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h index 6eda096a9..3ed0f02fa 100644 --- a/src/charon/bus/listeners/sys_logger.h +++ b/src/charon/bus/listeners/sys_logger.h @@ -21,11 +21,11 @@ #ifndef SYS_LOGGER_H_ #define SYS_LOGGER_H_ -typedef struct sys_logger_t sys_logger_t; - #include <syslog.h> -#include <bus/bus.h> +#include <bus/listeners/listener.h> + +typedef struct sys_logger_t sys_logger_t; /** * Logger for syslog which implements listener_t. diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c index 83e431c43..bf45fdb42 100644 --- a/src/charon/config/attributes/attribute_manager.c +++ b/src/charon/config/attributes/attribute_manager.c @@ -260,7 +260,7 @@ attribute_manager_t *attribute_manager_create() this->providers = linked_list_create(); this->handlers = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index 3a3a78466..cfd611858 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -438,7 +438,7 @@ backend_manager_t *backend_manager_create() this->public.destroy = (void (*)(backend_manager_t*))destroy; this->backends = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c index 43e41671a..990ee3fd6 100644 --- a/src/charon/config/child_cfg.c +++ b/src/charon/config/child_cfg.c @@ -345,35 +345,6 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca } /** - * Implementation of child_cfg_t.equal_traffic_selectors. - */ -bool equal_traffic_selectors(private_child_cfg_t *this, bool local, - linked_list_t *ts_list, host_t *host) -{ - linked_list_t *this_list; - traffic_selector_t *this_ts, *ts; - bool result; - - this_list = (local) ? this->my_ts : this->other_ts; - - /* currently equality is established for single traffic selectors only */ - if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1) - { - return FALSE; - } - - this_list->get_first(this_list, (void**)&this_ts); - this_ts = this_ts->clone(this_ts); - this_ts->set_address(this_ts, host); - ts_list->get_first(ts_list, (void**)&ts); - - result = ts->equals(ts, this_ts); - - this_ts->destroy(this_ts); - return result; -} - -/** * Implementation of child_cfg_t.get_updown. */ static char* get_updown(private_child_cfg_t *this) @@ -525,7 +496,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, this->public.get_name = (char* (*) (child_cfg_t*))get_name; this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; - this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors; this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal; diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h index 185fee3da..33c75701c 100644 --- a/src/charon/config/child_cfg.h +++ b/src/charon/config/child_cfg.h @@ -150,18 +150,6 @@ struct child_cfg_t { linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host); - - /** - * Checks [single] traffic selectors for equality - * - * @param local TRUE for TS on local side, FALSE for remote - * @param ts list with single traffic selector to compare with - * @param host address to use for narrowing "dynamic" TS', or NULL - * @return TRUE if TS are equal, FALSE otherwise - */ - bool (*equal_traffic_selectors)(child_cfg_t *this, bool local, - linked_list_t *ts_list, host_t *host); - /** * Get the updown script to run for the CHILD_SA. * diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index da796d6a2..f096f269e 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -250,22 +250,46 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this) } /** - * Check if child_cfg contains traffic selectors + * Check how good a list of TS matches a given child config */ -static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts, - host_t *host) +static int get_ts_match(child_cfg_t *cfg, bool local, + linked_list_t *sup_list, host_t *host) { - linked_list_t *selected; - int prio; + linked_list_t *cfg_list; + enumerator_t *sup_enum, *cfg_enum; + traffic_selector_t *sup_ts, *cfg_ts; + int match = 0, round; - if (child->equal_traffic_selectors(child, mine, ts, host)) + /* fetch configured TS list, narrowing dynamic TS */ + cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host); + + /* use a round counter to rate leading TS with higher priority */ + round = sup_list->get_count(sup_list); + + sup_enum = sup_list->create_enumerator(sup_list); + while (sup_enum->enumerate(sup_enum, &sup_ts)) { - return 2; + cfg_enum = cfg_list->create_enumerator(cfg_list); + while (cfg_enum->enumerate(cfg_enum, &cfg_ts)) + { + if (cfg_ts->equals(cfg_ts, sup_ts)) + { /* equality is honored better than matches */ + match += round * 5; + } + else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) || + sup_ts->is_contained_in(sup_ts, cfg_ts)) + { + match += round * 1; + } + } + cfg_enum->destroy(cfg_enum); + round--; } - selected = child->get_traffic_selectors(child, mine, ts, host); - prio = selected->get_count(selected) ? 1 : 0; - selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); - return prio; + sup_enum->destroy(sup_enum); + + cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy)); + + return match; } /** @@ -279,21 +303,23 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, child_cfg_t *current, *found = NULL; enumerator_t *enumerator; int best = 0; - - DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); + + DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); enumerator = create_child_cfg_enumerator(this); while (enumerator->enumerate(enumerator, ¤t)) { - int prio = contains_ts(current, TRUE, my_ts, my_host) + - contains_ts(current, FALSE, other_ts, other_host); - - if (prio) + int my_prio, other_prio; + + my_prio = get_ts_match(current, TRUE, my_ts, my_host); + other_prio = get_ts_match(current, FALSE, other_ts, other_host); + + if (my_prio && other_prio) { - DBG2(DBG_CFG, " candidate \"%s\" with prio %d", - current->get_name(current), prio); - if (prio > best) + DBG2(DBG_CFG, " candidate \"%s\" with prio %d+%d", + current->get_name(current), my_prio, other_prio); + if (my_prio + other_prio > best) { - best = prio; + best = my_prio + other_prio; DESTROY_IF(found); found = current->get_ref(current); } @@ -637,7 +663,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->ike_version = ike_version; this->ike_cfg = ike_cfg; this->child_cfgs = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->cert_policy = cert_policy; this->unique = unique; this->keyingtries = keyingtries; diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index e2dfcca4f..cf7e19605 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -266,6 +266,9 @@ static bool is_authenticated_encryption(u_int16_t alg) case ENCR_AES_GCM_ICV8: case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: return TRUE; } return FALSE; diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 776dbe599..0967cbc81 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -1591,7 +1591,7 @@ credential_manager_t *credential_manager_create() this->cache = cert_cache_create(); this->cache_queue = linked_list_create(); this->sets->insert_first(this->sets, this->cache); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c index 907f5072f..dee0463e6 100644 --- a/src/charon/credentials/sets/cert_cache.c +++ b/src/charon/credentials/sets/cert_cache.c @@ -383,7 +383,7 @@ cert_cache_t *cert_cache_create() this->relations[i].subject = NULL; this->relations[i].issuer = NULL; this->relations[i].hits = 0; - this->relations[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } return &this->public; } diff --git a/src/charon/daemon.c b/src/charon/daemon.c index c646ef9b4..0689c448e 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -20,7 +20,9 @@ #ifdef HAVE_PRCTL #include <sys/prctl.h> #endif +#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include <signal.h> +#undef _POSIX_PTHREAD_SEMANTICS #include <pthread.h> #include <sys/stat.h> #include <sys/types.h> @@ -42,10 +44,9 @@ #include <config/traffic_selector.h> #include <config/proposal.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips/fips_signature.h> -#endif /* INTEGRITY_TEST */ +#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ +#define LOG_AUTHPRIV LOG_AUTH +#endif typedef struct private_daemon_t private_daemon_t; @@ -469,6 +470,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[]) DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")"); + if (lib->integrity) + { + DBG1(DBG_DMN, "integrity tests enabled:"); + DBG1(DBG_DMN, "lib 'libstrongswan': passed file and segment integrity tests"); + DBG1(DBG_DMN, "daemon 'charon': passed file integrity test"); + } + /* load secrets, ca certificates and crls */ this->public.processor = processor_create(); this->public.scheduler = scheduler_create(); @@ -487,19 +495,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[]) lib->settings->get_str(lib->settings, "charon.load", PLUGINS)); print_plugins(); - -#ifdef INTEGRITY_TEST - DBG1(DBG_DMN, "integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(DBG_DMN, " integrity test passed"); - } - else - { - DBG1(DBG_DMN, " integrity test failed"); - return FALSE; - } -#endif /* INTEGRITY_TEST */ this->public.ike_sa_manager = ike_sa_manager_create(); if (this->public.ike_sa_manager == NULL) @@ -686,7 +681,20 @@ int main(int argc, char *argv[]) dbg = dbg_stderr; /* initialize library */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "charon", argv[0])) + { + dbg_stderr(1, "integrity check of charon failed"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } + lib->printf_hook->add_handler(lib->printf_hook, 'R', traffic_selector_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, @@ -757,7 +765,7 @@ int main(int argc, char *argv[]) { DBG1(DBG_DMN, "initialization failed - aborting charon"); destroy(private_charon); - exit(-1); + exit(SS_RC_INITIALIZATION_FAILED); } if (check_pidfile()) diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c index 5188b79fe..53ae1d200 100644 --- a/src/charon/kernel/kernel_interface.c +++ b/src/charon/kernel/kernel_interface.c @@ -104,6 +104,19 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi, } /** + * Implementation of kernel_interface_t.query_sa + */ +static status_t query_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes); +} + +/** * Implementation of kernel_interface_t.del_sa */ static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, @@ -387,6 +400,7 @@ kernel_interface_t *kernel_interface_create() this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h index 8c58c959a..c4a273a34 100644 --- a/src/charon/kernel/kernel_interface.h +++ b/src/charon/kernel/kernel_interface.h @@ -141,6 +141,19 @@ struct kernel_interface_t { bool encap, bool new_encap); /** + * Query the number of bytes processed by an SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param[out] bytes the number of bytes processed by SA + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + + /** * Delete a previously installed SA from the SAD. * * @param src source address for this SA diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h index 6e8c5bc63..d6438c197 100644 --- a/src/charon/kernel/kernel_ipsec.h +++ b/src/charon/kernel/kernel_ipsec.h @@ -171,6 +171,19 @@ struct kernel_ipsec_t { bool encap, bool new_encap); /** + * Query the number of bytes processed by an SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param[out] bytes the number of bytes processed by SA + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + + /** * Delete a previusly installed SA from the SAD. * * @param src source address for this SA diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c index 4910fe2e8..19f589115 100644 --- a/src/charon/network/sender.c +++ b/src/charon/network/sender.c @@ -139,9 +139,9 @@ sender_t * sender_create() this->public.destroy = (void(*)(sender_t*)) destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->got = condvar_create(CONDVAR_DEFAULT); - this->sent = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->got = condvar_create(CONDVAR_TYPE_DEFAULT); + this->sent = condvar_create(CONDVAR_TYPE_DEFAULT); this->job = callback_job_create((callback_job_cb_t)send_packets, this, NULL, NULL); diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index 8627ca76d..97c88be79 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -18,6 +18,10 @@ /* for struct in6_pktinfo */ #define _GNU_SOURCE +#ifdef __sun +#define _XPG4_2 +#define __EXTENSIONS__ +#endif #include <pthread.h> #include <sys/types.h> @@ -34,6 +38,9 @@ #include <netinet/ip6.h> #include <netinet/udp.h> #include <net/if.h> +#ifdef __APPLE__ +#include <sys/sysctl.h> +#endif #include "socket.h" @@ -431,7 +438,6 @@ status_t sender(private_socket_t *this, packet_t *packet) static int open_socket(private_socket_t *this, int family, u_int16_t port) { int on = TRUE; - int type = UDP_ENCAP_ESPINUDP; struct sockaddr_storage addr; socklen_t addrlen; u_int sol, pktinfo = 0; @@ -502,13 +508,18 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) return 0; } } - - /* enable UDP decapsulation globally, only for one socket needed */ - if (family == AF_INET && port == IKEV2_NATT_PORT && - setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) + +#ifndef __APPLE__ { - DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno)); + /* enable UDP decapsulation globally, only for one socket needed */ + int type = UDP_ENCAP_ESPINUDP; + if (family == AF_INET && port == IKEV2_NATT_PORT && + setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) + { + DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno)); + } } +#endif return skt; } @@ -611,6 +622,18 @@ socket_t *socket_create() this->ipv6 = 0; this->ipv4_natt = 0; this->ipv6_natt = 0; + +#ifdef __APPLE__ + { + int natt_port = IKEV2_NATT_PORT; + if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port, + sizeof(natt_port)) != 0) + { + DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s", + natt_port, strerror(errno)); + } + } +#endif this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT); if (this->ipv4 == 0) diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am index d5eb99d9f..b4b3b7da6 100644 --- a/src/charon/plugins/attr/Makefile.am +++ b/src/charon/plugins/attr/Makefile.am @@ -6,4 +6,4 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in index c0467054e..5c94771e1 100644 --- a/src/charon/plugins/attr/Makefile.in +++ b/src/charon/plugins/attr/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am index e1ad1eaf9..1a3ea1857 100644 --- a/src/charon/plugins/eap_aka/Makefile.am +++ b/src/charon/plugins/eap_aka/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in index 74d49ac73..2d2405379 100644 --- a/src/charon/plugins/eap_aka/Makefile.in +++ b/src/charon/plugins/eap_aka/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp all: all-am diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am index 1057bd506..547a8dfc5 100644 --- a/src/charon/plugins/eap_gtc/Makefile.am +++ b/src/charon/plugins/eap_gtc/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in index 19d648bbd..46d438a97 100644 --- a/src/charon/plugins/eap_gtc/Makefile.in +++ b/src/charon/plugins/eap_gtc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am index dbf66e74b..79ddee3e8 100644 --- a/src/charon/plugins/eap_identity/Makefile.am +++ b/src/charon/plugins/eap_identity/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in index f275cd770..0adb9ce10 100644 --- a/src/charon/plugins/eap_identity/Makefile.in +++ b/src/charon/plugins/eap_identity/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am index d7964fee9..8bad64368 100644 --- a/src/charon/plugins/eap_md5/Makefile.am +++ b/src/charon/plugins/eap_md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in index 372b80b3e..c11837b91 100644 --- a/src/charon/plugins/eap_md5/Makefile.in +++ b/src/charon/plugins/eap_md5/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am index 6ab931905..179da70fc 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.am +++ b/src/charon/plugins/eap_mschapv2/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in index 5ae41d896..d6dd74b88 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.in +++ b/src/charon/plugins/eap_mschapv2/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am index f7de2f14f..df5c94656 100644 --- a/src/charon/plugins/eap_radius/Makefile.am +++ b/src/charon/plugins/eap_radius/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapradius_la_SOURCES = \ eap_radius.h eap_radius.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in index e7a4cd0f8..c30111fad 100644 --- a/src/charon/plugins/eap_radius/Makefile.in +++ b/src/charon/plugins/eap_radius/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_eapradius_la_SOURCES = \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c index ee2477440..deb3b648b 100644 --- a/src/charon/plugins/eap_radius/eap_radius.c +++ b/src/charon/plugins/eap_radius/eap_radius.c @@ -66,6 +66,11 @@ struct private_eap_radius_t { * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly */ bool eap_start; + + /** + * Prefix to prepend to EAP identity + */ + char *id_prefix; }; /** @@ -86,18 +91,20 @@ static void add_eap_identity(private_eap_radius_t *this, /** identity data */ u_int8_t data[]; } __attribute__((__packed__)) *hdr; - chunk_t id; + chunk_t id, prefix; size_t len; id = this->peer->get_encoding(this->peer); - len = sizeof(*hdr) + id.len; + prefix = chunk_create(this->id_prefix, strlen(this->id_prefix)); + len = sizeof(*hdr) + prefix.len + id.len; hdr = alloca(len); hdr->code = EAP_RESPONSE; hdr->identifier = 0; hdr->length = htons(len); hdr->type = EAP_IDENTITY; - memcpy(hdr->data, id.ptr, id.len); + memcpy(hdr->data, prefix.ptr, prefix.len); + memcpy(hdr->data + prefix.len, id.ptr, id.len); request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len)); } @@ -136,9 +143,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; + chunk_t username; request = radius_message_create_request(); - request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + username = chunk_create(this->id_prefix, strlen(this->id_prefix)); + username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_NAME, username); if (this->eap_start) { @@ -283,7 +293,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->msk = chunk_empty; this->eap_start = lib->settings->get_bool(lib->settings, "charon.plugins.eap_radius.eap_start", FALSE); - + this->id_prefix = lib->settings->get_str(lib->settings, + "charon.plugins.eap_radius.id_prefix", ""); return &this->public; } diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c index 57d3f8f21..de1bafc6d 100644 --- a/src/charon/plugins/eap_radius/radius_client.c +++ b/src/charon/plugins/eap_radius/radius_client.c @@ -161,8 +161,8 @@ bool radius_client_init() "charon.plugins.eap_radius.sockets", 1); sockets = linked_list_create(); - mutex = mutex_create(MUTEX_DEFAULT); - condvar = condvar_create(CONDVAR_DEFAULT); + mutex = mutex_create(MUTEX_TYPE_DEFAULT); + condvar = condvar_create(CONDVAR_TYPE_DEFAULT); for (i = 0; i < count; i++) { fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); @@ -353,6 +353,7 @@ static radius_message_t* request(private_radius_client_t *this, } DBG1(DBG_CFG, "RADIUS server is not responding"); put_socket(socket); + charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); return NULL; } diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am index 6cb53ebb5..e503bddab 100644 --- a/src/charon/plugins/eap_sim/Makefile.am +++ b/src/charon/plugins/eap_sim/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in index 2374567bc..8f6daacad 100644 --- a/src/charon/plugins/eap_sim/Makefile.in +++ b/src/charon/plugins/eap_sim/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am index fc3a0fa14..1cd1dd9e2 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.am +++ b/src/charon/plugins/eap_sim_file/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_card.h eap_sim_file_card.c \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in index 554b3a7bc..b19cc839f 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.in +++ b/src/charon/plugins/eap_sim_file/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index d093851c2..e27ed6860 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -251,7 +251,7 @@ eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file) this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy; this->triplets = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); read_triplets(this, file); diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am index dc0234775..0c0987cca 100644 --- a/src/charon/plugins/kernel_klips/Makefile.am +++ b/src/charon/plugins/kernel_klips/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in index a1efe9d5a..4b1c27352 100644 --- a/src/charon/plugins/kernel_klips/Makefile.in +++ b/src/charon/plugins/kernel_klips/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index c69ce4c9a..9a903d027 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1934,6 +1934,16 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; /* TODO */ +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, @@ -2609,6 +2619,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2621,8 +2632,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->allocated_spis = linked_list_create(); this->installed_sas = linked_list_create(); this->ipsec_devices = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am index e0efe5779..6351280d6 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.am +++ b/src/charon/plugins/kernel_netlink/Makefile.am @@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \ kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in index b97738bff..46d2a1c65 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.in +++ b/src/charon/plugins/kernel_netlink/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 9322d8dfe..2051316f6 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, break; case ENCR_AES_CCM_ICV16: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV16: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV12: case ENCR_AES_GCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV12: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV8: case ENCR_AES_GCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV8: { - rthdr->rta_type = XFRMA_ALG_AEAD; + struct xfrm_algo_aead *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_AEAD; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); + algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; algo->alg_icv_len = icv_size; strcpy(algo->alg_name, alg_name); @@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, } default: { - rthdr->rta_type = XFRMA_ALG_CRYPT; + struct xfrm_algo *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_CRYPT; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); + algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, enc_key.ptr, enc_key.len); rthdr = XFRM_RTA_NEXT(rthdr); - break; } } @@ -1230,6 +1236,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + netlink_buf_t request; + struct nlmsghdr *out = NULL, *hdr; + struct xfrm_usersa_id *sa_id; + struct xfrm_usersa_info *sa = NULL; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = proto_ike2kernel(protocol); + sa_id->family = dst->get_family(dst); + + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)", + ntohl(spi), strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + + if (sa == NULL) + { + DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = sa->curlft.bytes; + + free(out); + return SUCCESS; +} +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, @@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() /* private members */ this->policies = hashtable_create((hashtable_hash_t)policy_hash, (hashtable_equals_t)policy_equals, 32); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index 32154a7ea..e5c0b5da7 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); timerclear(&this->last_roam); this->routing_table = lib->settings->get_int(lib->settings, "charon.routing_table", IPSEC_ROUTING_TABLE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c index 7ef7cc56e..ec1187083 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol) { /* private members */ this->seq = 200; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am index c9d66b5de..e03a0ca02 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.am +++ b/src/charon/plugins/kernel_pfkey/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in index df2492ef7..e01510127 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.in +++ b/src/charon/plugins/kernel_pfkey/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 56f0320dc..1f83e8f39 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -17,6 +17,10 @@ #include <sys/types.h> #include <sys/socket.h> +#ifdef __FreeBSD__ +#include <limits.h> /* for LONG_MAX */ +#endif + #ifdef HAVE_NET_PFKEYV2_H #include <net/pfkeyv2.h> #else @@ -37,11 +41,11 @@ #endif #ifdef HAVE_NATT -#ifdef HAVE_NETINET_UDP_H -#include <netinet/udp.h> -#else +#ifdef HAVE_LINUX_UDP_H #include <linux/udp.h> -#endif /*HAVE_NETINET_UDP_H*/ +#else +#include <netinet/udp.h> +#endif /*HAVE_LINUX_UDP_H*/ #endif /*HAVE_NATT*/ #include <unistd.h> @@ -89,7 +93,7 @@ #define IP_IPSEC_POLICY 16 #endif -/* missing on uclibc */ +/** missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 #endif @@ -98,6 +102,17 @@ #define PRIO_LOW 3000 #define PRIO_HIGH 2000 +#ifdef __APPLE__ +/** from xnu/bsd/net/pfkeyv2.h */ +#define SADB_X_EXT_NATT 0x002 + struct sadb_sa_2 { + struct sadb_sa sa; + u_int16_t sadb_sa_natt_port; + u_int16_t sadb_reserved0; + u_int32_t sadb_reserved1; + }; +#endif + /** buffer size for PF_KEY messages */ #define PFKEY_BUFFER_SIZE 4096 @@ -467,7 +482,7 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_FWD; #endif default: - return dir; + return IPSEC_DIR_INVALID; } } @@ -693,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) { - DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); + DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || ext->sadb_ext_len > len) { @@ -740,6 +755,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket this->mutex_pfkey->lock(this->mutex_pfkey); + /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, + * in particular the behavior in response to an SADB_ACQUIRE. */ in->sadb_msg_seq = ++this->seq; in->sadb_msg_pid = getpid(); @@ -801,14 +818,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } if (msg->sadb_msg_seq != this->seq) { - DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, " - "was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq < this->seq) + DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence " + "number, was %d expected %d", msg->sadb_msg_seq, this->seq); + if (msg->sadb_msg_seq == 0) + { + /* FreeBSD and Mac OS X do this for the response to + * SADB_X_SPDGET (but not for the response to SADB_GET). + * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ + } + else if (msg->sadb_msg_seq < this->seq) { continue; } - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; + else + { + this->mutex_pfkey->unlock(this->mutex_pfkey); + return FAILED; + } } if (msg->sadb_msg_type != in->sadb_msg_type) { @@ -1223,10 +1249,25 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + +#ifdef __APPLE__ + if (encap) + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sadb_sa_natt_port = dst->get_port(dst); + sa = &sa_2->sa; + sa->sadb_sa_flags |= SADB_X_EXT_NATT; + len = sizeof(struct sadb_sa_2); + } + else +#endif + { + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + len = sizeof(struct sadb_sa); + } sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_len = PFKEY_LEN(len); sa->sadb_sa_spi = spi; sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32; sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg); @@ -1403,7 +1444,21 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); +#ifdef __APPLE__ + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); + memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); + if (encap) + { + sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); + sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; + } + } +#else PFKEY_EXT_COPY(msg, response.sa); +#endif PFKEY_EXT_COPY(msg, response.x_sa2); PFKEY_EXT_COPY(msg, response.src); @@ -1421,7 +1476,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + #ifdef HAVE_NATT if (new_encap) { @@ -1449,6 +1504,65 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + unsigned char request[PFKEY_BUFFER_SIZE]; + struct sadb_msg *msg, *out; + struct sadb_sa *sa; + pfkey_msg_t response; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + msg = (struct sadb_msg*)request; + msg->sadb_msg_version = PF_KEY_V2; + msg->sadb_msg_type = SADB_GET; + msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); + + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + sa->sadb_sa_exttype = SADB_EXT_SA; + sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_spi = spi; + PFKEY_EXT_ADD(msg, sa); + + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); + add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); + + if (pfkey_send(this, msg, &out, &len) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + return FAILED; + } + else if (out->sadb_msg_errno) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", + ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); + free(out); + return FAILED; + } + else if (parse_pfkey_message(out, &response) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = response.lft_current->sadb_lifetime_bytes; + + free(out); + return SUCCESS; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, @@ -1476,7 +1590,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); @@ -1518,6 +1634,12 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction, reqid); @@ -1594,6 +1716,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, policy->dst.mask); +#ifdef __FreeBSD__ + { /* on FreeBSD a lifetime has to be defined to be able to later query + * the current use time. */ + struct sadb_lifetime *lft; + lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); + lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; + lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); + lft->sadb_lifetime_addtime = LONG_MAX; + PFKEY_EXT_ADD(msg, lft); + } +#endif + this->mutex->unlock(this->mutex); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1700,6 +1834,12 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return NOT_FOUND; + } + DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1764,6 +1904,13 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, free(out); return FAILED; } + else if (response.lft_current == NULL) + { + DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " + "use time", src_ts, dst_ts, policy_dir_names, direction); + free(out); + return FAILED; + } *use_time = response.lft_current->sadb_lifetime_usetime; @@ -1787,6 +1934,12 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, route_entry_t *route; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1995,6 +2148,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2004,8 +2158,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() /* private members */ this->policies = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am index 3ad445c09..b6e6587a7 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.am +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in index e585a7db2..05da8e271 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.in +++ b/src/charon/plugins/kernel_pfroute/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c index c2b35a5ce..d5a864b1c 100644 --- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -681,8 +681,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT); this->seq = 0; diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am index 121f0b080..e6e04229a 100644 --- a/src/charon/plugins/load_tester/Makefile.am +++ b/src/charon/plugins/load_tester/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in index 056ac16d3..3b494cea2 100644 --- a/src/charon/plugins/load_tester/Makefile.in +++ b/src/charon/plugins/load_tester/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -233,7 +238,7 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index d37f7a7bd..e463d2adc 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -84,6 +84,16 @@ static status_t update_sa(private_load_tester_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, @@ -151,6 +161,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c index 12ac7b090..93ed2e3c5 100644 --- a/src/charon/plugins/load_tester/load_tester_plugin.c +++ b/src/charon/plugins/load_tester/load_tester_plugin.c @@ -202,8 +202,8 @@ plugin_t *plugin_create() shutdown_on = this->iterations * this->initiators; } - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->config = load_tester_config_create(); this->creds = load_tester_creds_create(); this->listener = load_tester_listener_create(shutdown_on); diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am index f15950af9..a5f018f82 100644 --- a/src/charon/plugins/medcli/Makefile.am +++ b/src/charon/plugins/medcli/Makefile.am @@ -8,5 +8,5 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_creds.h medcli_creds.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in index cef486411..9a2b3f889 100644 --- a/src/charon/plugins/medcli/Makefile.in +++ b/src/charon/plugins/medcli/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am index 476da1878..f3611a79e 100644 --- a/src/charon/plugins/medsrv/Makefile.am +++ b/src/charon/plugins/medsrv/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-medsrv.la libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in index ec537e505..ba599499b 100644 --- a/src/charon/plugins/medsrv/Makefile.in +++ b/src/charon/plugins/medsrv/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am index 9a0b48cd2..b74a4e46f 100644 --- a/src/charon/plugins/nm/Makefile.am +++ b/src/charon/plugins/nm/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_nm_la_SOURCES = \ nm_service.h nm_service.c \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in index a75af8a0f..c7c428c2a 100644 --- a/src/charon/plugins/nm/Makefile.in +++ b/src/charon/plugins/nm/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_nm_la_SOURCES = \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} all: all-am diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c index d93b81c9a..4ea2c36dd 100644 --- a/src/charon/plugins/nm/nm_creds.c +++ b/src/charon/plugins/nm/nm_creds.c @@ -322,7 +322,7 @@ nm_creds_t *nm_creds_create() this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cert = NULL; this->user = NULL; diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c index bca4d9e09..88a3cc95e 100644 --- a/src/charon/plugins/nm/nm_service.c +++ b/src/charon/plugins/nm/nm_service.c @@ -14,6 +14,7 @@ */ #include <nm-setting-vpn.h> +#include <nm-setting-connection.h> #include "nm_service.h" #include <daemon.h> @@ -25,8 +26,6 @@ #include <stdio.h> -#define CONFIG_NAME "NetworkManager" - G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN) /** @@ -43,6 +42,8 @@ typedef struct { nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ nm_handler_t *handler; + /* name of the connection */ + char *name; } NMStrongswanPluginPrivate; #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \ @@ -121,14 +122,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin, /** * signal failure to NM, connecting failed */ -static void signal_failure(NMVPNPlugin *plugin) +static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure) { nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler; handler->reset(handler); /* TODO: NM does not handle this failure!? */ - nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + nm_vpn_plugin_failure(plugin, failure); nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED); } @@ -140,16 +141,10 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa, { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; - if (private->ike_sa == ike_sa) + if (private->ike_sa == ike_sa && state == IKE_DESTROYING) { - switch (state) - { - case IKE_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; - } + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + return FALSE; } return TRUE; } @@ -161,32 +156,63 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; + } + return TRUE; +} +/** + * Implementation of listener_t.child_updown + */ +static bool child_updown(listener_t *listener, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + if (private->ike_sa == ike_sa) { - switch (state) + if (up) + { /* disable initiate-failure-detection hooks */ + private->listener.ike_state_change = NULL; + private->listener.child_state_change = NULL; + signal_ipv4_config(private->plugin, ike_sa, child_sa); + } + else { - case CHILD_INSTALLED: - signal_ipv4_config(private->plugin, ike_sa, child_sa); - return FALSE; - case CHILD_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; } } return TRUE; } /** + * Implementation of listener_t.ike_rekey + */ +static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == old) + { /* follow a rekeyed IKE_SA */ + private->ike_sa = new; + } + return TRUE; +} + +/** * Connect function called from NM via DBUS */ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, GError **err) { - nm_creds_t *creds; - NMSettingVPN *settings; + NMStrongswanPluginPrivate *priv; + NMSettingConnection *conn; + NMSettingVPN *vpn; identification_t *user = NULL, *gateway; const char *address, *str; bool virtual, encap, ipcomp; @@ -204,25 +230,34 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Read parameters */ - settings = NM_SETTING_VPN(nm_connection_get_setting(connection, - NM_TYPE_SETTING_VPN)); - - DBG4(DBG_CFG, "received NetworkManager connection: %s", - nm_setting_to_string(NM_SETTING(settings))); - address = nm_setting_vpn_get_data_item(settings, "address"); + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection, + NM_TYPE_SETTING_CONNECTION)); + vpn = NM_SETTING_VPN(nm_connection_get_setting(connection, + NM_TYPE_SETTING_VPN)); + if (priv->name) + { + free(priv->name); + } + priv->name = strdup(nm_setting_connection_get_id(conn)); + DBG1(DBG_CFG, "received initiate for NetworkManager connection %s", + priv->name); + DBG4(DBG_CFG, "%s", + nm_setting_to_string(NM_SETTING(vpn))); + address = nm_setting_vpn_get_data_item(vpn, "address"); if (!address || !*address) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, "Gateway address missing."); return FALSE; } - str = nm_setting_vpn_get_data_item(settings, "virtual"); + str = nm_setting_vpn_get_data_item(vpn, "virtual"); virtual = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "encap"); + str = nm_setting_vpn_get_data_item(vpn, "encap"); encap = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "ipcomp"); + str = nm_setting_vpn_get_data_item(vpn, "ipcomp"); ipcomp = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "method"); + str = nm_setting_vpn_get_data_item(vpn, "method"); if (str) { if (streq(str, "psk")) @@ -243,16 +278,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Register credentials */ - creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds; - creds->clear(creds); + priv->creds->clear(priv->creds); /* gateway/CA cert */ - str = nm_setting_vpn_get_data_item(settings, "certificate"); + str = nm_setting_vpn_get_data_item(vpn, "certificate"); if (str) { cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, str, BUILD_END); - creds->set_certificate(creds, cert); + priv->creds->set_certificate(priv->creds, cert); } if (!cert) { @@ -279,19 +313,19 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, if (auth_class == AUTH_CLASS_EAP) { /* username/password authentication ... */ - str = nm_setting_vpn_get_data_item(settings, "user"); + str = nm_setting_vpn_get_data_item(vpn, "user"); if (str) { user = identification_create_from_string((char*)str); - str = nm_setting_vpn_get_secret(settings, "password"); - creds->set_username_password(creds, user, (char*)str); + str = nm_setting_vpn_get_secret(vpn, "password"); + priv->creds->set_username_password(priv->creds, user, (char*)str); } } if (auth_class == AUTH_CLASS_PUBKEY) { /* ... or certificate/private key authenitcation */ - str = nm_setting_vpn_get_data_item(settings, "usercert"); + str = nm_setting_vpn_get_data_item(vpn, "usercert"); if (str) { public_key_t *public; @@ -308,7 +342,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, return FALSE; } /* try agent */ - str = nm_setting_vpn_get_secret(settings, "agent"); + str = nm_setting_vpn_get_secret(vpn, "agent"); if (agent && str) { public = cert->get_public_key(cert); @@ -329,14 +363,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, } } /* ... or key file */ - str = nm_setting_vpn_get_data_item(settings, "userkey"); + str = nm_setting_vpn_get_data_item(vpn, "userkey"); if (!agent && str) { chunk_t secret, chunk; bool pgp = FALSE; - secret.ptr = (char*)nm_setting_vpn_get_secret(settings, - "password"); + secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password"); if (secret.ptr) { secret.len = strlen(secret.ptr); @@ -358,7 +391,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { user = cert->get_subject(cert); user = user->clone(user); - creds->set_cert_and_key(creds, cert, private); + priv->creds->set_cert_and_key(priv->creds, cert, private); } else { @@ -382,7 +415,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, */ ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg, + peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ 36000, 0, /* rekey 10h, reauth none */ 600, 600, /* jitter, over 10min */ @@ -398,11 +431,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, auth->add(auth, AUTH_RULE_IDENTITY, gateway); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(CONFIG_NAME, + child_cfg = child_cfg_create(priv->name, 10800, 10200, /* lifetime 3h, rekey 2h50min */ 300, /* jitter 5min */ NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_RESTART, ipcomp); + ACTION_NONE, ACTION_NONE, ipcomp); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -413,7 +446,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, peer_cfg->add_child_cfg(peer_cfg, child_cfg); /** - * Start to initiate + * Prepare IKE_SA */ ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, peer_cfg); @@ -425,21 +458,27 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { peer_cfg->destroy(peer_cfg); } + + /** + * Register listener, enable initiate-failure-detection hooks + */ + priv->ike_sa = ike_sa; + priv->listener.ike_state_change = ike_state_change; + priv->listener.child_state_change = child_state_change; + charon->bus->add_listener(charon->bus, &priv->listener); + + /** + * Initiate + */ if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) { + charon->bus->remove_listener(charon->bus, &priv->listener); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, "Initiating failed."); return FALSE; } - - /** - * Register listener - */ - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa; - charon->bus->add_listener(charon->bus, - &NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); return TRUE; } @@ -501,14 +540,16 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, */ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) { + NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); enumerator_t *enumerator; ike_sa_t *ike_sa; u_int id; + /* our ike_sa pointer might be invalid, lookup sa */ enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) { - if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa))) + if (priv->ike_sa == ike_sa) { id = ike_sa->get_unique_id(ike_sa); enumerator->destroy(enumerator); @@ -529,13 +570,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) */ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) { - NMStrongswanPluginPrivate *private; + NMStrongswanPluginPrivate *priv; - private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - private->plugin = NM_VPN_PLUGIN(plugin); - memset(&private->listener.log, 0, sizeof(listener_t)); - private->listener.ike_state_change = ike_state_change; - private->listener.child_state_change = child_state_change; + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->plugin = NM_VPN_PLUGIN(plugin); + memset(&priv->listener.log, 0, sizeof(listener_t)); + priv->listener.child_updown = child_updown; + priv->listener.ike_rekey = ike_rekey; } /** @@ -565,8 +606,12 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds, NULL); if (plugin) { - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds; - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler; + NMStrongswanPluginPrivate *priv; + + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->creds = creds; + priv->handler = handler; + priv->name = NULL; } return plugin; } diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am index 917964f93..be7f862f2 100644 --- a/src/charon/plugins/resolv_conf/Makefile.am +++ b/src/charon/plugins/resolv_conf/Makefile.am @@ -8,6 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-resolv-conf.la libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in index 91ddae582..19c20467a 100644 --- a/src/charon/plugins/resolv_conf/Makefile.in +++ b/src/charon/plugins/resolv_conf/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index 19e3b3275..749cfbc5b 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -183,7 +183,7 @@ resolv_conf_handler_t *resolv_conf_handler_create() this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release; this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->file = lib->settings->get_str(lib->settings, "charon.plugins.resolv-conf.file", RESOLV_CONF); diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am index 1679f1c68..a434b388b 100644 --- a/src/charon/plugins/smp/Makefile.am +++ b/src/charon/plugins/smp/Makefile.am @@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in index f06321ba7..d23d2d001 100644 --- a/src/charon/plugins/smp/Makefile.in +++ b/src/charon/plugins/smp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CF AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} all: all-am diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am index ea39ce0d5..bf4963f29 100644 --- a/src/charon/plugins/sql/Makefile.am +++ b/src/charon/plugins/sql/Makefile.am @@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version ipsec_PROGRAMS = pool pool_SOURCES = pool.c diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in index 0848ea0dd..f6fd8e4f7 100644 --- a/src/charon/plugins/sql/Makefile.in +++ b/src/charon/plugins/sql/Makefile.in @@ -82,12 +82,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -192,7 +195,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version pool_SOURCES = pool.c pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index 7d393b6f7..ebcc9adc7 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -637,8 +637,19 @@ int main(int argc, char *argv[]) } operation = OP_USAGE; dbg = dbg_stderr; - library_init(STRONGSWAN_CONF); atexit(library_deinit); + + /* initialize library */ + if (!library_init(STRONGSWAN_CONF)) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pool", argv[0])) + { + fprintf(stderr, "integrity check of pool failed\n"); + exit(SS_RC_DAEMON_INTEGRITY); + } lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pool.load", PLUGINS)); diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c index 95d0d30d4..77601e612 100644 --- a/src/charon/plugins/sql/sql_attribute.c +++ b/src/charon/plugins/sql/sql_attribute.c @@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout) } /** - * Lookup a lease + * Look up an existing lease */ -static host_t *get_address(private_sql_attribute_t *this, char *name, - u_int pool, u_int timeout, u_int identity) +static host_t* check_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int identity) { - enumerator_t *e; - u_int id; - chunk_t address; - host_t *host; - time_t now = time(NULL); - - /* We check for leases for that identity first and for other expired - * leases afterwards. We select an address as a candidate, but double - * check if it is still valid in the update. This allows us to work - * without locking. */ - - /* check for an existing lease for that identity */ while (TRUE) { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", @@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } address = chunk_clonea(address); e->destroy(e); + if (this->db->execute(this->db, NULL, "UPDATE addresses SET acquired = ?, released = 0 " "WHERE id = ? AND identity = ? AND released != 0", DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } } - - /* check for an expired lease */ + return NULL; +} + +/** + * We check for unallocated addresses or expired leases. First we select an + * address as a candidate, but double check later on if it is still available + * during the update operation. This allows us to work without locking. + */ +static host_t* get_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int timeout, u_int identity) +{ while (TRUE) { - e = this->db->query(this->db, + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + int hits; + + if (timeout) + { + /* check for an expired lease */ + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); + } + else + { + /* with static leases, check for an unallocated address */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = 0 LIMIT 1", + DB_UINT, pool, DB_UINT, DB_BLOB); + + } + if (!e || !e->enumerate(e, &id, &address)) { DESTROY_IF(e); @@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, address = chunk_clonea(address); e->destroy(e); - if (this->db->execute(this->db, NULL, - "UPDATE addresses SET " - "acquired = ?, released = 0, identity = ? " - "WHERE id = ? AND released != 0 AND released < ?", - DB_UINT, now, DB_UINT, identity, - DB_UINT, id, DB_UINT, now - timeout) > 0) + if (timeout) + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND released != 0 AND released < ?", + DB_UINT, now, DB_UINT, identity, + DB_UINT, id, DB_UINT, now - timeout); + } + else { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND identity = 0", + DB_UINT, now, DB_UINT, identity, DB_UINT, id); + } + if (hits > 0) + { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } DBG1(DBG_CFG, "no available address found in pool '%s'", name); - return 0; + return NULL; } /** * Implementation of attribute_provider_t.acquire_address */ static host_t* acquire_address(private_sql_attribute_t *this, - char *name, identification_t *id, + char *names, identification_t *id, host_t *requested) { - enumerator_t *enumerator; - u_int pool, timeout, identity; host_t *address = NULL; - + u_int identity, pool, timeout; + identity = get_identity(this, id); if (identity) { - enumerator = enumerator_create_token(name, ",", " "); - while (enumerator->enumerate(enumerator, &name)) + /* check for a single pool first (no concatenation and enumeration) */ + if (strchr(names, ',') == NULL) { - pool = get_pool(this, name, &timeout); + pool = get_pool(this, names, &timeout); if (pool) { - address = get_address(this, name, pool, timeout, identity); - if (address) + /* check for an existing lease */ + address = check_lease(this, names, pool, identity); + if (address == NULL) + { + /* get an unallocated address or expired lease */ + address = get_lease(this, names, pool, timeout, identity); + } + } + } + else + { + enumerator_t *enumerator; + char *name; + + /* in a first step check for an existing lease over all pools */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) + { + address = check_lease(this, name, pool, identity); + if (address) + { + enumerator->destroy(enumerator); + return address; + } + } + } + enumerator->destroy(enumerator); + + /* in a second step get an unallocated address or expired lease */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) { - break; + address = get_lease(this, name, pool, timeout, identity); + if (address) + { + break; + } } } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); } return address; } diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c index 3e5efce34..e7dfe573b 100644 --- a/src/charon/plugins/sql/sql_config.c +++ b/src/charon/plugins/sql/sql_config.c @@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, mediation, mediated_cfg, peer_id); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method); - auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id)); + auth->add(auth, AUTH_RULE_IDENTITY, local_id); peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); auth = auth_cfg_create(); - auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id)); + auth->add(auth, AUTH_RULE_IDENTITY, remote_id); if (eap_type) { auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am index fb58ba62b..79a63f2c2 100644 --- a/src/charon/plugins/stroke/Makefile.am +++ b/src/charon/plugins/stroke/Makefile.am @@ -18,5 +18,5 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in index f246286a0..19822ebc8 100644 --- a/src/charon/plugins/stroke/Makefile.in +++ b/src/charon/plugins/stroke/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a7925ce3e..d3211fd67 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -539,7 +539,7 @@ stroke_attribute_t *stroke_attribute_create() this->public.destroy = (void(*)(stroke_attribute_t*))destroy; this->pools = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index fab06e6c5..c354d8cb8 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -447,7 +447,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_ca_t*))destroy; this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cred = cred; return &this->public; diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 028e71e71..0b6a4ac31 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -924,7 +924,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_config_t*))destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->ca = ca; this->cred = cred; diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c index dc73299b8..31bcfe9f4 100644 --- a/src/charon/plugins/stroke/stroke_cred.c +++ b/src/charon/plugins/stroke/stroke_cred.c @@ -16,6 +16,8 @@ #include <sys/stat.h> #include <limits.h> +#include <glob.h> +#include <libgen.h> #include "stroke_cred.h" #include "stroke_shared_key.h" @@ -41,6 +43,8 @@ #define CRL_DIR IPSEC_D_DIR "/crls" #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" +#define MAX_SECRETS_RECURSION 10 + typedef struct private_stroke_cred_t private_stroke_cred_t; /** @@ -691,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) /** * reload ipsec.secrets */ -static void load_secrets(private_stroke_cred_t *this) +static void load_secrets(private_stroke_cred_t *this, char *file, int level) { size_t bytes; int line_nr = 0; @@ -700,9 +704,9 @@ static void load_secrets(private_stroke_cred_t *this) private_key_t *private; shared_key_t *shared; - DBG1(DBG_CFG, "loading secrets from '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "loading secrets from '%s'", file); - fd = fopen(SECRETS_FILE, "r"); + fd = fopen(file, "r"); if (fd == NULL) { DBG1(DBG_CFG, "opening secrets file '%s' failed"); @@ -719,15 +723,19 @@ static void load_secrets(private_stroke_cred_t *this) src = chunk; this->lock->write_lock(this->lock); - while (this->shared->remove_last(this->shared, - (void**)&shared) == SUCCESS) - { - shared->destroy(shared); - } - while (this->private->remove_last(this->private, - (void**)&private) == SUCCESS) + if (level == 0) { - private->destroy(private); + /* flush secrets on non-recursive invocation */ + while (this->shared->remove_last(this->shared, + (void**)&shared) == SUCCESS) + { + shared->destroy(shared); + } + while (this->private->remove_last(this->private, + (void**)&private) == SUCCESS) + { + private->destroy(private); + } } while (fetchline(&src, &line)) @@ -741,6 +749,66 @@ static void load_secrets(private_stroke_cred_t *this) { continue; } + if (line.len > strlen("include ") && + strneq(line.ptr, "include ", strlen("include "))) + { + glob_t buf; + char **expanded, *dir, pattern[PATH_MAX]; + u_char *pos; + + if (level > MAX_SECRETS_RECURSION) + { + DBG1(DBG_CFG, "maximum level of %d includes reached, ignored", + MAX_SECRETS_RECURSION); + continue; + } + /* terminate filename by space */ + line = chunk_skip(line, strlen("include ")); + pos = memchr(line.ptr, ' ', line.len); + if (pos) + { + line.len = pos - line.ptr; + } + if (line.len && line.ptr[0] == '/') + { + if (line.len + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + continue; + } + snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr); + } + else + { /* use directory of current file if relative */ + dir = strdup(file); + dir = dirname(dir); + + if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + free(dir); + continue; + } + snprintf(pattern, sizeof(pattern), "%s/%.*s", + dir, line.len, line.ptr); + free(dir); + } + if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) + { + DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); + globfree(&buf); + } + else + { + for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) + { + load_secrets(this, *expanded, level + 1); + } + } + globfree(&buf); + continue; + } + if (line.len > 2 && strneq(": ", line.ptr, 2)) { /* no ids, skip the ':' */ @@ -989,7 +1057,7 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg) if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); } if (msg->reread.flags & REREAD_CACERTS) { @@ -1057,10 +1125,10 @@ stroke_cred_t *stroke_cred_create() this->certs = linked_list_create(); this->shared = linked_list_create(); this->private = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); load_certs(this); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); this->cachecrl = FALSE; diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 564a511a1..6f421bd30 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -146,8 +146,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) */ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { - u_int32_t rekey, now = time(NULL); - u_int32_t use_in, use_out; + time_t use_in, use_out, rekey, now = time(NULL); + u_int64_t bytes_in, bytes_out; proposal_t *proposal; child_cfg_t *config = child_sa->get_config(child_sa); @@ -205,6 +205,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) } } } + + child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in); + fprintf(out, ", %llu bytes_i", bytes_in); + if (use_in) + { + fprintf(out, " (%ds ago)", now - use_in); + } + + child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out); + fprintf(out, ", %llu bytes_o", bytes_out); + if (use_out) + { + fprintf(out, " (%ds ago)", now - use_out); + } fprintf(out, ", rekeying "); rekey = child_sa->get_lifetime(child_sa, FALSE); @@ -224,25 +238,6 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) fprintf(out, "disabled"); } - fprintf(out, ", last use: "); - use_in = child_sa->get_usetime(child_sa, TRUE); - if (use_in) - { - fprintf(out, "%ds_i ", now - use_in); - } - else - { - fprintf(out, "no_i "); - } - use_out = child_sa->get_usetime(child_sa, FALSE); - if (use_out) - { - fprintf(out, "%ds_o ", now - use_out); - } - else - { - fprintf(out, "no_o "); - } } } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index f61171e22..9b6a8a3a7 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -27,6 +27,7 @@ #include <processing/jobs/callback_job.h> #include <daemon.h> +#include <utils/mutex.h> /* for Mac OS X compatible accept */ #include "stroke_config.h" #include "stroke_control.h" diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am index 0136bf5e9..9fdbfb709 100644 --- a/src/charon/plugins/uci/Makefile.am +++ b/src/charon/plugins/uci/Makefile.am @@ -8,7 +8,7 @@ libstrongswan_uci_la_SOURCES = \ uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in index e599135cb..c4fb335d7 100644 --- a/src/charon/plugins/uci/Makefile.in +++ b/src/charon/plugins/uci/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_uci_la_SOURCES = \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci all: all-am diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am index 50c5e0362..64846f995 100644 --- a/src/charon/plugins/unit_tester/Makefile.am +++ b/src/charon/plugins/unit_tester/Makefile.am @@ -20,5 +20,5 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in index 2ee5e48d8..0bf0cf301 100644 --- a/src/charon/plugins/unit_tester/Makefile.in +++ b/src/charon/plugins/unit_tester/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -241,7 +246,7 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h index dcf2a5d18..b99940c1a 100644 --- a/src/charon/plugins/unit_tester/tests.h +++ b/src/charon/plugins/unit_tester/tests.h @@ -36,5 +36,8 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE) DEFINE_TEST("IP pool", test_pool, FALSE) DEFINE_TEST("SSH agent", test_agent, FALSE) DEFINE_TEST("ID parts", test_id_parts, FALSE) +DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE) +DEFINE_TEST("ID equals", test_id_equals, FALSE) +DEFINE_TEST("ID matches", test_id_matches, FALSE) /** @}*/ diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c index 56dab2421..a1ef76be8 100644 --- a/src/charon/plugins/unit_tester/tests/test_id.c +++ b/src/charon/plugins/unit_tester/tests/test_id.c @@ -67,3 +67,183 @@ bool test_id_parts() return TRUE; } +/******************************************************************************* + * identification contains_wildcards() test + ******************************************************************************/ + +static bool test_id_wildcards_has(char *string) +{ + identification_t *id; + bool contains; + + id = identification_create_from_string(string); + contains = id->contains_wildcards(id); + id->destroy(id); + return contains; +} + +bool test_id_wildcards() +{ + if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw")) + { + return FALSE; + } + if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*")) + { + return FALSE; + } + if (test_id_wildcards_has("C=**, O=a*, CN=*a")) + { + return FALSE; + } + if (!test_id_wildcards_has("*@strongswan.org")) + { + return FALSE; + } + if (!test_id_wildcards_has("*.strongswan.org")) + { + return FALSE; + } + return TRUE; +} + +/******************************************************************************* + * identification equals test + ******************************************************************************/ + +static bool test_id_equals_one(identification_t *a, char *b_str) +{ + identification_t *b; + bool equals; + + b = identification_create_from_string(b_str); + equals = a->equals(a, b); + b->destroy(b); + return equals; +} + +bool test_id_equals() +{ + identification_t *a; + chunk_t encoding, fuzzed; + int i; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + encoding = chunk_clone(a->get_encoding(a)); + a->destroy(a); + + /* simple fuzzing, increment each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { /* skip ASN.1 type fields, as equals() handles them graceful */ + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]++; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + + /* and decrement each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]--; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + free(encoding.ptr); + return TRUE; +} + +/******************************************************************************* + * identification matches test + ******************************************************************************/ + +static id_match_t test_id_matches_one(identification_t *a, char *b_str) +{ + identification_t *b; + id_match_t match; + + b = identification_create_from_string(b_str); + match = a->matches(a, b); + b->destroy(b); + return match; +} + +bool test_id_matches() +{ + identification_t *a; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin") + != ID_MATCH_PERFECT) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE) + { + return FALSE; + } + a->destroy(a); + return TRUE; +} diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c index a305d5082..cb315276b 100644 --- a/src/charon/plugins/unit_tester/tests/test_mutex.c +++ b/src/charon/plugins/unit_tester/tests/test_mutex.c @@ -65,7 +65,7 @@ bool test_mutex() int i; pthread_t threads[THREADS]; - mutex = mutex_create(MUTEX_RECURSIVE); + mutex = mutex_create(MUTEX_TYPE_RECURSIVE); for (i = 0; i < 10; i++) { diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am index de60d9fbf..fe6e0bb52 100644 --- a/src/charon/plugins/updown/Makefile.am +++ b/src/charon/plugins/updown/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-updown.la libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in index d0aac79f9..b1b6fb497 100644 --- a/src/charon/plugins/updown/Makefile.in +++ b/src/charon/plugins/updown/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c index 82b4643eb..f4beb5abd 100644 --- a/src/charon/processing/jobs/callback_job.c +++ b/src/charon/processing/jobs/callback_job.c @@ -182,7 +182,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data, this->public.cancel = (void(*)(callback_job_t*))cancel; /* private variables */ - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->callback = cb; this->data = data; this->cleanup = cleanup; diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c index eb1db331b..4a3943323 100644 --- a/src/charon/processing/processor.c +++ b/src/charon/processing/processor.c @@ -240,9 +240,9 @@ processor_t *processor_create(size_t pool_size) this->public.destroy = (void(*)(processor_t*))destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->job_added = condvar_create(CONDVAR_DEFAULT); - this->thread_terminated = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT); + this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT); this->total_threads = 0; this->desired_threads = 0; this->idle_threads = 0; diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c index b3633f263..1f59205af 100644 --- a/src/charon/processing/scheduler.c +++ b/src/charon/processing/scheduler.c @@ -347,8 +347,8 @@ scheduler_t * scheduler_create() this->heap_size = HEAP_SIZE_DEFAULT; this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*)); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c index b8316036e..24a4fd6ed 100644 --- a/src/charon/sa/authenticators/eap/eap_manager.c +++ b/src/charon/sa/authenticators/eap/eap_manager.c @@ -163,7 +163,7 @@ eap_manager_t *eap_manager_create() this->public.destroy = (void(*)(eap_manager_t*))destroy; this->methods = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 9202e972e..14d174ab5 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -136,6 +136,26 @@ struct private_child_sa_t { * config used to create this child */ child_cfg_t *config; + + /** + * time of last use in seconds (inbound) + */ + u_int32_t my_usetime; + + /** + * time of last use in seconds (outbound) + */ + u_int32_t other_usetime; + + /** + * last number of inbound bytes + */ + u_int64_t my_usebytes; + + /** + * last number of outbound bytes + */ + u_int64_t other_usebytes; }; /** @@ -355,20 +375,72 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this) } /** - * Implementation of child_sa_t.get_usetime + * update the cached usebytes + * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs + * are available, and NOT_SUPPORTED if the kernel interface does not support + * querying the usebytes. + */ +static status_t update_usebytes(private_child_sa_t *this, bool inbound) +{ + status_t status = FAILED; + u_int64_t bytes; + + if (inbound) + { + if (this->my_spi) + { + status = charon->kernel_interface->query_sa( + charon->kernel_interface, + this->other_addr, this->my_addr, + this->my_spi, this->protocol, &bytes); + if (status == SUCCESS) + { + if (bytes > this->my_usebytes) + { + this->my_usebytes = bytes; + return SUCCESS; + } + return FAILED; + } + } + } + else + { + if (this->other_spi) + { + status = charon->kernel_interface->query_sa( + charon->kernel_interface, + this->my_addr, this->other_addr, + this->other_spi, this->protocol, &bytes); + if (status == SUCCESS) + { + if (bytes > this->other_usebytes) + { + this->other_usebytes = bytes; + return SUCCESS; + } + return FAILED; + } + } + } + return status; +} + +/** + * updates the cached usetime */ -static u_int32_t get_usetime(private_child_sa_t *this, bool inbound) +static void update_usetime(private_child_sa_t *this, bool inbound) { enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; u_int32_t last_use = 0; - + enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { u_int32_t in, out, fwd; - if (inbound) + if (inbound) { if (charon->kernel_interface->query_policy(charon->kernel_interface, other_ts, my_ts, POLICY_IN, &in) == SUCCESS) @@ -394,7 +466,42 @@ static u_int32_t get_usetime(private_child_sa_t *this, bool inbound) } } enumerator->destroy(enumerator); - return last_use; + + if (last_use == 0) + { + return; + } + if (inbound) + { + this->my_usetime = last_use; + } + else + { + this->other_usetime = last_use; + } +} + +/** + * Implementation of child_sa_t.get_usestats + */ +static void get_usestats(private_child_sa_t *this, bool inbound, + time_t *time, u_int64_t *bytes) +{ + if (update_usebytes(this, inbound) != FAILED) + { + /* there was traffic since last update or the kernel interface + * does not support querying the number of usebytes. + */ + update_usetime(this, inbound); + } + if (time) + { + *time = inbound ? this->my_usetime : this->other_usetime; + } + if (bytes) + { + *bytes = inbound ? this->my_usebytes : this->other_usebytes; + } } /** @@ -566,13 +673,13 @@ static status_t add_policies(private_child_sa_t *this, * Implementation of child_sa_t.update. */ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, - host_t *vip, bool encap) + host_t *vip, bool encap) { child_sa_state_t old; bool transport_proxy_mode; /* anything changed at all? */ - if (me->equals(me, this->my_addr) && + if (me->equals(me, this->my_addr) && other->equals(other, this->other_addr) && this->encap == encap) { return SUCCESS; @@ -661,7 +768,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, me, other, my_ts, other_ts, POLICY_OUT, this->other_spi, this->protocol, this->reqid, this->mode, this->ipcomp, this->other_cpi, FALSE); - charon->kernel_interface->add_policy(charon->kernel_interface, + charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_IN, this->my_spi, this->protocol, this->reqid, this->mode, this->ipcomp, this->my_cpi, FALSE); @@ -775,7 +882,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal; this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal; this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime; - this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime; + this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats; this->public.has_encap = (bool(*)(child_sa_t*))has_encap; this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp; this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp; @@ -798,6 +905,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->encap = encap; this->ipcomp = IPCOMP_NONE; this->state = CHILD_CREATED; + this->my_usetime = 0; + this->other_usetime = 0; + this->my_usebytes = 0; + this->other_usebytes = 0; /* reuse old reqid if we are rekeying an existing CHILD_SA */ this->reqid = rekey ? rekey : ++reqid; this->my_ts = linked_list_create(); @@ -810,7 +921,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->config = config; config->get_ref(config); - /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ + /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && config->use_proxy_mode(config)) { @@ -837,7 +948,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, host = host_create_from_chunk(family, addr, 0); free(addr.ptr); DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H", - this->my_addr, host); + this->my_addr, host); this->my_addr->destroy(this->my_addr); this->my_addr = host; } @@ -858,7 +969,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, host = host_create_from_chunk(family, addr, 0); free(addr.ptr); DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H", - this->other_addr, host); + this->other_addr, host); this->other_addr->destroy(this->other_addr); this->other_addr = host; } diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h index ec9b36dab..698da8bc7 100644 --- a/src/charon/sa/child_sa.h +++ b/src/charon/sa/child_sa.h @@ -85,11 +85,11 @@ extern enum_name_t *child_sa_state_names; /** * Represents an IPsec SAs between two hosts. - * + * * A child_sa_t contains two SAs. SAs for both * directions are managed in one child_sa_t object. Both * SAs and the policies have the same reqid. - * + * * The procedure for child sa setup is as follows: * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc * - A send the proposals with the allocated SPIs to B @@ -98,7 +98,7 @@ extern enum_name_t *child_sa_state_names; * - B calls child_sa_t.install for both, the allocated and received SPI * - B sends the proposal with the allocated SPI to A * - A calls child_sa_t.install for both, the allocated and recevied SPI - * + * * Once SAs are set up, policies can be added using add_policies. */ struct child_sa_t { @@ -112,7 +112,7 @@ struct child_sa_t { /** * Get the reqid of the CHILD SA. - * + * * Every CHILD_SA has a reqid. The kernel uses this ID to * identify it. * @@ -131,19 +131,19 @@ struct child_sa_t { * Get the state of the CHILD_SA. * * @return CHILD_SA state - */ + */ child_sa_state_t (*get_state) (child_sa_t *this); /** * Set the state of the CHILD_SA. * * @param state state to set on CHILD_SA - */ + */ void (*set_state) (child_sa_t *this, child_sa_state_t state); /** * Get the SPI of this CHILD_SA. - * + * * Set the boolean parameter inbound to TRUE to * get the SPI for which we receive packets, use * FALSE to get those we use for sending packets. @@ -155,7 +155,7 @@ struct child_sa_t { /** * Get the CPI of this CHILD_SA. - * + * * Set the boolean parameter inbound to TRUE to * get the CPI for which we receive packets, use * FALSE to get those we use for sending packets. @@ -202,7 +202,7 @@ struct child_sa_t { /** * Set the IPComp algorithm to use. - * + * * @param ipcomp the IPComp transform to use */ void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp); @@ -219,7 +219,7 @@ struct child_sa_t { * * @param proposal selected proposal */ - void (*set_proposal)(child_sa_t *this, proposal_t *proposal); + void (*set_proposal)(child_sa_t *this, proposal_t *proposal); /** * Check if this CHILD_SA uses UDP encapsulation. @@ -237,19 +237,21 @@ struct child_sa_t { u_int32_t (*get_lifetime)(child_sa_t *this, bool hard); /** - * Get last use time of the CHILD_SA. + * Get last use time and the number of bytes processed. * - * @param inbound TRUE for inbound traffic, FALSE for outbound - * @return time of last use in seconds + * @param inbound TRUE for inbound traffic, FALSE for outbound + * @param[out] time time of last use in seconds (NULL to ignore) + * @param[out] bytes number of processed bytes (NULL to ignore) */ - u_int32_t (*get_usetime)(child_sa_t *this, bool inbound); + void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time, + u_int64_t *bytes); /** * Get the traffic selectors list added for one side. * * @param local TRUE for own traffic selectors, FALSE for remote * @return list of traffic selectors - */ + */ linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local); /** @@ -296,7 +298,7 @@ struct child_sa_t { * @param my_ts traffic selectors for local site * @param other_ts traffic selectors for remote site * @return SUCCESS or FAILED - */ + */ status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list); /** diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c index a1b037de4..f26cf9405 100644 --- a/src/charon/sa/connect_manager.c +++ b/src/charon/sa/connect_manager.c @@ -1568,7 +1568,7 @@ connect_manager_t *connect_manager_create() this->checklists = linked_list_create(); this->initiated = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return (connect_manager_t*)this; } diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 6b7fa3582..be973a2ce 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -260,7 +260,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) { enumerator_t *enumerator; child_sa_t *child_sa; - time_t use_time; + time_t use_time, current; if (inbound) { @@ -273,7 +273,8 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) enumerator = this->child_sas->create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, &child_sa)) { - use_time = max(use_time, child_sa->get_usetime(child_sa, inbound)); + child_sa->get_usestats(child_sa, inbound, ¤t, NULL); + use_time = max(use_time, current); } enumerator->destroy(enumerator); @@ -1169,7 +1170,8 @@ static status_t initiate(private_ike_sa_t *this, #endif /* ME */ { /* normal IKE_SA with CHILD_SA */ - task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr); + task = (task_t*)child_create_create(&this->public, child_cfg, FALSE, + tsi, tsr); child_cfg->destroy(child_cfg); if (reqid) { @@ -1747,6 +1749,7 @@ static status_t roam(private_ike_sa_t *this, bool address) { case IKE_CREATED: case IKE_DELETING: + case IKE_DESTROYING: case IKE_PASSIVE: return SUCCESS; default: @@ -1775,10 +1778,46 @@ static status_t roam(private_ike_sa_t *this, bool address) DBG2(DBG_IKE, "keeping connection path %H - %H", src, this->other_host); src->destroy(src); + set_condition(this, COND_STALE, FALSE); + return SUCCESS; + } + src->destroy(src); + + } + else + { + /* check if we find a route at all */ + enumerator_t *enumerator; + host_t *addr; + + src = charon->kernel_interface->get_source_addr(charon->kernel_interface, + this->other_host, NULL); + if (!src) + { + enumerator = this->additional_addresses->create_enumerator( + this->additional_addresses); + while (enumerator->enumerate(enumerator, &addr)) + { + DBG1(DBG_IKE, "looking for a route to %H ...", addr); + src = charon->kernel_interface->get_source_addr( + charon->kernel_interface, addr, NULL); + if (src) + { + break; + } + } + enumerator->destroy(enumerator); + } + if (!src) + { + DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", + this->other_host); + set_condition(this, COND_STALE, TRUE); return SUCCESS; } src->destroy(src); } + set_condition(this, COND_STALE, FALSE); /* update addresses with mobike, if supported ... */ if (supports_extension(this, EXT_MOBIKE)) diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index b751bda0c..41d7a7976 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -127,6 +127,11 @@ enum ike_condition_t { * Local peer is the "original" IKE initiator. Unaffected from rekeying. */ COND_ORIGINAL_INITIATOR = (1<<6), + + /** + * IKE_SA is stale, the peer is currently unreachable (MOBIKE) + */ + COND_STALE = (1<<7), }; /** diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index efe7c228c..ec1a7f741 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -133,7 +133,7 @@ static entry_t *entry_create() entry_t *this = malloc_thing(entry_t); this->waiting_threads = 0; - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); /* we set checkout flag when we really give it out */ this->checked_out = FALSE; @@ -1050,7 +1050,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, enumerator_t *enumerator; entry_t *entry; ike_sa_t *ike_sa = NULL; - peer_cfg_t *current_cfg; + peer_cfg_t *current_peer; + ike_cfg_t *current_ike; u_int segment; if (!this->reuse_ikesa) @@ -1072,14 +1073,18 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, continue; } - current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa); - if (current_cfg && current_cfg->equals(current_cfg, peer_cfg)) + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) { - DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", - current_cfg->get_name(current_cfg)); - entry->checked_out = TRUE; - ike_sa = entry->ike_sa; - break; + current_ike = current_peer->get_ike_cfg(current_peer); + if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) + { + DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", + current_peer->get_name(current_peer)); + entry->checked_out = TRUE; + ike_sa = entry->ike_sa; + break; + } } } enumerator->destroy(enumerator); @@ -1554,6 +1559,17 @@ static void flush(private_ike_sa_manager_t *this) while (enumerator->enumerate(enumerator, &entry, &segment)) { charon->bus->set_sa(charon->bus, entry->ike_sa); + /* as the delete never gets processed, fire down events */ + switch (entry->ike_sa->get_state(entry->ike_sa)) + { + case IKE_ESTABLISHED: + case IKE_REKEYING: + case IKE_DELETING: + charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE); + break; + default: + break; + } entry->ike_sa->delete(entry->ike_sa); } enumerator->destroy(enumerator); @@ -1695,7 +1711,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->segments[i].mutex = mutex_create(MUTEX_RECURSIVE); + this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->segments[i].count = 0; } @@ -1704,7 +1720,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->half_open_segments[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->half_open_segments[i].count = 0; } @@ -1713,7 +1729,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->connected_peers_segments[i].count = 0; } diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c index 117d260ba..46fb79587 100644 --- a/src/charon/sa/keymat.c +++ b/src/charon/sa/keymat.c @@ -419,6 +419,9 @@ static bool derive_child_keys(private_keymat_t *this, case ENCR_AES_CCM_ICV8: case ENCR_AES_CCM_ICV12: case ENCR_AES_CCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: enc_size += 3; break; case ENCR_AES_GCM_ICV8: diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c index 890e567c7..a69c00173 100644 --- a/src/charon/sa/mediation_manager.c +++ b/src/charon/sa/mediation_manager.c @@ -331,7 +331,7 @@ mediation_manager_t *mediation_manager_create() this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register; this->peers = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return (mediation_manager_t*)this; } diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c index 2cd9532eb..f33fcd6d4 100644 --- a/src/charon/sa/task_manager.c +++ b/src/charon/sa/task_manager.c @@ -220,6 +220,10 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); + if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } return DESTROY_ME; } @@ -240,6 +244,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) { DBG1(DBG_IKE, "giving up after %d path probings", this->initiating.retransmitted - 1); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -431,6 +436,12 @@ static status_t build_request(private_task_manager_t *this) break; case FAILED: default: + if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->destroy(iterator); message->destroy(message); @@ -451,6 +462,7 @@ static status_t build_request(private_task_manager_t *this) * close the SA */ message->destroy(message); flush(this); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -474,6 +486,7 @@ static status_t process_response(private_task_manager_t *this, DBG1(DBG_IKE, "received %N response, but expected %N", exchange_type_names, message->get_exchange_type(message), exchange_type_names, this->initiating.type); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -494,6 +507,9 @@ static status_t process_response(private_task_manager_t *this, break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->remove(iterator); iterator->destroy(iterator); @@ -604,6 +620,9 @@ static status_t build_response(private_task_manager_t *this, message_t *request) break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* destroy IKE_SA, but SEND response first */ delete = TRUE; break; @@ -631,6 +650,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request) message->destroy(message); if (status != SUCCESS) { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -678,7 +698,8 @@ static status_t process_request(private_task_manager_t *this, this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)ike_config_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); - task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL); + task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE, + NULL, NULL); this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); @@ -726,8 +747,8 @@ static status_t process_request(private_task_manager_t *this, } else { - task = (task_t*)child_create_create(this->ike_sa, - NULL, NULL, NULL); + task = (task_t*)child_create_create(this->ike_sa, NULL, + FALSE, NULL, NULL); } } else @@ -831,6 +852,9 @@ static status_t process_request(private_task_manager_t *this, break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->remove(iterator); iterator->destroy(iterator); diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index f51443738..558938f2e 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -158,6 +158,11 @@ struct private_child_create_t { * successfully established the CHILD? */ bool established; + + /** + * whether the CHILD_SA rekeys an existing one + */ + bool rekey; }; /** @@ -249,7 +254,7 @@ static bool allocate_spi(private_child_create_t *this) */ static status_t select_and_install(private_child_create_t *this, bool no_dh) { - status_t status; + status_t status, status_i, status_o; chunk_t nonce_i, nonce_r; chunk_t encr_i = chunk_empty, encr_r = chunk_empty; chunk_t integ_i = chunk_empty, integ_r = chunk_empty; @@ -401,22 +406,22 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) this->my_cpi = this->other_cpi = 0; this->ipcomp = IPCOMP_NONE; } - status = FAILED; + status_i = status_o = FAILED; if (this->keymat->derive_child_keys(this->keymat, this->proposal, this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r)) { if (this->initiator) { - status = this->child_sa->install(this->child_sa, encr_r, integ_r, + status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, this->my_spi, this->my_cpi, TRUE); - status = this->child_sa->install(this->child_sa, encr_i, integ_i, + status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, this->other_spi, this->other_cpi, FALSE); } else { - status = this->child_sa->install(this->child_sa, encr_i, integ_i, + status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, this->my_spi, this->my_cpi, TRUE); - status = this->child_sa->install(this->child_sa, encr_r, integ_r, + status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, FALSE); } } @@ -425,9 +430,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) chunk_clear(&encr_i); chunk_clear(&encr_r); - if (status != SUCCESS) + if (status_i != SUCCESS || status_o != SUCCESS) { - DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel"); + DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel", + (status_i != SUCCESS) ? "inbound " : "", + (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "", + (status_o != SUCCESS) ? "outbound " : ""); return FAILED; } @@ -939,7 +947,11 @@ static status_t build_r(private_child_create_t *this, message_t *message) ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), this->child_sa->get_traffic_selectors(this->child_sa, TRUE), this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); - + + if (!this->rekey) + { /* invoke the child_up() hook if we are not rekeying */ + charon->bus->child_updown(charon->bus, this->child_sa, TRUE); + } return SUCCESS; } @@ -1052,6 +1064,11 @@ static status_t process_i(private_child_create_t *this, message_t *message) ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), this->child_sa->get_traffic_selectors(this->child_sa, TRUE), this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); + + if (!this->rekey) + { /* invoke the child_up() hook if we are not rekeying */ + charon->bus->child_updown(charon->bus, this->child_sa, TRUE); + } } else { @@ -1174,7 +1191,8 @@ static void destroy(private_child_create_t *this) /* * Described in header. */ -child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, +child_create_t *child_create_create(ike_sa_t *ike_sa, + child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { private_child_create_t *this = malloc_thing(private_child_create_t); @@ -1222,6 +1240,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, this->other_cpi = 0; this->reqid = 0; this->established = FALSE; + this->rekey = rekey; return &this->public; } diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h index ce2829a9a..41f4fe2c8 100644 --- a/src/charon/sa/tasks/child_create.h +++ b/src/charon/sa/tasks/child_create.h @@ -71,11 +71,13 @@ struct child_create_t { * * @param ike_sa IKE_SA this task works for * @param config child_cfg if task initiator, NULL if responder + * @param rekey whether we do a rekey or not * @param tsi source of triggering packet, or NULL * @param tsr destination of triggering packet, or NULL * @return child_create task to handle by the task_manager */ -child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, +child_create_t *child_create_create(ike_sa_t *ike_sa, + child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr); #endif /** CHILD_CREATE_H_ @}*/ diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c index 0d89c148e..7abb07a84 100644 --- a/src/charon/sa/tasks/child_delete.c +++ b/src/charon/sa/tasks/child_delete.c @@ -52,11 +52,16 @@ struct private_child_delete_t { u_int32_t spi; /** - * wheter to enforce delete action policy + * whether to enforce delete action policy */ bool check_delete_action; /** + * is this delete exchange following a rekey? + */ + bool rekeyed; + + /** * CHILD_SAs which get deleted */ linked_list_t *child_sas; @@ -148,6 +153,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message) switch (child_sa->get_state(child_sa)) { case CHILD_REKEYING: + this->rekeyed = TRUE; /* we reply as usual, rekeying will fail */ break; case CHILD_DELETING: @@ -190,6 +196,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { + /* signal child down event if we are not rekeying */ + if (!this->rekeyed) + { + charon->bus->child_updown(charon->bus, child_sa, FALSE); + } spi = child_sa->get_spi(child_sa, TRUE); protocol = child_sa->get_protocol(child_sa); child_cfg = child_sa->get_config(child_sa); @@ -229,15 +240,19 @@ static void log_children(private_child_delete_t *this) { iterator_t *iterator; child_sa_t *child_sa; + u_int64_t bytes_in, bytes_out; iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in); + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out); + DBG0(DBG_IKE, "closing CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), - ntohl(child_sa->get_spi(child_sa, TRUE)), - ntohl(child_sa->get_spi(child_sa, FALSE)), + ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, + ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, child_sa->get_traffic_selectors(child_sa, TRUE), child_sa->get_traffic_selectors(child_sa, FALSE)); } @@ -258,7 +273,10 @@ static status_t build_i(private_child_delete_t *this, message_t *message) return SUCCESS; } this->child_sas->insert_last(this->child_sas, child_sa); - + if (child_sa->get_state(child_sa) == CHILD_REKEYING) + { + this->rekeyed = TRUE; + } log_children(this); build_payloads(this, message); return NEED_MORE; @@ -359,6 +377,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, this->child_sas = linked_list_create(); this->protocol = protocol; this->spi = spi; + this->rekeyed = FALSE; if (protocol != PROTO_NONE) { diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c index 6ab00dc5b..601e054ea 100644 --- a/src/charon/sa/tasks/child_rekey.c +++ b/src/charon/sa/tasks/child_rekey.c @@ -157,7 +157,8 @@ static status_t build_i(private_child_rekey_t *this, message_t *message) /* ... our CHILD_CREATE task does the hard work for us. */ reqid = this->child_sa->get_reqid(this->child_sa); - this->child_create = child_create_create(this->ike_sa, config, NULL, NULL); + this->child_create = child_create_create(this->ike_sa, config, TRUE, + NULL, NULL); this->child_create->use_reqid(this->child_create, reqid); this->child_create->task.build(&this->child_create->task, message); @@ -207,6 +208,10 @@ static status_t build_r(private_child_rekey_t *this, message_t *message) } this->child_sa->set_state(this->child_sa, CHILD_REKEYING); + + /* invoke rekey hook */ + charon->bus->child_rekey(charon->bus, this->child_sa, + this->child_create->get_child(this->child_create)); return SUCCESS; } @@ -303,6 +308,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) } } + if (to_delete != this->child_create->get_child(this->child_create)) + { /* invoke rekey hook if rekeying successful */ + charon->bus->child_rekey(charon->bus, this->child_sa, + this->child_create->get_child(this->child_create)); + } + spi = to_delete->get_spi(to_delete, TRUE); protocol = to_delete->get_protocol(to_delete); @@ -416,7 +427,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; this->initiator = FALSE; - this->child_create = child_create_create(ike_sa, NULL, NULL, NULL); + this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL); } this->ike_sa = ike_sa; diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index 8d6cd56bd..d0b2a7e91 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -738,6 +738,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); return SUCCESS; } return NEED_MORE; @@ -916,6 +917,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); return SUCCESS; } return NEED_MORE; diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index f308a6358..cde117934 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -21,7 +21,7 @@ typedef struct private_ike_delete_t private_ike_delete_t; -/**file +/** * Private members of a ike_delete_t task. */ struct private_ike_delete_t { @@ -42,6 +42,11 @@ struct private_ike_delete_t { bool initiator; /** + * are we deleting a rekeyed SA? + */ + bool rekeyed; + + /** * are we responding to a delete, but have initated our own? */ bool simultaneous; @@ -64,6 +69,11 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) delete_payload = delete_payload_create(PROTO_IKE); message->add_payload(message, (payload_t*)delete_payload); + + if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING) + { + this->rekeyed = TRUE; + } this->ike_sa->set_state(this->ike_sa, IKE_DELETING); DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]", @@ -79,8 +89,12 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) static status_t process_i(private_ike_delete_t *this, message_t *message) { DBG0(DBG_IKE, "IKE_SA deleted"); - /* completed, delete IKE_SA by returning FAILED */ - return FAILED; + if (!this->rekeyed) + { /* invoke ike_down() hook if SA has not been rekeyed */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* completed, delete IKE_SA by returning DESTROY_ME */ + return DESTROY_ME; } /** @@ -106,14 +120,17 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) case IKE_ESTABLISHED: this->ike_sa->set_state(this->ike_sa, IKE_DELETING); this->ike_sa->reestablish(this->ike_sa); + return NEED_MORE; + case IKE_REKEYING: + this->rekeyed = TRUE; break; case IKE_DELETING: this->simultaneous = TRUE; - /* FALL */ + break; default: - this->ike_sa->set_state(this->ike_sa, IKE_DELETING); break; } + this->ike_sa->set_state(this->ike_sa, IKE_DELETING); return NEED_MORE; } @@ -129,8 +146,12 @@ static status_t build_r(private_ike_delete_t *this, message_t *message) /* wait for peer's response for our delete request, but set a timeout */ return SUCCESS; } - /* completed, delete IKE_SA by returning FAILED */ - return FAILED; + if (!this->rekeyed) + { /* invoke ike_down() hook if SA has not been rekeyed */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* completed, delete IKE_SA by returning DESTROY_ME */ + return DESTROY_ME; } /** @@ -182,6 +203,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator) this->ike_sa = ike_sa; this->initiator = initiator; + this->rekeyed = FALSE; this->simultaneous = FALSE; return &this->public; diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index bead408a6..3a049b566 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -367,6 +367,8 @@ static void destroy(private_ike_rekey_t *this) if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED && this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME) { + /* invoke hook if rekeying was successful */ + charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa); charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); } else diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h index f9b409f35..3d2014599 100644 --- a/src/charon/sa/tasks/task.h +++ b/src/charon/sa/tasks/task.h @@ -100,7 +100,8 @@ struct task_t { * * @param message message to add payloads to * @return - * - FAILED if a critical error occured + * - FAILED if a critical error occured + * - DESTROY_ME if IKE_SA has been properly deleted * - NEED_MORE if another call to build/process needed * - SUCCESS if task completed */ @@ -112,6 +113,7 @@ struct task_t { * @param message message to read payloads from * @return * - FAILED if a critical error occured + * - DESTROY_ME if IKE_SA has been properly deleted * - NEED_MORE if another call to build/process needed * - SUCCESS if task completed */ diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c index a74fab93f..570335eb4 100644 --- a/src/charon/sa/trap_manager.c +++ b/src/charon/sa/trap_manager.c @@ -156,6 +156,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer, me->destroy(me); other->destroy(other); + /* while we don't know the finally negotiated protocol (ESP|AH), we + * could iterate all proposals for a best guest (TODO). But as we + * support ESP only for now, we set here. */ + child_sa->set_protocol(child_sa, PROTO_ESP); child_sa->set_mode(child_sa, child->get_mode(child)); status = child_sa->add_policies(child_sa, my_ts, other_ts); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); @@ -358,7 +362,7 @@ trap_manager_t *trap_manager_create() this->public.destroy = (void(*)(trap_manager_t*))destroy; this->traps = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); /* register listener for IKE state changes */ this->listener.traps = this; diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am new file mode 100644 index 000000000..bd42c231f --- /dev/null +++ b/src/checksum/Makefile.am @@ -0,0 +1,36 @@ +ipsec_LTLIBRARIES = libchecksum.la +noinst_PROGRAMS = checksum_builder + +nodist_libchecksum_la_SOURCES = checksum.c +libchecksum_la_LDFLAGS = -module -avoid-version + +checksum_builder_SOURCES = checksum_builder.c +checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la + +BUILT_SOURCES = checksum.c +CLEANFILES = checksum.c +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic + +libs = $(shell find $(top_builddir)/src/libstrongswan $(top_builddir)/src/charon \ + -name 'libstrongswan*.so') + +if USE_CHARON + libs += $(top_builddir)/src/charon/.libs/charon +endif + +if USE_PLUTO + libs += $(top_builddir)/src/pluto/.libs/pluto +endif + +if USE_TOOLS + libs += $(top_builddir)/src/openac/.libs/openac + libs += $(top_builddir)/src/scepclient/.libs/scepclient +endif + +if USE_SQL + libs += $(top_builddir)/src/charon/plugins/sql/.libs/pool +endif + +checksum.c : checksum_builder $(libs) + ./checksum_builder $(libs) > checksum.c diff --git a/src/libstrongswan/fips/Makefile.in b/src/checksum/Makefile.in index cdced9423..4d38df2dd 100644 --- a/src/libstrongswan/fips/Makefile.in +++ b/src/checksum/Makefile.in @@ -14,6 +14,7 @@ @SET_MAKE@ + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -32,10 +33,14 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -noinst_PROGRAMS = fips_signer$(EXEEXT) -@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1 -@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL -subdir = src/libstrongswan/fips +noinst_PROGRAMS = checksum_builder$(EXEEXT) +@USE_CHARON_TRUE@am__append_1 = $(top_builddir)/src/charon/.libs/charon +@USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto +@USE_TOOLS_TRUE@am__append_3 = \ +@USE_TOOLS_TRUE@ $(top_builddir)/src/openac/.libs/openac \ +@USE_TOOLS_TRUE@ $(top_builddir)/src/scepclient/.libs/scepclient +@USE_SQL_TRUE@am__append_4 = $(top_builddir)/src/charon/plugins/sql/.libs/pool +subdir = src/checksum DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in @@ -43,10 +48,26 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(ipsecdir)" +ipsecLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(ipsec_LTLIBRARIES) +libchecksum_la_LIBADD = +nodist_libchecksum_la_OBJECTS = checksum.lo +libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS) +libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@ PROGRAMS = $(noinst_PROGRAMS) -am_fips_signer_OBJECTS = fips_signer.$(OBJEXT) -fips_signer_OBJECTS = $(am_fips_signer_OBJECTS) -fips_signer_DEPENDENCIES = ../libstrongswan.la +am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT) +checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS) +checksum_builder_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -59,18 +80,20 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(fips_signer_SOURCES) -DIST_SOURCES = $(fips_signer_SOURCES) +SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES) +DIST_SOURCES = $(checksum_builder_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -135,6 +158,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -175,7 +199,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -209,14 +235,19 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer +ipsec_LTLIBRARIES = libchecksum.la +nodist_libchecksum_la_SOURCES = checksum.c +libchecksum_la_LDFLAGS = -module -avoid-version +checksum_builder_SOURCES = checksum_builder.c +checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +BUILT_SOURCES = checksum.c +CLEANFILES = checksum.c INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \ - $(am__append_1) $(am__append_2) +AM_CFLAGS = -rdynamic +libs = $(shell find $(top_builddir)/src/libstrongswan \ + $(top_builddir)/src/charon -name 'libstrongswan*.so') \ + $(am__append_1) $(am__append_2) $(am__append_3) \ + $(am__append_4) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am @@ -231,9 +262,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/checksum/Makefile'; \ cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile + $(AUTOMAKE) --gnu src/checksum/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -251,6 +282,35 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-ipsecLTLIBRARIES: $(ipsec_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \ + else :; fi; \ + done + +uninstall-ipsecLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$p'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$p"; \ + done + +clean-ipsecLTLIBRARIES: + -test -z "$(ipsec_LTLIBRARIES)" || rm -f $(ipsec_LTLIBRARIES) + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) + $(libchecksum_la_LINK) -rpath $(ipsecdir) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS) clean-noinstPROGRAMS: @list='$(noinst_PROGRAMS)'; for p in $$list; do \ @@ -258,9 +318,9 @@ clean-noinstPROGRAMS: echo " rm -f $$p $$f"; \ rm -f $$p $$f ; \ done -fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) - @rm -f fips_signer$(EXEEXT) - $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS) +checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) + @rm -f checksum_builder$(EXEEXT) + $(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -268,7 +328,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -373,8 +434,11 @@ distdir: $(DISTFILES) check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) installdirs: + for dir in "$(DESTDIR)$(ipsecdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am install-exec: install-exec-am @@ -404,8 +468,8 @@ maintainer-clean-generic: -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am +clean-am: clean-generic clean-ipsecLTLIBRARIES clean-libtool \ + clean-noinstPROGRAMS mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -423,7 +487,7 @@ info: info-am info-am: -install-data-am: +install-data-am: install-ipsecLTLIBRARIES install-dvi: install-dvi-am @@ -459,26 +523,28 @@ ps: ps-am ps-am: -uninstall-am: +uninstall-am: uninstall-ipsecLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ + clean-ipsecLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-ipsecLTLIBRARIES install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-ipsecLTLIBRARIES -fips_signature.h : fips_signer - ./fips_signer +checksum.c : checksum_builder $(libs) + ./checksum_builder $(libs) > checksum.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c new file mode 100644 index 000000000..a713eb526 --- /dev/null +++ b/src/checksum/checksum_builder.c @@ -0,0 +1,135 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdlib.h> +#include <stdio.h> +#include <dlfcn.h> + +#include <library.h> + +/* we need to fake some charon symbols to dlopen() its plugins */ +void *charon, *eap_type_names, *auth_class_names, *protocol_id_names, +*action_names, *ipsec_mode_names, *ike_sa_state_names, *child_sa_state_names, +*policy_dir_names, *ipcomp_transform_names, *debug_names, *controller_cb_empty; + +int main(int argc, char* argv[]) +{ + int i; + integrity_checker_t *integrity; + + /* avoid confusing leak reports in build process */ + setenv("LEAK_DETECTIVE_DISABLE", "1", 0); + library_init(NULL); + atexit(library_deinit); + + integrity = integrity_checker_create(NULL); + + printf("/**\n"); + printf(" * checksums of files and loaded code segments.\n"); + printf(" * created by %s\n", argv[0]); + printf(" */\n"); + printf("\n"); + printf("#include <library.h>\n"); + printf("\n"); + printf("integrity_checksum_t checksums[] = {\n"); + fprintf(stderr, "integrity test data:\n"); + fprintf(stderr, "module name, file size / checksum segment size / checksum\n"); + for (i = 1; i < argc; i++) + { + char *name, *path, *sname = NULL; + void *handle, *symbol; + u_int32_t fsum, ssum; + size_t fsize = 0; + size_t ssize = 0; + + path = argv[i]; + + if ((name = strstr(path, "libstrongswan-"))) + { + name = strdup(name + strlen("libstrongswan-")); + name[strlen(name) - 3] = '"'; + name[strlen(name) - 2] = ','; + name[strlen(name) - 1] = '\0'; + sname = "plugin_create"; + } + else if (strstr(path, "libstrongswan.so")) + { + name = strdup("libstrongswan\","); + sname = "library_init"; + } + else if (strstr(path, "pool")) + { + name = strdup("pool\","); + } + else if (strstr(path, "charon")) + { + name = strdup("charon\","); + } + else if (strstr(path, "pluto")) + { + name = strdup("pluto\","); + } + else if (strstr(path, "openac")) + { + name = strdup("openac\","); + } + else if (strstr(path, "scepclient")) + { + name = strdup("scepclient\","); + } + else + { + fprintf(stderr, "don't know how to handle '%s', ignored", path); + continue; + } + + fsum = integrity->build_file(integrity, path, &fsize); + ssum = 0; + if (sname) + { + handle = dlopen(path, RTLD_LAZY); + if (handle) + { + symbol = dlsym(handle, sname); + if (symbol) + { + ssum = integrity->build_segment(integrity, symbol, &ssize); + } + else + { + fprintf(stderr, "symbol lookup failed: %s\n", dlerror()); + } + dlclose(handle); + } + else + { + fprintf(stderr, "dlopen failed: %s\n", dlerror()); + } + } + printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n", + name, fsize, fsum, ssize, ssum); + fprintf(stderr, "\"%-20s%7u / 0x%08x %6u / 0x%08x\n", + name, fsize, fsum, ssize, ssum); + free(name); + } + printf("};\n"); + printf("\n"); + printf("int checksum_count = countof(checksums);\n"); + printf("\n"); + integrity->destroy(integrity); + + exit(0); +} + diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index fdbf41f47..817e31104 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -83,12 +83,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -193,7 +196,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c index 72d6d1b5e..2ed96d562 100644 --- a/src/dumm/mconsole.c +++ b/src/dumm/mconsole.c @@ -149,7 +149,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t), { if (reply.len && *reply.data) { - DBG1("received mconsole error %d: %*.s", + DBG1("received mconsole error %d: %.*s", reply.err, reply.len, reply.data); } break; diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 7ee0793ec..495d02cc2 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -43,12 +43,14 @@ SOURCES = DIST_SOURCES = DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -113,6 +115,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -153,7 +156,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index d5a6dc82f..de069b928 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 98f5ddd88..266898984 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -71,12 +71,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -181,7 +184,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 37c32b9fa..31ea3a634 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -83,12 +83,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -193,7 +196,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c index 2e9fa2787..f2eb8d07a 100644 --- a/src/libfreeswan/anyaddr.c +++ b/src/libfreeswan/anyaddr.c @@ -17,12 +17,13 @@ #include "internal.h" #include "freeswan.h" -/* these are mostly fallbacks for the no-IPv6-support-in-library case */ -#ifndef IN6ADDR_ANY_INIT -#define IN6ADDR_ANY_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }} -#endif -#ifndef IN6ADDR_LOOPBACK_INIT -#define IN6ADDR_LOOPBACK_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }} +/* OpenSolaris defines strange versions of these macros */ +#ifdef __sun +#undef IN6ADDR_ANY_INIT +#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}} + +#undef IN6ADDR_LOOPBACK_INIT +#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}} #endif static struct in6_addr v6any = IN6ADDR_ANY_INIT; diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3 index fce8884e4..10da2691c 100644 --- a/src/libfreeswan/atoaddr.3 +++ b/src/libfreeswan/atoaddr.3 @@ -54,7 +54,7 @@ on a big-endian host and .B 4.3.2.1 on a little-endian host), a DNS name to be looked up via -.IR gethostbyname (3), +.IR getaddrinfo (3), or an old-style network name to be looked up via .IR getnetbyname (3). .PP @@ -91,10 +91,8 @@ DNS names may be complete (optionally terminated with a ``.'') or incomplete, and are looked up as specified by local system configuration (see .IR resolver (5)). -The -.I h_addr -value returned by -.IR gethostbyname (3) +The first value returned by +.IR getaddrinfo (3) is used, so with current DNS implementations, the result when the name corresponds to more than one address is @@ -102,7 +100,7 @@ difficult to predict. Name lookup resorts to .IR getnetbyname (3) only if -.IR gethostbyname (3) +.IR getaddrinfo (3) fails. .PP A subnet specification is of the form \fInetwork\fB/\fImask\fR. diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c index dd73be7f3..cbda541d3 100644 --- a/src/libfreeswan/atoaddr.c +++ b/src/libfreeswan/atoaddr.c @@ -12,6 +12,8 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public * License for more details. */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" @@ -41,7 +43,7 @@ const char *src; size_t srclen; /* 0 means "apply strlen" */ struct in_addr *addrp; { - struct hostent *h; + struct addrinfo hints, *res; struct netent *ne = NULL; const char *oops; # define HEXLEN 10 /* strlen("0x11223344") */ @@ -51,6 +53,7 @@ struct in_addr *addrp; char namebuf[ATOADDRBUF]; char *p = namebuf; char *q; + int error; if (srclen == 0) srclen = strlen(src); @@ -87,18 +90,34 @@ struct in_addr *addrp; return "illegal (non-DNS-name) character in name"; /* try as host name, failing that as /etc/networks network name */ - h = gethostbyname(p); - if (h == NULL) + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; + error = getaddrinfo(p, NULL, &hints, &res); + if (error != 0) + { ne = getnetbyname(p); + if (ne == NULL) + { + if (p != namebuf) + { + FREE(p); + } + return "name lookup failed"; + } + addrp->s_addr = htonl(ne->n_net); + } + else + { + struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr; + memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr)); + freeaddrinfo(res); + } + if (p != namebuf) + { FREE(p); - if (h == NULL && ne == NULL) - return "name lookup failed"; + } - if (h != NULL) - memcpy(&addrp->s_addr, h->h_addr, sizeof(addrp->s_addr)); - else - addrp->s_addr = htonl(ne->n_net); return NULL; } diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h index cb14cd678..77ce8f2be 100644 --- a/src/libfreeswan/freeswan.h +++ b/src/libfreeswan/freeswan.h @@ -20,11 +20,6 @@ # include <stdio.h> # include <netinet/in.h> -# define uint8_t u_int8_t -# define uint16_t u_int16_t -# define uint32_t u_int32_t -# define uint64_t u_int64_t - # define DEBUG_NO_STATIC static #include <ipsec_param.h> diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h index 5ef5e747c..461299c78 100644 --- a/src/libfreeswan/pfkeyv2.h +++ b/src/libfreeswan/pfkeyv2.h @@ -303,33 +303,40 @@ struct sadb_protocol { #define SADB_SASTATE_DEAD 3 #define SADB_SASTATE_MAX 3 -#define SADB_SAFLAGS_PFS 1 +#define SADB_SAFLAGS_PFS 1 #define SADB_X_SAFLAGS_REPLACEFLOW 2 #define SADB_X_SAFLAGS_CLEARFLOW 4 #define SADB_X_SAFLAGS_INFLOW 8 /* Authentication algorithms */ -#define SADB_AALG_NONE 0 -#define SADB_AALG_MD5HMAC 2 -#define SADB_AALG_SHA1HMAC 3 +#define SADB_AALG_NONE 0 +#define SADB_AALG_MD5HMAC 2 +#define SADB_AALG_SHA1HMAC 3 #define SADB_X_AALG_SHA2_256HMAC 5 #define SADB_X_AALG_SHA2_384HMAC 6 #define SADB_X_AALG_SHA2_512HMAC 7 #define SADB_X_AALG_RIPEMD160HMAC 8 #define SADB_X_AALG_AES_XCBC_MAC 9 -#define SADB_X_AALG_NULL 251 /* kame */ -#define SADB_AALG_MAX 251 +#define SADB_X_AALG_NULL 251 /* kame */ +#define SADB_AALG_MAX 251 /* Encryption algorithms */ -#define SADB_EALG_NONE 0 -#define SADB_EALG_DESCBC 2 -#define SADB_EALG_3DESCBC 3 -#define SADB_X_EALG_CASTCBC 6 +#define SADB_EALG_NONE 0 +#define SADB_EALG_DESCBC 2 +#define SADB_EALG_3DESCBC 3 +#define SADB_X_EALG_CASTCBC 6 #define SADB_X_EALG_BLOWFISHCBC 7 -#define SADB_EALG_NULL 11 -#define SADB_X_EALG_AESCBC 12 +#define SADB_EALG_NULL 11 +#define SADB_X_EALG_AESCBC 12 +#define SADB_X_EALG_AESCTR 13 +#define SADB_X_EALG_AES_CCM_ICV8 14 +#define SADB_X_EALG_AES_CCM_ICV12 15 +#define SADB_X_EALG_AES_CCM_ICV16 16 +#define SADB_X_EALG_AES_GCM_ICV8 18 +#define SADB_X_EALG_AES_GCM_ICV12 19 +#define SADB_X_EALG_AES_GCM_ICV16 20 #define SADB_X_EALG_CAMELLIACBC 22 -#define SADB_EALG_MAX 253 /* last EALG */ +#define SADB_EALG_MAX 253 /* last EALG */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ #define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3 index 70671145e..d43d2b16f 100644 --- a/src/libfreeswan/ttoaddr.3 +++ b/src/libfreeswan/ttoaddr.3 @@ -59,7 +59,7 @@ on a big-endian host and .B 4.3.2.1 on a little-endian host), a DNS name to be looked up via -.IR gethostbyname (3), +.IR getaddrinfo (3), or an old-style network name to be looked up via .IR getnetbyname (3). .PP @@ -100,7 +100,7 @@ abbreviating at most one subsequence of multiple zeros (e.g. which is synonymous with .BR 99:ab:0:0:0:0:54:68 ), or a DNS name to be looked up via -.IR gethostbyname (3). +.IR getaddrinfo (3). The result of applying .I addrtot to an IPv6 address will use @@ -115,10 +115,8 @@ DNS names may be complete (optionally terminated with a ``.'') or incomplete, and are looked up as specified by local system configuration (see .IR resolver (5)). -The -.I h_addr -value returned by -.IR gethostbyname2 (3) +The first value returned by +.IR getaddrinfo (3) is used, so with current DNS implementations, the result when the name corresponds to more than one address is @@ -126,7 +124,7 @@ difficult to predict. IPv4 name lookup resorts to .IR getnetbyname (3) only if -.IR gethostbyname2 (3) +.IR getaddrinfo (3) fails. .PP A subnet specification is of the form \fInetwork\fB/\fImask\fR. diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c index e4ceec863..bda2be5ed 100644 --- a/src/libfreeswan/ttoaddr.c +++ b/src/libfreeswan/ttoaddr.c @@ -157,12 +157,15 @@ int nultermd; /* is it known to be NUL-terminated? */ int af; ip_address *dst; { - struct hostent *h; + struct addrinfo hints, *res; struct netent *ne = NULL; char namebuf[100]; /* enough for most DNS names */ const char *cp; char *p = namebuf; + unsigned char *addr = NULL; size_t n; + int error; + err_t err = NULL; for (cp = src, n = srclen; n > 0; cp++, n--) if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) @@ -181,25 +184,67 @@ ip_address *dst; cp = (const char *)p; } - h = gethostbyname2(cp, af); - if (h == NULL && af == AF_INET) - ne = getnetbyname(cp); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + error = getaddrinfo(cp, NULL, &hints, &res); + if (error != 0) + { /* getaddrinfo failed, try getnetbyname */ + if (af == AF_INET) + { + ne = getnetbyname(cp); + if (ne != NULL) + { + ne->n_net = htonl(ne->n_net); + addr = (unsigned char*)&ne->n_net; + err = initaddr(addr, sizeof(ne->n_net), af, dst); + } + } + } + else + { + struct addrinfo *r = res; + while (r) + { + size_t addr_len; + switch (r->ai_family) + { + case AF_INET: + { + struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr; + addr_len = 4; + addr = (unsigned char*)&in->sin_addr.s_addr; + break; + } + case AF_INET6: + { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr; + addr_len = 16; + addr = (unsigned char*)&in6->sin6_addr.s6_addr; + break; + } + default: + { /* unknown family, try next result */ + r = r->ai_next; + continue; + } + } + err = initaddr(addr, addr_len, r->ai_family, dst); + break; + } + freeaddrinfo(res); + } + if (p != namebuf) + { FREE(p); - if (h == NULL && ne == NULL) - return "does not look numeric and name lookup failed"; + } - if (h != NULL) { - if (h->h_addrtype != af) - return "address-type mismatch from gethostbyname2!!!"; - return initaddr((unsigned char *)h->h_addr, h->h_length, af, dst); - } else { - if (ne->n_addrtype != af) - return "address-type mismatch from getnetbyname!!!"; - ne->n_net = htonl(ne->n_net); - return initaddr((unsigned char *)&ne->n_net, sizeof(ne->n_net), - af, dst); + if (addr == NULL) + { + return "does not look numeric and name lookup failed"; } + + return err; } /* diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 212b9547d..ee6996558 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -1,14 +1,6 @@ lib_LTLIBRARIES = libstrongswan.la -if USE_INTEGRITY_TEST - libstrongswan_la_SOURCES = \ - fips/fips_canister_start.c \ - fips/fips.c fips/fips.h -else - libstrongswan_la_SOURCES = -endif - -libstrongswan_la_SOURCES += \ +libstrongswan_la_SOURCES = \ library.c library.h \ chunk.c chunk.h \ debug.c debug.h \ @@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \ utils/backtrace.c utils/backtrace.h \ plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h -libstrongswan_la_LIBADD = -lpthread $(DLLIB) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ @@ -76,8 +68,9 @@ if USE_LOCK_PROFILER endif if USE_INTEGRITY_TEST + AM_CFLAGS += -DINTEGRITY_TEST libstrongswan_la_SOURCES += \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h endif if USE_VSTR @@ -204,7 +197,3 @@ endif if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors endif - -if USE_INTEGRITY_TEST - SUBDIRS += fips -endif diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index dd25f0526..ae751c098 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -37,31 +37,34 @@ host_triplet = @host@ @USE_LEAK_DETECTIVE_TRUE@ utils/leak_detective.c utils/leak_detective.h @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER -@USE_VSTR_TRUE@am__append_4 = -lvstr -@USE_AES_TRUE@am__append_5 = plugins/aes -@USE_DES_TRUE@am__append_6 = plugins/des -@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish -@USE_MD4_TRUE@am__append_8 = plugins/md4 -@USE_MD5_TRUE@am__append_9 = plugins/md5 -@USE_SHA1_TRUE@am__append_10 = plugins/sha1 -@USE_SHA2_TRUE@am__append_11 = plugins/sha2 -@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf -@USE_GMP_TRUE@am__append_13 = plugins/gmp -@USE_RANDOM_TRUE@am__append_14 = plugins/random -@USE_HMAC_TRUE@am__append_15 = plugins/hmac -@USE_XCBC_TRUE@am__append_16 = plugins/xcbc -@USE_X509_TRUE@am__append_17 = plugins/x509 -@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey -@USE_CURL_TRUE@am__append_19 = plugins/curl -@USE_LDAP_TRUE@am__append_20 = plugins/ldap -@USE_MYSQL_TRUE@am__append_21 = plugins/mysql -@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite -@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock -@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl -@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt -@USE_AGENT_TRUE@am__append_26 = plugins/agent -@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors -@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips +@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST +@USE_INTEGRITY_TEST_TRUE@am__append_5 = \ +@USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h + +@USE_VSTR_TRUE@am__append_6 = -lvstr +@USE_AES_TRUE@am__append_7 = plugins/aes +@USE_DES_TRUE@am__append_8 = plugins/des +@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish +@USE_MD4_TRUE@am__append_10 = plugins/md4 +@USE_MD5_TRUE@am__append_11 = plugins/md5 +@USE_SHA1_TRUE@am__append_12 = plugins/sha1 +@USE_SHA2_TRUE@am__append_13 = plugins/sha2 +@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf +@USE_GMP_TRUE@am__append_15 = plugins/gmp +@USE_RANDOM_TRUE@am__append_16 = plugins/random +@USE_HMAC_TRUE@am__append_17 = plugins/hmac +@USE_XCBC_TRUE@am__append_18 = plugins/xcbc +@USE_X509_TRUE@am__append_19 = plugins/x509 +@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey +@USE_CURL_TRUE@am__append_21 = plugins/curl +@USE_LDAP_TRUE@am__append_22 = plugins/ldap +@USE_MYSQL_TRUE@am__append_23 = plugins/mysql +@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite +@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock +@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl +@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt +@USE_AGENT_TRUE@am__append_28 = plugins/agent +@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ @@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ utils/backtrace.h plugins/plugin_loader.c \ plugins/plugin_loader.h plugins/plugin.h \ utils/leak_detective.c utils/leak_detective.h \ - fips/fips_canister_start.c fips/fips.c fips/fips.h \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo -@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \ -@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_FALSE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_FALSE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_FALSE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_FALSE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_FALSE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_FALSE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_FALSE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_FALSE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_FALSE@ database_factory.lo \ -@USE_INTEGRITY_TEST_FALSE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_FALSE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_FALSE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_FALSE@ plugin_loader.lo $(am__objects_1) -@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \ -@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_TRUE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_TRUE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_TRUE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_TRUE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_TRUE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_TRUE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_TRUE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_TRUE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_TRUE@ database_factory.lo \ -@USE_INTEGRITY_TEST_TRUE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_TRUE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_TRUE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_TRUE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_TRUE@ plugin_loader.lo $(am__objects_1) \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_end.lo +@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo +am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ + settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \ + pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \ + prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \ + crypto_tester.lo diffie_hellman.lo transform.lo \ + credential_factory.lo builder.lo private_key.lo public_key.lo \ + shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \ + database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \ + identification.lo lexparser.lo linked_list.lo hashtable.lo \ + enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \ + plugin_loader.lo $(am__objects_1) $(am__objects_2) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/gmp plugins/random plugins/hmac plugins/xcbc \ plugins/x509 plugins/pubkey plugins/curl plugins/ldap \ plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/agent plugins/test_vectors fips + plugins/gcrypt plugins/agent plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -312,7 +288,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ lib_LTLIBRARIES = libstrongswan.la -@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \ -@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_FALSE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/asn1_parser.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1_parser.h asn1/oid.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/oid.h asn1/pem.c asn1/pem.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_FALSE@ database/database.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_FALSE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/hashtable.c utils/hashtable.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin.h $(am__append_2) -@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h library.c \ -@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_TRUE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/asn1_parser.c asn1/asn1_parser.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \ -@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/transform.c crypto/transform.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_TRUE@ database/database.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_TRUE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.h utils/linked_list.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h utils/hashtable.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/hashtable.h utils/enumerator.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin.h $(am__append_2) \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c -libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4) +libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ + debug.h enum.c enum.h settings.h settings.c printf_hook.c \ + printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \ + asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \ + crypto/crypters/crypter.c crypto/crypters/crypter.h \ + crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \ + crypto/pkcs9.h crypto/proposal/proposal_keywords.c \ + crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \ + crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \ + crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \ + crypto/signers/signer.h crypto/crypto_factory.c \ + crypto/crypto_factory.h crypto/crypto_tester.c \ + crypto/crypto_tester.h crypto/diffie_hellman.c \ + crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ + credentials/credential_factory.c \ + credentials/credential_factory.h credentials/builder.c \ + credentials/builder.h credentials/keys/private_key.c \ + credentials/keys/private_key.h credentials/keys/public_key.c \ + credentials/keys/public_key.h credentials/keys/shared_key.c \ + credentials/keys/shared_key.h \ + credentials/certificates/certificate.c \ + credentials/certificates/certificate.h \ + credentials/certificates/x509.h \ + credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/crl.h credentials/certificates/crl.c \ + credentials/certificates/ocsp_request.h \ + credentials/certificates/ocsp_response.h \ + credentials/certificates/ocsp_response.c database/database.h \ + database/database_factory.h database/database_factory.c \ + fetcher/fetcher.h fetcher/fetcher_manager.h \ + fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \ + utils/host.c utils/host.h utils/identification.c \ + utils/identification.h utils/iterator.h utils/lexparser.c \ + utils/lexparser.h utils/linked_list.c utils/linked_list.h \ + utils/hashtable.c utils/hashtable.h utils/enumerator.c \ + utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \ + utils/mutex.c utils/mutex.h utils/backtrace.c \ + utils/backtrace.h plugins/plugin_loader.c \ + plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \ + $(am__append_5) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \ + $(am__append_6) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \ - $(am__append_3) + $(am__append_3) $(am__append_4) EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords.txt @@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c # build plugins with their own Makefile ####################################### -SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \ - $(am__append_8) $(am__append_9) $(am__append_10) \ - $(am__append_11) $(am__append_12) $(am__append_13) \ - $(am__append_14) $(am__append_15) $(am__append_16) \ - $(am__append_17) $(am__append_18) $(am__append_19) \ - $(am__append_20) $(am__append_21) $(am__append_22) \ - $(am__append_23) $(am__append_24) $(am__append_25) \ - $(am__append_26) $(am__append_27) $(am__append_28) +SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \ + $(am__append_10) $(am__append_11) $(am__append_12) \ + $(am__append_13) $(am__append_14) $(am__append_15) \ + $(am__append_16) $(am__append_17) $(am__append_18) \ + $(am__append_19) $(am__append_20) $(am__append_21) \ + $(am__append_22) $(am__append_23) $(am__append_24) \ + $(am__append_25) $(am__append_26) $(am__append_27) \ + $(am__append_28) $(am__append_29) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -605,13 +481,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c -fips_canister_start.lo: fips/fips_canister_start.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c - -fips.lo: fips/fips.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c - -fips_canister_end.lo: fips/fips_canister_end.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c - mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index d2078cbbc..ec46b165b 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob) u_char n; size_t len; - /* advance from tag field on to length field */ - blob->ptr++; - blob->len--; + if (blob->len < 2) + { + DBG2("insufficient number of octets to parse ASN.1 length"); + return ASN1_INVALID_LENGTH; + } - /* read first octet of length field */ - n = *blob->ptr++; - blob->len--; + /* read length field, skip tag and length */ + n = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); if ((n & 0x80) == 0) - {/* single length octet */ + { /* single length octet */ + if (n > blob->len) + { + DBG2("length is larger than remaining blob size"); + return ASN1_INVALID_LENGTH; + } return n; } /* composite length, determine number of length octets */ n &= 0x7f; - if (n > blob->len) + if (n == 0 || n > blob->len) { - DBG2("number of length octets is larger than ASN.1 object"); + DBG2("number of length octets invalid"); return ASN1_INVALID_LENGTH; } @@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob) return len; } +/* + * See header. + */ +int asn1_unwrap(chunk_t *blob, chunk_t *inner) +{ + chunk_t res; + u_char len; + int type; + + if (blob->len < 2) + { + return ASN1_INVALID; + } + type = blob->ptr[0]; + len = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); + + if ((len & 0x80) == 0) + { /* single length octet */ + res.len = len; + } + else + { /* composite length, determine number of length octets */ + len &= 0x7f; + if (len == 0 || len > sizeof(res.len)) + { + return ASN1_INVALID; + } + res.len = 0; + while (len-- > 0) + { + res.len = 256 * res.len + blob->ptr[0]; + *blob = chunk_skip(*blob, 1); + } + } + if (res.len > blob->len) + { + return ASN1_INVALID; + } + res.ptr = blob->ptr; + *blob = chunk_skip(*blob, res.len); + /* updating inner not before we are finished allows a caller to pass + * blob = inner */ + *inner = res; + return type; +} + #define TIME_MAX 0x7fffffff static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 }; diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 6a2b594c0..8072d62d6 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -74,7 +74,9 @@ typedef enum { ASN1_CONTEXT_C_2 = 0xA2, ASN1_CONTEXT_C_3 = 0xA3, ASN1_CONTEXT_C_4 = 0xA4, - ASN1_CONTEXT_C_5 = 0xA5 + ASN1_CONTEXT_C_5 = 0xA5, + + ASN1_INVALID = 0x100, } asn1_t; #define ASN1_INVALID_LENGTH 0xffffffff @@ -123,6 +125,15 @@ chunk_t asn1_build_known_oid(int n); size_t asn1_length(chunk_t *blob); /** + * Unwrap the inner content of an ASN.1 type/length wrapped object. + * + * @param blob blob to parse header from, moved behind parsed content + * @param content inner content + * @return parsed type, ASN1_INVALID if length parsing failed + */ +int asn1_unwrap(chunk_t *blob, chunk_t *content); + +/** * Parses an ASN.1 algorithmIdentifier object * * @param blob ASN.1 coded blob diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 53657b514..391d65e89 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -62,7 +62,7 @@ const oid_t oid_names[] = { { 0x25, 50, 0, 2, "extendedKeyUsage" }, /* 49 */ { 0x37, 51, 0, 2, "targetInformation" }, /* 50 */ { 0x38, 0, 0, 2, "noRevAvail" }, /* 51 */ - {0x2A, 143, 1, 0, "" }, /* 52 */ + {0x2A, 149, 1, 0, "" }, /* 52 */ { 0x83, 65, 1, 1, "" }, /* 53 */ { 0x08, 0, 1, 2, "jp" }, /* 54 */ { 0x8C, 0, 1, 3, "" }, /* 55 */ @@ -77,7 +77,7 @@ const oid_t oid_names[] = { { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 64 */ { 0x86, 0, 1, 1, "" }, /* 65 */ { 0x48, 0, 1, 2, "us" }, /* 66 */ - { 0x86, 107, 1, 3, "" }, /* 67 */ + { 0x86, 108, 1, 3, "" }, /* 67 */ { 0xF6, 73, 1, 4, "" }, /* 68 */ { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 69 */ { 0x07, 0, 1, 6, "Entrust" }, /* 70 */ @@ -85,225 +85,231 @@ const oid_t oid_names[] = { { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 72 */ { 0xF7, 0, 1, 4, "" }, /* 73 */ { 0x0D, 0, 1, 5, "RSADSI" }, /* 74 */ - { 0x01, 102, 1, 6, "PKCS" }, /* 75 */ - { 0x01, 84, 1, 7, "PKCS-1" }, /* 76 */ + { 0x01, 103, 1, 6, "PKCS" }, /* 75 */ + { 0x01, 85, 1, 7, "PKCS-1" }, /* 76 */ { 0x01, 78, 0, 8, "rsaEncryption" }, /* 77 */ { 0x02, 79, 0, 8, "md2WithRSAEncryption" }, /* 78 */ { 0x04, 80, 0, 8, "md5WithRSAEncryption" }, /* 79 */ { 0x05, 81, 0, 8, "sha-1WithRSAEncryption" }, /* 80 */ { 0x0B, 82, 0, 8, "sha256WithRSAEncryption" }, /* 81 */ { 0x0C, 83, 0, 8, "sha384WithRSAEncryption" }, /* 82 */ - { 0x0D, 0, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ - { 0x07, 91, 1, 7, "PKCS-7" }, /* 84 */ - { 0x01, 86, 0, 8, "data" }, /* 85 */ - { 0x02, 87, 0, 8, "signedData" }, /* 86 */ - { 0x03, 88, 0, 8, "envelopedData" }, /* 87 */ - { 0x04, 89, 0, 8, "signedAndEnvelopedData" }, /* 88 */ - { 0x05, 90, 0, 8, "digestedData" }, /* 89 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 90 */ - { 0x09, 0, 1, 7, "PKCS-9" }, /* 91 */ - { 0x01, 93, 0, 8, "E" }, /* 92 */ - { 0x02, 94, 0, 8, "unstructuredName" }, /* 93 */ - { 0x03, 95, 0, 8, "contentType" }, /* 94 */ - { 0x04, 96, 0, 8, "messageDigest" }, /* 95 */ - { 0x05, 97, 0, 8, "signingTime" }, /* 96 */ - { 0x06, 98, 0, 8, "counterSignature" }, /* 97 */ - { 0x07, 99, 0, 8, "challengePassword" }, /* 98 */ - { 0x08, 100, 0, 8, "unstructuredAddress" }, /* 99 */ - { 0x0E, 101, 0, 8, "extensionRequest" }, /* 100 */ - { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 101 */ - { 0x02, 105, 1, 6, "digestAlgorithm" }, /* 102 */ - { 0x02, 104, 0, 7, "md2" }, /* 103 */ - { 0x05, 0, 0, 7, "md5" }, /* 104 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 105 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 106 */ - { 0xCE, 0, 1, 3, "" }, /* 107 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 108 */ - { 0x02, 111, 1, 5, "id-publicKeyType" }, /* 109 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 110 */ - { 0x03, 141, 1, 5, "ellipticCurve" }, /* 111 */ - { 0x00, 133, 1, 6, "c-TwoCurve" }, /* 112 */ - { 0x01, 114, 0, 7, "c2pnb163v1" }, /* 113 */ - { 0x02, 115, 0, 7, "c2pnb163v2" }, /* 114 */ - { 0x03, 116, 0, 7, "c2pnb163v3" }, /* 115 */ - { 0x04, 117, 0, 7, "c2pnb176w1" }, /* 116 */ - { 0x05, 118, 0, 7, "c2tnb191v1" }, /* 117 */ - { 0x06, 119, 0, 7, "c2tnb191v2" }, /* 118 */ - { 0x07, 120, 0, 7, "c2tnb191v3" }, /* 119 */ - { 0x08, 121, 0, 7, "c2onb191v4" }, /* 120 */ - { 0x09, 122, 0, 7, "c2onb191v5" }, /* 121 */ - { 0x0A, 123, 0, 7, "c2pnb208w1" }, /* 122 */ - { 0x0B, 124, 0, 7, "c2tnb239v1" }, /* 123 */ - { 0x0C, 125, 0, 7, "c2tnb239v2" }, /* 124 */ - { 0x0D, 126, 0, 7, "c2tnb239v3" }, /* 125 */ - { 0x0E, 127, 0, 7, "c2onb239v4" }, /* 126 */ - { 0x0F, 128, 0, 7, "c2onb239v5" }, /* 127 */ - { 0x10, 129, 0, 7, "c2pnb272w1" }, /* 128 */ - { 0x11, 130, 0, 7, "c2pnb304w1" }, /* 129 */ - { 0x12, 131, 0, 7, "c2tnb359v1" }, /* 130 */ - { 0x13, 132, 0, 7, "c2pnb368w1" }, /* 131 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 132 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 133 */ - { 0x01, 135, 0, 7, "prime192v1" }, /* 134 */ - { 0x02, 136, 0, 7, "prime192v2" }, /* 135 */ - { 0x03, 137, 0, 7, "prime192v3" }, /* 136 */ - { 0x04, 138, 0, 7, "prime239v1" }, /* 137 */ - { 0x05, 139, 0, 7, "prime239v2" }, /* 138 */ - { 0x06, 140, 0, 7, "prime239v3" }, /* 139 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 140 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 141 */ - { 0x01, 0, 0, 6, "ecdsa-with-SHA1" }, /* 142 */ - {0x2B, 243, 1, 0, "" }, /* 143 */ - { 0x06, 196, 1, 1, "dod" }, /* 144 */ - { 0x01, 0, 1, 2, "internet" }, /* 145 */ - { 0x04, 164, 1, 3, "private" }, /* 146 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 147 */ - { 0x82, 157, 1, 5, "" }, /* 148 */ - { 0x37, 0, 1, 6, "Microsoft" }, /* 149 */ - { 0x0A, 154, 1, 7, "" }, /* 150 */ - { 0x03, 0, 1, 8, "" }, /* 151 */ - { 0x03, 153, 0, 9, "msSGC" }, /* 152 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 153 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 154 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 155 */ - { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 156 */ - { 0x89, 0, 1, 5, "" }, /* 157 */ - { 0x31, 0, 1, 6, "" }, /* 158 */ - { 0x01, 0, 1, 7, "" }, /* 159 */ - { 0x01, 0, 1, 8, "" }, /* 160 */ - { 0x02, 0, 1, 9, "" }, /* 161 */ - { 0x02, 163, 0, 10, "" }, /* 162 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 163 */ - { 0x05, 0, 1, 3, "security" }, /* 164 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 165 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 166 */ - { 0x01, 169, 1, 6, "id-pe" }, /* 167 */ - { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 168 */ - { 0x03, 179, 1, 6, "id-kp" }, /* 169 */ - { 0x01, 171, 0, 7, "serverAuth" }, /* 170 */ - { 0x02, 172, 0, 7, "clientAuth" }, /* 171 */ - { 0x03, 173, 0, 7, "codeSigning" }, /* 172 */ - { 0x04, 174, 0, 7, "emailProtection" }, /* 173 */ - { 0x05, 175, 0, 7, "ipsecEndSystem" }, /* 174 */ - { 0x06, 176, 0, 7, "ipsecTunnel" }, /* 175 */ - { 0x07, 177, 0, 7, "ipsecUser" }, /* 176 */ - { 0x08, 178, 0, 7, "timeStamping" }, /* 177 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 178 */ - { 0x08, 181, 1, 6, "id-otherNames" }, /* 179 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 180 */ - { 0x0A, 186, 1, 6, "id-aca" }, /* 181 */ - { 0x01, 183, 0, 7, "authenticationInfo" }, /* 182 */ - { 0x02, 184, 0, 7, "accessIdentity" }, /* 183 */ - { 0x03, 185, 0, 7, "chargingIdentity" }, /* 184 */ - { 0x04, 0, 0, 7, "group" }, /* 185 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 186 */ - { 0x01, 195, 1, 7, "ocsp" }, /* 187 */ - { 0x01, 189, 0, 8, "basic" }, /* 188 */ - { 0x02, 190, 0, 8, "nonce" }, /* 189 */ - { 0x03, 191, 0, 8, "crl" }, /* 190 */ - { 0x04, 192, 0, 8, "response" }, /* 191 */ - { 0x05, 193, 0, 8, "noCheck" }, /* 192 */ - { 0x06, 194, 0, 8, "archiveCutoff" }, /* 193 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 194 */ - { 0x02, 0, 0, 7, "caIssuers" }, /* 195 */ - { 0x0E, 202, 1, 1, "oiw" }, /* 196 */ - { 0x03, 0, 1, 2, "secsig" }, /* 197 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 198 */ - { 0x07, 200, 0, 4, "des-cbc" }, /* 199 */ - { 0x1A, 201, 0, 4, "sha-1" }, /* 200 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 201 */ - { 0x24, 209, 1, 1, "TeleTrusT" }, /* 202 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 203 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 204 */ - { 0x01, 0, 1, 4, "rsaSignature" }, /* 205 */ - { 0x02, 207, 0, 5, "rsaSigWithripemd160" }, /* 206 */ - { 0x03, 208, 0, 5, "rsaSigWithripemd128" }, /* 207 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 208 */ - { 0x81, 0, 1, 1, "" }, /* 209 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 210 */ - { 0x00, 0, 1, 3, "curve" }, /* 211 */ - { 0x01, 213, 0, 4, "sect163k1" }, /* 212 */ - { 0x02, 214, 0, 4, "sect163r1" }, /* 213 */ - { 0x03, 215, 0, 4, "sect239k1" }, /* 214 */ - { 0x04, 216, 0, 4, "sect113r1" }, /* 215 */ - { 0x05, 217, 0, 4, "sect113r2" }, /* 216 */ - { 0x06, 218, 0, 4, "secp112r1" }, /* 217 */ - { 0x07, 219, 0, 4, "secp112r2" }, /* 218 */ - { 0x08, 220, 0, 4, "secp160r1" }, /* 219 */ - { 0x09, 221, 0, 4, "secp160k1" }, /* 220 */ - { 0x0A, 222, 0, 4, "secp256k1" }, /* 221 */ - { 0x0F, 223, 0, 4, "sect163r2" }, /* 222 */ - { 0x10, 224, 0, 4, "sect283k1" }, /* 223 */ - { 0x11, 225, 0, 4, "sect283r1" }, /* 224 */ - { 0x16, 226, 0, 4, "sect131r1" }, /* 225 */ - { 0x17, 227, 0, 4, "sect131r2" }, /* 226 */ - { 0x18, 228, 0, 4, "sect193r1" }, /* 227 */ - { 0x19, 229, 0, 4, "sect193r2" }, /* 228 */ - { 0x1A, 230, 0, 4, "sect233k1" }, /* 229 */ - { 0x1B, 231, 0, 4, "sect233r1" }, /* 230 */ - { 0x1C, 232, 0, 4, "secp128r1" }, /* 231 */ - { 0x1D, 233, 0, 4, "secp128r2" }, /* 232 */ - { 0x1E, 234, 0, 4, "secp160r2" }, /* 233 */ - { 0x1F, 235, 0, 4, "secp192k1" }, /* 234 */ - { 0x20, 236, 0, 4, "secp224k1" }, /* 235 */ - { 0x21, 237, 0, 4, "secp224r1" }, /* 236 */ - { 0x22, 238, 0, 4, "secp384r1" }, /* 237 */ - { 0x23, 239, 0, 4, "secp521r1" }, /* 238 */ - { 0x24, 240, 0, 4, "sect409k1" }, /* 239 */ - { 0x25, 241, 0, 4, "sect409r1" }, /* 240 */ - { 0x26, 242, 0, 4, "sect571k1" }, /* 241 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 242 */ - {0x60, 0, 1, 0, "" }, /* 243 */ - { 0x86, 0, 1, 1, "" }, /* 244 */ - { 0x48, 0, 1, 2, "" }, /* 245 */ - { 0x01, 289, 1, 3, "organization" }, /* 246 */ - { 0x65, 265, 1, 4, "gov" }, /* 247 */ - { 0x03, 0, 1, 5, "csor" }, /* 248 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 249 */ - { 0x01, 260, 1, 7, "aes" }, /* 250 */ - { 0x02, 252, 0, 8, "id-aes128-CBC" }, /* 251 */ - { 0x06, 253, 0, 8, "id-aes128-GCM" }, /* 252 */ - { 0x07, 254, 0, 8, "id-aes128-CCM" }, /* 253 */ - { 0x16, 255, 0, 8, "id-aes192-CBC" }, /* 254 */ - { 0x1A, 256, 0, 8, "id-aes192-GCM" }, /* 255 */ - { 0x1B, 257, 0, 8, "id-aes192-CCM" }, /* 256 */ - { 0x2A, 258, 0, 8, "id-aes256-CBC" }, /* 257 */ - { 0x2E, 259, 0, 8, "id-aes256-GCM" }, /* 258 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 259 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 260 */ - { 0x01, 262, 0, 8, "id-SHA-256" }, /* 261 */ - { 0x02, 263, 0, 8, "id-SHA-384" }, /* 262 */ - { 0x03, 264, 0, 8, "id-SHA-512" }, /* 263 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 264 */ - { 0x86, 0, 1, 4, "" }, /* 265 */ - { 0xf8, 0, 1, 5, "" }, /* 266 */ - { 0x42, 279, 1, 6, "netscape" }, /* 267 */ - { 0x01, 274, 1, 7, "" }, /* 268 */ - { 0x01, 270, 0, 8, "nsCertType" }, /* 269 */ - { 0x03, 271, 0, 8, "nsRevocationUrl" }, /* 270 */ - { 0x04, 272, 0, 8, "nsCaRevocationUrl" }, /* 271 */ - { 0x08, 273, 0, 8, "nsCaPolicyUrl" }, /* 272 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 273 */ - { 0x03, 277, 1, 7, "directory" }, /* 274 */ - { 0x01, 0, 1, 8, "" }, /* 275 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 276 */ - { 0x04, 0, 1, 7, "policy" }, /* 277 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 278 */ - { 0x45, 0, 1, 6, "verisign" }, /* 279 */ - { 0x01, 0, 1, 7, "pki" }, /* 280 */ - { 0x09, 0, 1, 8, "attributes" }, /* 281 */ - { 0x02, 283, 0, 9, "messageType" }, /* 282 */ - { 0x03, 284, 0, 9, "pkiStatus" }, /* 283 */ - { 0x04, 285, 0, 9, "failInfo" }, /* 284 */ - { 0x05, 286, 0, 9, "senderNonce" }, /* 285 */ - { 0x06, 287, 0, 9, "recipientNonce" }, /* 286 */ - { 0x07, 288, 0, 9, "transID" }, /* 287 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 288 */ - { 0x86, 0, 1, 3, "old-netscape" }, /* 289 */ - { 0xF7, 0, 1, 4, "" }, /* 290 */ - { 0x0D, 0, 1, 5, "" }, /* 291 */ - { 0x01, 0, 1, 6, "" }, /* 292 */ - { 0x09, 0, 1, 7, "" }, /* 293 */ - { 0x01, 295, 0, 8, "emailAddress" }, /* 294 */ - { 0x02, 0, 0, 8, "unstructuredName" } /* 295 */ + { 0x0D, 84, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 84 */ + { 0x07, 92, 1, 7, "PKCS-7" }, /* 85 */ + { 0x01, 87, 0, 8, "data" }, /* 86 */ + { 0x02, 88, 0, 8, "signedData" }, /* 87 */ + { 0x03, 89, 0, 8, "envelopedData" }, /* 88 */ + { 0x04, 90, 0, 8, "signedAndEnvelopedData" }, /* 89 */ + { 0x05, 91, 0, 8, "digestedData" }, /* 90 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 91 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 92 */ + { 0x01, 94, 0, 8, "E" }, /* 93 */ + { 0x02, 95, 0, 8, "unstructuredName" }, /* 94 */ + { 0x03, 96, 0, 8, "contentType" }, /* 95 */ + { 0x04, 97, 0, 8, "messageDigest" }, /* 96 */ + { 0x05, 98, 0, 8, "signingTime" }, /* 97 */ + { 0x06, 99, 0, 8, "counterSignature" }, /* 98 */ + { 0x07, 100, 0, 8, "challengePassword" }, /* 99 */ + { 0x08, 101, 0, 8, "unstructuredAddress" }, /* 100 */ + { 0x0E, 102, 0, 8, "extensionRequest" }, /* 101 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 102 */ + { 0x02, 106, 1, 6, "digestAlgorithm" }, /* 103 */ + { 0x02, 105, 0, 7, "md2" }, /* 104 */ + { 0x05, 0, 0, 7, "md5" }, /* 105 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 106 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 107 */ + { 0xCE, 0, 1, 3, "" }, /* 108 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 109 */ + { 0x02, 112, 1, 5, "id-publicKeyType" }, /* 110 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 111 */ + { 0x03, 142, 1, 5, "ellipticCurve" }, /* 112 */ + { 0x00, 134, 1, 6, "c-TwoCurve" }, /* 113 */ + { 0x01, 115, 0, 7, "c2pnb163v1" }, /* 114 */ + { 0x02, 116, 0, 7, "c2pnb163v2" }, /* 115 */ + { 0x03, 117, 0, 7, "c2pnb163v3" }, /* 116 */ + { 0x04, 118, 0, 7, "c2pnb176w1" }, /* 117 */ + { 0x05, 119, 0, 7, "c2tnb191v1" }, /* 118 */ + { 0x06, 120, 0, 7, "c2tnb191v2" }, /* 119 */ + { 0x07, 121, 0, 7, "c2tnb191v3" }, /* 120 */ + { 0x08, 122, 0, 7, "c2onb191v4" }, /* 121 */ + { 0x09, 123, 0, 7, "c2onb191v5" }, /* 122 */ + { 0x0A, 124, 0, 7, "c2pnb208w1" }, /* 123 */ + { 0x0B, 125, 0, 7, "c2tnb239v1" }, /* 124 */ + { 0x0C, 126, 0, 7, "c2tnb239v2" }, /* 125 */ + { 0x0D, 127, 0, 7, "c2tnb239v3" }, /* 126 */ + { 0x0E, 128, 0, 7, "c2onb239v4" }, /* 127 */ + { 0x0F, 129, 0, 7, "c2onb239v5" }, /* 128 */ + { 0x10, 130, 0, 7, "c2pnb272w1" }, /* 129 */ + { 0x11, 131, 0, 7, "c2pnb304w1" }, /* 130 */ + { 0x12, 132, 0, 7, "c2tnb359v1" }, /* 131 */ + { 0x13, 133, 0, 7, "c2pnb368w1" }, /* 132 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 133 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 134 */ + { 0x01, 136, 0, 7, "prime192v1" }, /* 135 */ + { 0x02, 137, 0, 7, "prime192v2" }, /* 136 */ + { 0x03, 138, 0, 7, "prime192v3" }, /* 137 */ + { 0x04, 139, 0, 7, "prime239v1" }, /* 138 */ + { 0x05, 140, 0, 7, "prime239v2" }, /* 139 */ + { 0x06, 141, 0, 7, "prime239v3" }, /* 140 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 141 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 142 */ + { 0x01, 144, 0, 6, "ecdsa-with-SHA1" }, /* 143 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 144 */ + { 0x01, 146, 0, 7, "ecdsa-with-SHA224" }, /* 145 */ + { 0x02, 147, 0, 7, "ecdsa-with-SHA256" }, /* 146 */ + { 0x03, 148, 0, 7, "ecdsa-with-SHA384" }, /* 147 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 148 */ + {0x2B, 249, 1, 0, "" }, /* 149 */ + { 0x06, 202, 1, 1, "dod" }, /* 150 */ + { 0x01, 0, 1, 2, "internet" }, /* 151 */ + { 0x04, 170, 1, 3, "private" }, /* 152 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 153 */ + { 0x82, 163, 1, 5, "" }, /* 154 */ + { 0x37, 0, 1, 6, "Microsoft" }, /* 155 */ + { 0x0A, 160, 1, 7, "" }, /* 156 */ + { 0x03, 0, 1, 8, "" }, /* 157 */ + { 0x03, 159, 0, 9, "msSGC" }, /* 158 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 159 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 160 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 161 */ + { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 162 */ + { 0x89, 0, 1, 5, "" }, /* 163 */ + { 0x31, 0, 1, 6, "" }, /* 164 */ + { 0x01, 0, 1, 7, "" }, /* 165 */ + { 0x01, 0, 1, 8, "" }, /* 166 */ + { 0x02, 0, 1, 9, "" }, /* 167 */ + { 0x02, 169, 0, 10, "" }, /* 168 */ + { 0x4B, 0, 0, 10, "TCGID" }, /* 169 */ + { 0x05, 0, 1, 3, "security" }, /* 170 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 171 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 172 */ + { 0x01, 175, 1, 6, "id-pe" }, /* 173 */ + { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 174 */ + { 0x03, 185, 1, 6, "id-kp" }, /* 175 */ + { 0x01, 177, 0, 7, "serverAuth" }, /* 176 */ + { 0x02, 178, 0, 7, "clientAuth" }, /* 177 */ + { 0x03, 179, 0, 7, "codeSigning" }, /* 178 */ + { 0x04, 180, 0, 7, "emailProtection" }, /* 179 */ + { 0x05, 181, 0, 7, "ipsecEndSystem" }, /* 180 */ + { 0x06, 182, 0, 7, "ipsecTunnel" }, /* 181 */ + { 0x07, 183, 0, 7, "ipsecUser" }, /* 182 */ + { 0x08, 184, 0, 7, "timeStamping" }, /* 183 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 184 */ + { 0x08, 187, 1, 6, "id-otherNames" }, /* 185 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 186 */ + { 0x0A, 192, 1, 6, "id-aca" }, /* 187 */ + { 0x01, 189, 0, 7, "authenticationInfo" }, /* 188 */ + { 0x02, 190, 0, 7, "accessIdentity" }, /* 189 */ + { 0x03, 191, 0, 7, "chargingIdentity" }, /* 190 */ + { 0x04, 0, 0, 7, "group" }, /* 191 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 192 */ + { 0x01, 201, 1, 7, "ocsp" }, /* 193 */ + { 0x01, 195, 0, 8, "basic" }, /* 194 */ + { 0x02, 196, 0, 8, "nonce" }, /* 195 */ + { 0x03, 197, 0, 8, "crl" }, /* 196 */ + { 0x04, 198, 0, 8, "response" }, /* 197 */ + { 0x05, 199, 0, 8, "noCheck" }, /* 198 */ + { 0x06, 200, 0, 8, "archiveCutoff" }, /* 199 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 200 */ + { 0x02, 0, 0, 7, "caIssuers" }, /* 201 */ + { 0x0E, 208, 1, 1, "oiw" }, /* 202 */ + { 0x03, 0, 1, 2, "secsig" }, /* 203 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 204 */ + { 0x07, 206, 0, 4, "des-cbc" }, /* 205 */ + { 0x1A, 207, 0, 4, "sha-1" }, /* 206 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 207 */ + { 0x24, 215, 1, 1, "TeleTrusT" }, /* 208 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 209 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 210 */ + { 0x01, 0, 1, 4, "rsaSignature" }, /* 211 */ + { 0x02, 213, 0, 5, "rsaSigWithripemd160" }, /* 212 */ + { 0x03, 214, 0, 5, "rsaSigWithripemd128" }, /* 213 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 214 */ + { 0x81, 0, 1, 1, "" }, /* 215 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 216 */ + { 0x00, 0, 1, 3, "curve" }, /* 217 */ + { 0x01, 219, 0, 4, "sect163k1" }, /* 218 */ + { 0x02, 220, 0, 4, "sect163r1" }, /* 219 */ + { 0x03, 221, 0, 4, "sect239k1" }, /* 220 */ + { 0x04, 222, 0, 4, "sect113r1" }, /* 221 */ + { 0x05, 223, 0, 4, "sect113r2" }, /* 222 */ + { 0x06, 224, 0, 4, "secp112r1" }, /* 223 */ + { 0x07, 225, 0, 4, "secp112r2" }, /* 224 */ + { 0x08, 226, 0, 4, "secp160r1" }, /* 225 */ + { 0x09, 227, 0, 4, "secp160k1" }, /* 226 */ + { 0x0A, 228, 0, 4, "secp256k1" }, /* 227 */ + { 0x0F, 229, 0, 4, "sect163r2" }, /* 228 */ + { 0x10, 230, 0, 4, "sect283k1" }, /* 229 */ + { 0x11, 231, 0, 4, "sect283r1" }, /* 230 */ + { 0x16, 232, 0, 4, "sect131r1" }, /* 231 */ + { 0x17, 233, 0, 4, "sect131r2" }, /* 232 */ + { 0x18, 234, 0, 4, "sect193r1" }, /* 233 */ + { 0x19, 235, 0, 4, "sect193r2" }, /* 234 */ + { 0x1A, 236, 0, 4, "sect233k1" }, /* 235 */ + { 0x1B, 237, 0, 4, "sect233r1" }, /* 236 */ + { 0x1C, 238, 0, 4, "secp128r1" }, /* 237 */ + { 0x1D, 239, 0, 4, "secp128r2" }, /* 238 */ + { 0x1E, 240, 0, 4, "secp160r2" }, /* 239 */ + { 0x1F, 241, 0, 4, "secp192k1" }, /* 240 */ + { 0x20, 242, 0, 4, "secp224k1" }, /* 241 */ + { 0x21, 243, 0, 4, "secp224r1" }, /* 242 */ + { 0x22, 244, 0, 4, "secp384r1" }, /* 243 */ + { 0x23, 245, 0, 4, "secp521r1" }, /* 244 */ + { 0x24, 246, 0, 4, "sect409k1" }, /* 245 */ + { 0x25, 247, 0, 4, "sect409r1" }, /* 246 */ + { 0x26, 248, 0, 4, "sect571k1" }, /* 247 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 248 */ + {0x60, 0, 1, 0, "" }, /* 249 */ + { 0x86, 0, 1, 1, "" }, /* 250 */ + { 0x48, 0, 1, 2, "" }, /* 251 */ + { 0x01, 295, 1, 3, "organization" }, /* 252 */ + { 0x65, 271, 1, 4, "gov" }, /* 253 */ + { 0x03, 0, 1, 5, "csor" }, /* 254 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 255 */ + { 0x01, 266, 1, 7, "aes" }, /* 256 */ + { 0x02, 258, 0, 8, "id-aes128-CBC" }, /* 257 */ + { 0x06, 259, 0, 8, "id-aes128-GCM" }, /* 258 */ + { 0x07, 260, 0, 8, "id-aes128-CCM" }, /* 259 */ + { 0x16, 261, 0, 8, "id-aes192-CBC" }, /* 260 */ + { 0x1A, 262, 0, 8, "id-aes192-GCM" }, /* 261 */ + { 0x1B, 263, 0, 8, "id-aes192-CCM" }, /* 262 */ + { 0x2A, 264, 0, 8, "id-aes256-CBC" }, /* 263 */ + { 0x2E, 265, 0, 8, "id-aes256-GCM" }, /* 264 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 265 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 266 */ + { 0x01, 268, 0, 8, "id-SHA-256" }, /* 267 */ + { 0x02, 269, 0, 8, "id-SHA-384" }, /* 268 */ + { 0x03, 270, 0, 8, "id-SHA-512" }, /* 269 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 270 */ + { 0x86, 0, 1, 4, "" }, /* 271 */ + { 0xf8, 0, 1, 5, "" }, /* 272 */ + { 0x42, 285, 1, 6, "netscape" }, /* 273 */ + { 0x01, 280, 1, 7, "" }, /* 274 */ + { 0x01, 276, 0, 8, "nsCertType" }, /* 275 */ + { 0x03, 277, 0, 8, "nsRevocationUrl" }, /* 276 */ + { 0x04, 278, 0, 8, "nsCaRevocationUrl" }, /* 277 */ + { 0x08, 279, 0, 8, "nsCaPolicyUrl" }, /* 278 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 279 */ + { 0x03, 283, 1, 7, "directory" }, /* 280 */ + { 0x01, 0, 1, 8, "" }, /* 281 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 282 */ + { 0x04, 0, 1, 7, "policy" }, /* 283 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 284 */ + { 0x45, 0, 1, 6, "verisign" }, /* 285 */ + { 0x01, 0, 1, 7, "pki" }, /* 286 */ + { 0x09, 0, 1, 8, "attributes" }, /* 287 */ + { 0x02, 289, 0, 9, "messageType" }, /* 288 */ + { 0x03, 290, 0, 9, "pkiStatus" }, /* 289 */ + { 0x04, 291, 0, 9, "failInfo" }, /* 290 */ + { 0x05, 292, 0, 9, "senderNonce" }, /* 291 */ + { 0x06, 293, 0, 9, "recipientNonce" }, /* 292 */ + { 0x07, 294, 0, 9, "transID" }, /* 293 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 294 */ + { 0x86, 0, 1, 3, "old-netscape" }, /* 295 */ + { 0xF7, 0, 1, 4, "" }, /* 296 */ + { 0x0D, 0, 1, 5, "" }, /* 297 */ + { 0x01, 0, 1, 6, "" }, /* 298 */ + { 0x09, 0, 1, 7, "" }, /* 299 */ + { 0x01, 301, 0, 8, "emailAddress" }, /* 300 */ + { 0x02, 0, 0, 8, "unstructuredName" } /* 301 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 477789b62..b7241af8d 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -60,126 +60,131 @@ extern const oid_t oid_names[]; #define OID_SHA256_WITH_RSA 81 #define OID_SHA384_WITH_RSA 82 #define OID_SHA512_WITH_RSA 83 -#define OID_PKCS7_DATA 85 -#define OID_PKCS7_SIGNED_DATA 86 -#define OID_PKCS7_ENVELOPED_DATA 87 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 88 -#define OID_PKCS7_DIGESTED_DATA 89 -#define OID_PKCS7_ENCRYPTED_DATA 90 -#define OID_PKCS9_EMAIL 92 -#define OID_PKCS9_CONTENT_TYPE 94 -#define OID_PKCS9_MESSAGE_DIGEST 95 -#define OID_PKCS9_SIGNING_TIME 96 -#define OID_MD2 103 -#define OID_MD5 104 -#define OID_3DES_EDE_CBC 106 -#define OID_EC_PUBLICKEY 110 -#define OID_C2PNB163V1 113 -#define OID_C2PNB163V2 114 -#define OID_C2PNB163V3 115 -#define OID_C2PNB176W1 116 -#define OID_C2PNB191V1 117 -#define OID_C2PNB191V2 118 -#define OID_C2PNB191V3 119 -#define OID_C2PNB191V4 120 -#define OID_C2PNB191V5 121 -#define OID_C2PNB208W1 122 -#define OID_C2PNB239V1 123 -#define OID_C2PNB239V2 124 -#define OID_C2PNB239V3 125 -#define OID_C2PNB239V4 126 -#define OID_C2PNB239V5 127 -#define OID_C2PNB272W1 128 -#define OID_C2PNB304W1 129 -#define OID_C2PNB359V1 130 -#define OID_C2PNB368W1 131 -#define OID_C2PNB431R1 132 -#define OID_PRIME192V1 134 -#define OID_PRIME192V2 135 -#define OID_PRIME192V3 136 -#define OID_PRIME239V1 137 -#define OID_PRIME239V2 138 -#define OID_PRIME239V3 139 -#define OID_PRIME256V1 140 -#define OID_ECDSA_WITH_SHA1 142 -#define OID_TCGID 163 -#define OID_AUTHORITY_INFO_ACCESS 168 -#define OID_OCSP_SIGNING 178 -#define OID_XMPP_ADDR 180 -#define OID_AUTHENTICATION_INFO 182 -#define OID_ACCESS_IDENTITY 183 -#define OID_CHARGING_IDENTITY 184 -#define OID_GROUP 185 -#define OID_OCSP 187 -#define OID_BASIC 188 -#define OID_NONCE 189 -#define OID_CRL 190 -#define OID_RESPONSE 191 -#define OID_NO_CHECK 192 -#define OID_ARCHIVE_CUTOFF 193 -#define OID_SERVICE_LOCATOR 194 -#define OID_CA_ISSUERS 195 -#define OID_DES_CBC 199 -#define OID_SHA1 200 -#define OID_SHA1_WITH_RSA_OIW 201 -#define OID_SECT163K1 212 -#define OID_SECT163R1 213 -#define OID_SECT239K1 214 -#define OID_SECT113R1 215 -#define OID_SECT113R2 216 -#define OID_SECT112R1 217 -#define OID_SECT112R2 218 -#define OID_SECT160R1 219 -#define OID_SECT160K1 220 -#define OID_SECT256K1 221 -#define OID_SECT163R2 222 -#define OID_SECT283K1 223 -#define OID_SECT283R1 224 -#define OID_SECT131R1 225 -#define OID_SECT131R2 226 -#define OID_SECT193R1 227 -#define OID_SECT193R2 228 -#define OID_SECT233K1 229 -#define OID_SECT233R1 230 -#define OID_SECT128R1 231 -#define OID_SECT128R2 232 -#define OID_SECT160R2 233 -#define OID_SECT192K1 234 -#define OID_SECT224K1 235 -#define OID_SECT224R1 236 -#define OID_SECT384R1 237 -#define OID_SECT521R1 238 -#define OID_SECT409K1 239 -#define OID_SECT409R1 240 -#define OID_SECT571K1 241 -#define OID_SECT571R1 242 -#define OID_AES128_CBC 251 -#define OID_AES128_GCM 252 -#define OID_AES128_CCM 253 -#define OID_AES192_CBC 254 -#define OID_AES192_GCM 255 -#define OID_AES192_CCM 256 -#define OID_AES256_CBC 257 -#define OID_AES256_GCM 258 -#define OID_AES256_CCM 259 -#define OID_SHA256 261 -#define OID_SHA384 262 -#define OID_SHA512 263 -#define OID_SHA224 264 -#define OID_NS_REVOCATION_URL 270 -#define OID_NS_CA_REVOCATION_URL 271 -#define OID_NS_CA_POLICY_URL 272 -#define OID_NS_COMMENT 273 -#define OID_EMPLOYEE_NUMBER 276 -#define OID_PKI_MESSAGE_TYPE 282 -#define OID_PKI_STATUS 283 -#define OID_PKI_FAIL_INFO 284 -#define OID_PKI_SENDER_NONCE 285 -#define OID_PKI_RECIPIENT_NONCE 286 -#define OID_PKI_TRANS_ID 287 -#define OID_EMAIL_ADDRESS 294 -#define OID_UNSTRUCTURED_NAME 295 +#define OID_SHA224_WITH_RSA 84 +#define OID_PKCS7_DATA 86 +#define OID_PKCS7_SIGNED_DATA 87 +#define OID_PKCS7_ENVELOPED_DATA 88 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 89 +#define OID_PKCS7_DIGESTED_DATA 90 +#define OID_PKCS7_ENCRYPTED_DATA 91 +#define OID_PKCS9_EMAIL 93 +#define OID_PKCS9_CONTENT_TYPE 95 +#define OID_PKCS9_MESSAGE_DIGEST 96 +#define OID_PKCS9_SIGNING_TIME 97 +#define OID_MD2 104 +#define OID_MD5 105 +#define OID_3DES_EDE_CBC 107 +#define OID_EC_PUBLICKEY 111 +#define OID_C2PNB163V1 114 +#define OID_C2PNB163V2 115 +#define OID_C2PNB163V3 116 +#define OID_C2PNB176W1 117 +#define OID_C2PNB191V1 118 +#define OID_C2PNB191V2 119 +#define OID_C2PNB191V3 120 +#define OID_C2PNB191V4 121 +#define OID_C2PNB191V5 122 +#define OID_C2PNB208W1 123 +#define OID_C2PNB239V1 124 +#define OID_C2PNB239V2 125 +#define OID_C2PNB239V3 126 +#define OID_C2PNB239V4 127 +#define OID_C2PNB239V5 128 +#define OID_C2PNB272W1 129 +#define OID_C2PNB304W1 130 +#define OID_C2PNB359V1 131 +#define OID_C2PNB368W1 132 +#define OID_C2PNB431R1 133 +#define OID_PRIME192V1 135 +#define OID_PRIME192V2 136 +#define OID_PRIME192V3 137 +#define OID_PRIME239V1 138 +#define OID_PRIME239V2 139 +#define OID_PRIME239V3 140 +#define OID_PRIME256V1 141 +#define OID_ECDSA_WITH_SHA1 143 +#define OID_ECDSA_WITH_SHA224 145 +#define OID_ECDSA_WITH_SHA256 146 +#define OID_ECDSA_WITH_SHA384 147 +#define OID_ECDSA_WITH_SHA512 148 +#define OID_TCGID 169 +#define OID_AUTHORITY_INFO_ACCESS 174 +#define OID_OCSP_SIGNING 184 +#define OID_XMPP_ADDR 186 +#define OID_AUTHENTICATION_INFO 188 +#define OID_ACCESS_IDENTITY 189 +#define OID_CHARGING_IDENTITY 190 +#define OID_GROUP 191 +#define OID_OCSP 193 +#define OID_BASIC 194 +#define OID_NONCE 195 +#define OID_CRL 196 +#define OID_RESPONSE 197 +#define OID_NO_CHECK 198 +#define OID_ARCHIVE_CUTOFF 199 +#define OID_SERVICE_LOCATOR 200 +#define OID_CA_ISSUERS 201 +#define OID_DES_CBC 205 +#define OID_SHA1 206 +#define OID_SHA1_WITH_RSA_OIW 207 +#define OID_SECT163K1 218 +#define OID_SECT163R1 219 +#define OID_SECT239K1 220 +#define OID_SECT113R1 221 +#define OID_SECT113R2 222 +#define OID_SECT112R1 223 +#define OID_SECT112R2 224 +#define OID_SECT160R1 225 +#define OID_SECT160K1 226 +#define OID_SECT256K1 227 +#define OID_SECT163R2 228 +#define OID_SECT283K1 229 +#define OID_SECT283R1 230 +#define OID_SECT131R1 231 +#define OID_SECT131R2 232 +#define OID_SECT193R1 233 +#define OID_SECT193R2 234 +#define OID_SECT233K1 235 +#define OID_SECT233R1 236 +#define OID_SECT128R1 237 +#define OID_SECT128R2 238 +#define OID_SECT160R2 239 +#define OID_SECT192K1 240 +#define OID_SECT224K1 241 +#define OID_SECT224R1 242 +#define OID_SECT384R1 243 +#define OID_SECT521R1 244 +#define OID_SECT409K1 245 +#define OID_SECT409R1 246 +#define OID_SECT571K1 247 +#define OID_SECT571R1 248 +#define OID_AES128_CBC 257 +#define OID_AES128_GCM 258 +#define OID_AES128_CCM 259 +#define OID_AES192_CBC 260 +#define OID_AES192_GCM 261 +#define OID_AES192_CCM 262 +#define OID_AES256_CBC 263 +#define OID_AES256_GCM 264 +#define OID_AES256_CCM 265 +#define OID_SHA256 267 +#define OID_SHA384 268 +#define OID_SHA512 269 +#define OID_SHA224 270 +#define OID_NS_REVOCATION_URL 276 +#define OID_NS_CA_REVOCATION_URL 277 +#define OID_NS_CA_POLICY_URL 278 +#define OID_NS_COMMENT 279 +#define OID_EMPLOYEE_NUMBER 282 +#define OID_PKI_MESSAGE_TYPE 288 +#define OID_PKI_STATUS 289 +#define OID_PKI_FAIL_INFO 290 +#define OID_PKI_SENDER_NONCE 291 +#define OID_PKI_RECIPIENT_NONCE 292 +#define OID_PKI_TRANS_ID 293 +#define OID_EMAIL_ADDRESS 300 +#define OID_UNSTRUCTURED_NAME 301 -#define OID_MAX 296 +#define OID_MAX 302 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 1514f179f..5adca6289 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -82,6 +82,7 @@ 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA + 0x0E "sha224WithRSAEncryption" OID_SHA224_WITH_RSA 0x07 "PKCS-7" 0x01 "data" OID_PKCS7_DATA 0x02 "signedData" OID_PKCS7_SIGNED_DATA @@ -141,6 +142,11 @@ 0x07 "prime256v1" OID_PRIME256V1 0x04 "id-ecSigType" 0x01 "ecdsa-with-SHA1" OID_ECDSA_WITH_SHA1 + 0x03 "ecdsa-with-Specified" + 0x01 "ecdsa-with-SHA224" OID_ECDSA_WITH_SHA224 + 0x02 "ecdsa-with-SHA256" OID_ECDSA_WITH_SHA256 + 0x03 "ecdsa-with-SHA384" OID_ECDSA_WITH_SHA384 + 0x04 "ecdsa-with-SHA512" OID_ECDSA_WITH_SHA512 0x2B "" 0x06 "dod" 0x01 "internet" diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index c9c181f87..40a93e21a 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -19,6 +19,7 @@ #include <sys/stat.h> #include <unistd.h> #include <errno.h> +#include <ctype.h> #include "chunk.h" @@ -442,6 +443,32 @@ int chunk_compare(chunk_t a, chunk_t b) }; /** + * Remove non-printable characters from a chunk. + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace) +{ + bool printable = TRUE; + int i; + + if (sane) + { + *sane = chunk_clone(chunk); + } + for (i = 0; i < chunk.len; i++) + { + if (!isprint(chunk.ptr[i])) + { + if (sane) + { + sane->ptr[i] = replace; + } + printable = FALSE; + } + } + return printable; +} + +/** * Described in header. * * The implementation is based on Paul Hsieh's SuperFastHash: diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index 3d8c360c5..66c3f26a2 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -26,6 +26,9 @@ #include <string.h> #include <stdarg.h> #include <sys/types.h> +#ifdef HAVE_ALLOCA_H +#include <alloca.h> +#endif typedef struct chunk_t chunk_t; @@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...); void chunk_split(chunk_t chunk, const char *mode, ...); /** - * Write the binary contents of a chunk_t to a file - * + * Write the binary contents of a chunk_t to a file + * + * @param chunk contents to write to file * @param path path where file is written to * @param label label specifying file type * @param mask file mode creation mask @@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force * The resulting string is '\\0' terminated, but the chunk does not include * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1). * + * @param chunk data to convert to hex encoding * @param buf buffer to write to, NULL to malloc * @param uppercase TRUE to use uppercase letters * @return chunk of encoded data @@ -232,6 +237,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b) } /** + * Check if a chunk has printable characters only. + * + * If sane is given, chunk is cloned into sane and all non printable characters + * get replaced by "replace". + * + * @param chunk chunk to check for printability + * @param sane pointer where sane version is allocated, or NULL + * @param replace character to use for replaceing unprintable characters + * @return TRUE if all characters in chunk are printable + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace); + +/** * Computes a 32 bit hash of the given chunk. * Note: This hash is only intended for hash tables not for cryptographic purposes. */ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c index 2e9a541d4..e55df0398 100644 --- a/src/libstrongswan/credentials/credential_factory.c +++ b/src/libstrongswan/credentials/credential_factory.c @@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create() this->constructors = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index c94c27f0a..a5f547038 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", "RSA_EMSA_PKCS1_SHA1", + "RSA_EMSA_PKCS1_SHA224", "RSA_EMSA_PKCS1_SHA256", "RSA_EMSA_PKCS1_SHA384", "RSA_EMSA_PKCS1_SHA512", @@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_SHA1_WITH_RSA: case OID_SHA1: return SIGN_RSA_EMSA_PKCS1_SHA1; + case OID_SHA224_WITH_RSA: + case OID_SHA224: + return SIGN_RSA_EMSA_PKCS1_SHA224; case OID_SHA256_WITH_RSA: case OID_SHA256: return SIGN_RSA_EMSA_PKCS1_SHA256; @@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: return SIGN_ECDSA_WITH_SHA1; + case OID_ECDSA_WITH_SHA256: + return SIGN_ECDSA_256; + case OID_ECDSA_WITH_SHA384: + return SIGN_ECDSA_384; + case OID_ECDSA_WITH_SHA512: + return SIGN_ECDSA_521; default: return SIGN_UNKNOWN; } diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index c58531b73..be5f3bde6 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -66,6 +66,8 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_MD5, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */ SIGN_RSA_EMSA_PKCS1_SHA1, + /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */ + SIGN_RSA_EMSA_PKCS1_SHA224, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */ SIGN_RSA_EMSA_PKCS1_SHA256, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index fea8d0793..e928e8cdf 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create() this->prfs = linked_list_create(); this->rngs = linked_list_create(); this->dhs = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->tester = crypto_tester_create(); this->test_on_add = lib->settings->get_bool(lib->settings, "libstrongswan.crypto_test.on_add", FALSE); diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index b0b5aa969..4d13474a1 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this, crypter->destroy(crypter); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", encryption_algorithm_names, alg, tested); break; } @@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", encryption_algorithm_names, alg, tested); } return !failed; @@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this, signer->destroy(signer); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", integrity_algorithm_names, alg, tested); break; } @@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", integrity_algorithm_names, alg, tested); } return !failed; @@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, hasher->destroy(hasher); if (failed) { - DBG1("disabled %N: test vector %d failed", - hash_algorithm_names, alg), tested; + DBG1("disabled %N: test vector %u failed", + hash_algorithm_names, alg, tested); break; } } @@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", hash_algorithm_names, alg, tested); } return !failed; @@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this, prf->destroy(prf); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", pseudo_random_function_names, alg, tested); break; } @@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", pseudo_random_function_names, alg, tested); } return !failed; @@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, rng->destroy(rng); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", rng_quality_names, quality, tested); break; } @@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", rng_quality_names, quality, tested); } return !failed; diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index c58c2ad42..4d6904e47 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512, "HASH_MD4", "HASH_MD5", "HASH_SHA1", + "HASH_SHA224", "HASH_SHA256", "HASH_SHA384", "HASH_SHA512" @@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) case OID_SHA1: case OID_SHA1_WITH_RSA: return HASH_SHA1; + case OID_SHA224: + case OID_SHA224_WITH_RSA: + return HASH_SHA224; case OID_SHA256: case OID_SHA256_WITH_RSA: return HASH_SHA256; @@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1; break; + case HASH_SHA224: + oid = OID_SHA224; + break; case HASH_SHA256: oid = OID_SHA256; break; @@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1_WITH_RSA; break; + case HASH_SHA224: + oid = OID_SHA224_WITH_RSA; + break; case HASH_SHA256: oid = OID_SHA256_WITH_RSA; break; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 098739fa3..6deed37ab 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -40,15 +40,17 @@ enum hash_algorithm_t { HASH_MD4 = 3, HASH_MD5 = 4, HASH_SHA1 = 5, - HASH_SHA256 = 6, - HASH_SHA384 = 7, - HASH_SHA512 = 8 + HASH_SHA224 = 6, + HASH_SHA256 = 7, + HASH_SHA384 = 8, + HASH_SHA512 = 9 }; #define HASH_SIZE_MD2 16 #define HASH_SIZE_MD4 16 #define HASH_SIZE_MD5 16 #define HASH_SIZE_SHA1 20 +#define HASH_SIZE_SHA224 28 #define HASH_SIZE_SHA256 32 #define HASH_SIZE_SHA384 48 #define HASH_SIZE_SHA512 64 diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c index 76e0a4e89..ef6927874 100644 --- a/src/libstrongswan/database/database_factory.c +++ b/src/libstrongswan/database/database_factory.c @@ -110,7 +110,7 @@ database_factory_t *database_factory_create() this->public.destroy = (void(*)(database_factory_t*))destroy; this->databases = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index a30012bb1..1f87412c8 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c @@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create() this->public.destroy = (void(*)(fetcher_manager_t*))destroy; this->fetchers = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am deleted file mode 100644 index 22a35701b..000000000 --- a/src/libstrongswan/fips/Makefile.am +++ /dev/null @@ -1,19 +0,0 @@ -noinst_PROGRAMS = fips_signer -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la - -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer -INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" -if USE_SHA1 - AM_CFLAGS += -DUSE_SHA1 -endif - -if USE_OPENSSL - AM_CFLAGS += -DUSE_OPENSSL -endif - -fips_signature.h : fips_signer - ./fips_signer diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c deleted file mode 100644 index d2296e5e9..000000000 --- a/src/libstrongswan/fips/fips.c +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <debug.h> -#include <crypto/signers/signer.h> -#include "fips.h" - -extern const u_char FIPS_rodata_start[]; -extern const u_char FIPS_rodata_end[]; -extern const void *FIPS_text_start(); -extern const void *FIPS_text_end(); - -/** - * Described in header - */ -bool fips_compute_hmac_signature(const char *key, char *signature) -{ - u_char *text_start = (u_char *)FIPS_text_start(); - u_char *text_end = (u_char *)FIPS_text_end(); - size_t text_len, rodata_len; - signer_t *signer; - - if (text_start > text_end) - { - DBG1(" TEXT start (%p) > TEXT end (%p", - text_start, text_end); - return FALSE; - } - text_len = text_end - text_start; - DBG1(" TEXT: %p + %6d = %p", - text_start, (int)text_len, text_end); - - if (FIPS_rodata_start > FIPS_rodata_end) - { - DBG1(" RODATA start (%p) > RODATA end (%p", - FIPS_rodata_start, FIPS_rodata_end); - return FALSE; - } - rodata_len = FIPS_rodata_end - FIPS_rodata_start; - DBG1(" RODATA: %p + %6d = %p", - FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end); - - signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128); - if (signer == NULL) - { - DBG1(" SHA-1 HMAC signer could not be created"); - return FALSE; - } - else - { - chunk_t hmac_key = { (u_char *)key, strlen(key) }; - chunk_t text_chunk = { text_start, text_len }; - chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len }; - chunk_t signature_chunk = chunk_empty; - - signer->set_key(signer, hmac_key); - signer->allocate_signature(signer, text_chunk, NULL); - signer->allocate_signature(signer, rodata_chunk, &signature_chunk); - signer->destroy(signer); - - sprintf(signature, "%#B", &signature_chunk); - DBG1(" SHA-1 HMAC key: %s", key); - DBG1(" SHA-1 HMAC sig: %s", signature); - free(signature_chunk.ptr); - return TRUE; - } -} - -/** - * Described in header - */ -bool fips_verify_hmac_signature(const char *key, - const char *signature) -{ - char current_signature[BUF_LEN]; - - if (!fips_compute_hmac_signature(key, current_signature)) - { - return FALSE; - } - return streq(signature, current_signature); -} diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h deleted file mode 100644 index aae18e3b2..000000000 --- a/src/libstrongswan/fips/fips.h +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup fips1 fips - * @{ @ingroup fips - */ - -#ifndef FIPS_H_ -#define FIPS_H_ - -#include <library.h> - -/** - * compute HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature HMAC signature in HEX string format - * @return TRUE if HMAC signature computation was successful - */ -bool fips_compute_hmac_signature(const char *key, char *signature); - -/** - * verify HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature signature value from fips_signature.h in HEX string format - * @return TRUE if signatures agree - */ -bool fips_verify_hmac_signature(const char *key, const char *signature); - -#endif /** FIPS_H_ @}*/ diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c deleted file mode 100644 index 247d48927..000000000 --- a/src/libstrongswan/fips/fips_canister_end.c +++ /dev/null @@ -1,166 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - -#define FIPS_ref_point FIPS_text_end -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_end[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c deleted file mode 100644 index 4a5528a94..000000000 --- a/src/libstrongswan/fips/fips_canister_start.c +++ /dev/null @@ -1,167 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - - -#define FIPS_ref_point FIPS_text_start -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_start[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c deleted file mode 100644 index 6f5fdcecf..000000000 --- a/src/libstrongswan/fips/fips_signer.c +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <crypto/hashers/hasher.h> -#include "fips.h" - -int main(int argc, char* argv[]) -{ - FILE *f; - char *hmac_key = "strongSwan Version " VERSION; - char hmac_signature[BUF_LEN]; - - /* initialize library */ - library_init(STRONGSWAN_CONF); -#ifdef USE_SHA1 - lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1"); -#endif -#ifdef USE_OPENSSL - lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl"); -#endif - lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac"); - - if (!fips_compute_hmac_signature(hmac_key, hmac_signature)) - { - exit(1); - } - - /** - * write computed HMAC signature to fips_signature.h - */ - f = fopen("fips_signature.h", "wt"); - - if (f == NULL) - { - exit(1); - } - fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n"); - fprintf(f, " *\n"); - fprintf(f, " * This file has been automatically generated by fips_signer\n"); - fprintf(f, " * Do not edit manually!\n"); - fprintf(f, " */\n"); - fprintf(f, "\n"); - fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n"); - fprintf(f, "#define FIPS_SIGNATURE_H_\n"); - fprintf(f, "\n"); - fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key); - fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature); - fprintf(f, "\n"); - fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n"); - fclose(f); - - library_deinit(); - exit(0); -} diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c new file mode 100644 index 000000000..32a296d79 --- /dev/null +++ b/src/libstrongswan/integrity_checker.c @@ -0,0 +1,332 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE + +#include "integrity_checker.h" + +#include <dlfcn.h> +#include <link.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <sys/types.h> + +#include <debug.h> +#include <library.h> + +typedef struct private_integrity_checker_t private_integrity_checker_t; + +/** + * Private data of an integrity_checker_t object. + */ +struct private_integrity_checker_t { + + /** + * Public integrity_checker_t interface. + */ + integrity_checker_t public; + + /** + * dlopen handle to checksum library + */ + void *handle; + + /** + * checksum array + */ + integrity_checksum_t *checksums; + + /** + * number of checksums in array + */ + int checksum_count; +}; + +/** + * Implementation of integrity_checker_t.build_file + */ +static u_int32_t build_file(private_integrity_checker_t *this, char *file, + size_t *len) +{ + u_int32_t checksum; + chunk_t contents; + struct stat sb; + void *addr; + int fd; + + fd = open(file, O_RDONLY); + if (fd == -1) + { + DBG1(" opening '%s' failed: %s", file, strerror(errno)); + return 0; + } + + if (fstat(fd, &sb) == -1) + { + DBG1(" getting file size of '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(" mapping '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + *len = sb.st_size; + contents = chunk_create(addr, sb.st_size); + checksum = chunk_hash(contents); + + munmap(addr, sb.st_size); + close(fd); + + return checksum; +} + +/** + * dl_iterate_phdr callback function + */ +static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) +{ + /* We are looking for the dlpi_addr matching the address of our dladdr(). + * dl_iterate_phdr() returns such an address for other (unknown) objects + * in very rare cases (e.g. in a chrooted gentoo, but only if + * the checksum_builder is invoked by 'make'). As a workaround, we filter + * objects by dlpi_name; valid objects have a library name. + */ + if (dli->dli_fbase == (void*)dlpi->dlpi_addr && + dlpi->dlpi_name && *dlpi->dlpi_name) + { + int i; + + for (i = 0; i < dlpi->dlpi_phnum; i++) + { + const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i]; + + /* we are interested in the executable LOAD segment */ + if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X)) + { + /* safe begin of segment in dli_fbase */ + dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr; + /* safe end of segment in dli_saddr */ + dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz; + return 1; + } + } + } + return 0; +} + +/** + * Implementation of integrity_checker_t.build_segment + */ +static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, + size_t *len) +{ + chunk_t segment; + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1(" unable to locate symbol: %s", dlerror()); + return 0; + } + /* we reuse the Dl_info struct as in/out parameter */ + if (!dl_iterate_phdr((void*)callback, &dli)) + { + DBG1(" executable section not found"); + return 0; + } + + segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase); + *len = segment.len; + return chunk_hash(segment); +} + +/** + * Find a checksum by its name + */ +static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, + char *name) +{ + int i; + + for (i = 0; i < this->checksum_count; i++) + { + if (streq(this->checksums[i].name, name)) + { + return &this->checksums[i]; + } + } + return NULL; +} + +/** + * Implementation of integrity_checker_t.check_file + */ +static bool check_file(private_integrity_checker_t *this, + char *name, char *file) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' file checksum not found", name); + return FALSE; + } + sum = build_file(this, file, &len); + if (!sum) + { + return FALSE; + } + if (cs->file_len != len) + { + DBG1(" invalid '%s' file size: %u bytes, expected %u bytes", + name, len, cs->file_len); + return FALSE; + } + if (cs->file != sum) + { + DBG1(" invalid '%s' file checksum: %08x, expected %08x", + name, sum, cs->file); + return FALSE; + } + DBG2(" valid '%s' file checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check_segment + */ +static bool check_segment(private_integrity_checker_t *this, + char *name, void *sym) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' segment checksum not found", name); + return FALSE; + } + sum = build_segment(this, sym, &len); + if (!sum) + { + return FALSE; + } + if (cs->segment_len != len) + { + DBG1(" invalid '%s' segment size: %u bytes, expected %u bytes", + name, len, cs->segment_len); + return FALSE; + } + if (cs->segment != sum) + { + DBG1(" invalid '%s' segment checksum: %08x, expected %08x", + name, sum, cs->segment); + return FALSE; + } + DBG2(" valid '%s' segment checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check + */ +static bool check(private_integrity_checker_t *this, char *name, void *sym) +{ + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1("unable to locate symbol: %s", dlerror()); + return FALSE; + } + if (!check_file(this, name, (char*)dli.dli_fname)) + { + return FALSE; + } + if (!check_segment(this, name, sym)) + { + return FALSE; + } + return TRUE; +} + +/** + * Implementation of integrity_checker_t.destroy. + */ +static void destroy(private_integrity_checker_t *this) +{ + if (this->handle) + { + dlclose(this->handle); + } + free(this); +} + +/** + * See header + */ +integrity_checker_t *integrity_checker_create(char *checksum_library) +{ + private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); + + this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; + this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; + this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; + this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; + this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; + this->public.destroy = (void(*)(integrity_checker_t*))destroy; + + this->checksum_count = 0; + this->handle = NULL; + if (checksum_library) + { + this->handle = dlopen(checksum_library, RTLD_LAZY); + if (this->handle) + { + int *checksum_count; + + this->checksums = dlsym(this->handle, "checksums"); + checksum_count = dlsym(this->handle, "checksum_count"); + if (this->checksums && checksum_count) + { + this->checksum_count = *checksum_count; + } + else + { + DBG1("checksum library '%s' invalid", checksum_library); + } + } + else + { + DBG1("loading checksum library '%s' failed", checksum_library); + } + } + return &this->public; +} + diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h new file mode 100644 index 000000000..d078dd6fb --- /dev/null +++ b/src/libstrongswan/integrity_checker.h @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup integrity_checker integrity_checker + * @{ @ingroup libstrongswan + */ + +#ifndef INTEGRITY_CHECKER_H_ +#define INTEGRITY_CHECKER_H_ + +#include <utils.h> +#include <plugins/plugin.h> + +typedef struct integrity_checker_t integrity_checker_t; +typedef struct integrity_checksum_t integrity_checksum_t; + +/** + * Struct to hold a precalculated checksum, implemented in the checksum library. + */ +struct integrity_checksum_t { + /* name of the checksum */ + char *name; + /* size in bytes of the file on disk */ + size_t file_len; + /* checksum of the file on disk */ + u_int32_t file; + /* size in bytes of executable segment in memory */ + size_t segment_len; + /* checksum of the executable segment in memory */ + u_int32_t segment; +}; + +/** + * Code integrity checker to detect non-malicious file manipulation. + * + * The integrity checker reads the checksums from a separate library + * libchecksum.so to compare the checksums. + */ +struct integrity_checker_t { + + /** + * Check the integrity of a file on disk. + * + * @param name name to lookup checksum + * @param file path to file + * @return TRUE if integrity tested successfully + */ + bool (*check_file)(integrity_checker_t *this, char *name, char *file); + + /** + * Build the integrity checksum of a file on disk. + * + * @param file path to file + * @param len return length in bytes of file + * @return checksum, 0 on error + */ + u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len); + + /** + * Check the integrity of the code segment in memory. + * + * @param name name to lookup checksum + * @param sym a symbol in the segment to check + * @return TRUE if integrity tested successfully + */ + bool (*check_segment)(integrity_checker_t *this, char *name, void *sym); + /** + * Build the integrity checksum of a code segment in memory. + * + * @param sym a symbol in the segment to check + * @param len return length in bytes of code segment in memory + * @return checksum, 0 on error + */ + u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len); + + /** + * Check both, on disk file integrity and loaded segment. + * + * @param name name to lookup checksum + * @param sym a symbol to look up library and segment + * @return TRUE if integrity tested successfully + */ + bool (*check)(integrity_checker_t *this, char *name, void *sym); + + /** + * Destroy a integrity_checker_t. + */ + void (*destroy)(integrity_checker_t *this); +}; + +/** + * Create a integrity_checker instance. + * + * @param checksum_library library containing checksums + */ +integrity_checker_t *integrity_checker_create(char *checksum_library); + +#endif /* INTEGRITY_CHECKER_H_ @}*/ diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 8e5a8a611..832c8b607 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -20,12 +20,15 @@ #include <utils.h> #include <chunk.h> +#include <debug.h> #include <utils/identification.h> #include <utils/host.h> #ifdef LEAK_DETECTIVE #include <utils/leak_detective.h> #endif +#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so" + typedef struct private_library_t private_library_t; /** @@ -65,6 +68,10 @@ void library_deinit() this->public.fetcher->destroy(this->public.fetcher); this->public.db->destroy(this->public.db); this->public.printf_hook->destroy(this->public.printf_hook); + if (this->public.integrity) + { + this->public.integrity->destroy(this->public.integrity); + } #ifdef LEAK_DETECTIVE if (this->detective) @@ -79,7 +86,7 @@ void library_deinit() /* * see header file */ -void library_init(char *settings) +bool library_init(char *settings) { printf_hook_t *pfh; private_library_t *this = malloc_thing(private_library_t); @@ -119,5 +126,23 @@ void library_init(char *settings) this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); this->public.plugins = plugin_loader_create(); + this->public.integrity = NULL; + + if (lib->settings->get_bool(lib->settings, + "libstrongswan.integrity_test", FALSE)) + { +#ifdef INTEGRITY_TEST + this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY); + if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init)) + { + DBG1("integrity check of libstrongswan failed"); + return FALSE; + } +#else /* !INTEGRITY_TEST */ + DBG1("integrity test enabled, but not supported"); + return FALSE; +#endif /* INTEGRITY_TEST */ + } + return TRUE; } diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 35c6b686a..df4121803 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -19,6 +19,9 @@ * @defgroup asn1 asn1 * @ingroup libstrongswan * + * @defgroup pgp pgp + * @ingroup libstrongswan + * * @defgroup credentials credentials * @ingroup libstrongswan * @@ -30,19 +33,16 @@ * * @defgroup crypto crypto * @ingroup libstrongswan - + * * @defgroup database database * @ingroup libstrongswan - + * * @defgroup fetcher fetcher * @ingroup libstrongswan - - * @defgroup fips fips - * @ingroup libstrongswan - + * * @defgroup plugins plugins * @ingroup libstrongswan - + * * @defgroup utils utils * @ingroup libstrongswan */ @@ -59,6 +59,7 @@ #include <utils.h> #include <chunk.h> #include <settings.h> +#include <integrity_checker.h> #include <plugins/plugin_loader.h> #include <crypto/crypto_factory.h> #include <fetcher/fetcher_manager.h> @@ -108,6 +109,11 @@ struct library_t { settings_t *settings; /** + * integrity checker to verify code integrity + */ + integrity_checker_t *integrity; + + /** * is leak detective running? */ bool leak_detective; @@ -117,8 +123,9 @@ struct library_t { * Initialize library, creates "lib" instance. * * @param settings file to read settings from, may be NULL for none + * @return FALSE if integrity check failed */ -void library_init(char *settings); +bool library_init(char *settings); /** * Deinitialize library, destroys "lib" instance. diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am index e73040f27..a3101172f 100644 --- a/src/libstrongswan/plugins/aes/Makefile.am +++ b/src/libstrongswan/plugins/aes/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 19d3249b5..4414b2ede 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am index bc022aa26..e1000e562 100644 --- a/src/libstrongswan/plugins/agent/Makefile.am +++ b/src/libstrongswan/plugins/agent/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 5a5202262..a73edb362 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am index 6bb82169e..3fbc5893b 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.am +++ b/src/libstrongswan/plugins/blowfish/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 25cea73df..e536b5fc6 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am index 1b44516b2..f0a41e4ad 100644 --- a/src/libstrongswan/plugins/curl/Makefile.am +++ b/src/libstrongswan/plugins/curl/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index b413e035e..21d77ac8f 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl all: all-am diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am index ea94eda8a..76cfbc419 100644 --- a/src/libstrongswan/plugins/des/Makefile.am +++ b/src/libstrongswan/plugins/des/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index bbca6a032..19da339fe 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am index 73f28825a..d9431947e 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.am +++ b/src/libstrongswan/plugins/fips_prf/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 881d7a36e..5dcae7f27 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 72cc409fc..7394676e2 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 49994c593..e3d27f7f8 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) all: all-am diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c index 785ebda90..41e17c897 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c @@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) case HASH_SHA1: gcrypt_alg = GCRY_MD_SHA1; break; + case HASH_SHA224: + gcrypt_alg = GCRY_MD_SHA224; + break; case HASH_SHA256: gcrypt_alg = GCRY_MD_SHA256; break; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 547329dde..939e0886c 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t { */ static int mutex_init(void **lock) { - *lock = mutex_create(MUTEX_DEFAULT); + *lock = mutex_create(MUTEX_TYPE_DEFAULT); return 0; } @@ -148,6 +148,8 @@ plugin_t *plugin_create() (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 611ab2467..e0e8015db 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t { public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key); /** - * find a token in a S-expression + * find a token in a S-expression. If a key is given, its length is used to + * pad the output to a given length. */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key) { gcry_sexp_t token; - chunk_t data = chunk_empty; + chunk_t data = chunk_empty, tmp; + size_t len = 0; token = gcry_sexp_find_token(sexp, name, 1); if (token) @@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) { data.len = 0; } - data = chunk_clone(data); + else + { + if (key) + { + /* gcrypt might return more bytes than necessary. Truncate + * to key lenght if key given, or prepend zeros if needed */ + len = gcry_pk_get_nbits(key); + len = len / 8 + (len % 8 ? 1 : 0); + if (len > data.len) + { + tmp = chunk_alloc(len); + len -= data.len; + memset(tmp.ptr, 0, tmp.len - len); + memcpy(tmp.ptr + len, data.ptr, data.len); + data = tmp; + } + else if (len < data.len) + { + data = chunk_clone(chunk_skip(data, data.len - len)); + } + else + { + data = chunk_clone(data); + } + } + else + { + data = chunk_clone(data); + } + } gcry_sexp_release(token); } return data; @@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA256: return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) gcry_error_t err; /* p and q are swapped, gcrypt expects p < q */ - cp = gcrypt_rsa_find_token(this->key, "q"); - cq = gcrypt_rsa_find_token(this->key, "p"); - cd = gcrypt_rsa_find_token(this->key, "d"); + cp = gcrypt_rsa_find_token(this->key, "q", NULL); + cq = gcrypt_rsa_find_token(this->key, "p", NULL); + cd = gcrypt_rsa_find_token(this->key, "d", NULL); err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL) | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL) @@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) } return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0, - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)), asn1_integer("m", cd), asn1_integer("m", cp), asn1_integer("m", cq), asn1_integer("m", cexp1), asn1_integer("m", cexp2), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "u"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL))); } /** @@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, return FALSE; } publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL))); hasher->allocate_hash(hasher, publicKey, &hash); *keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash); chunk_free(&hash); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 8024f58a7..4d9c88c6d 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t { /** * Implemented in gcrypt_rsa_private_key.c */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name); +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key); bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, identification_t **keyid_info); @@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this, return verify_pkcs1(this, HASH_MD5, "md5", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err)); return FALSE; } - *encrypted = gcrypt_rsa_find_token(out, "a"); + *encrypted = gcrypt_rsa_find_token(out, "a", this->key); gcry_sexp_release(out); return !!encrypted->len; } @@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this, static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this) { return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL))); } /** @@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key) chunk_t n, e; this = gcrypt_rsa_public_key_create_empty(); - n = gcrypt_rsa_find_token(key, "n"); - e = gcrypt_rsa_find_token(key, "e"); + n = gcrypt_rsa_find_token(key, "n", NULL); + e = gcrypt_rsa_find_token(key, "e", NULL); err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))", n.len, n.ptr, e.len, e.ptr); diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am index f073b5d48..1ab358328 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.am +++ b/src/libstrongswan/plugins/gmp/Makefile.am @@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index a60cd998c..8d5dff34b 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp all: all-am diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index cbc112762..259c8e9ad 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 1f3e3072f..c26187c64 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this) /** * Build the PGP version 3 RSA key identifier from n and e using - * MD5 hashed modulus and exponent. Also used in rsa_private_key.c. + * MD5 hashed modulus and exponent. */ static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e) { diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am index 89e0638f3..1856cad2d 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.am +++ b/src/libstrongswan/plugins/hmac/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index fc36bd9fa..389bde8f9 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am index ac6b4be00..6ad073d97 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.am +++ b/src/libstrongswan/plugins/ldap/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 6eefc8546..93fc9a0c1 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber all: all-am diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am index f984322a6..a47da2e8e 100644 --- a/src/libstrongswan/plugins/md4/Makefile.am +++ b/src/libstrongswan/plugins/md4/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index efdb64e90..7ca6a20cc 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am index 0a9c5cbf4..ce0611c13 100644 --- a/src/libstrongswan/plugins/md5/Makefile.am +++ b/src/libstrongswan/plugins/md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 15c98aba4..fb9bc4b4d 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am index ec94b8fda..0daf7655b 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.am +++ b/src/libstrongswan/plugins/mysql/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 26b514ad6..21fe61923 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r all: all-am diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index d0d5a3d15..341217dd4 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri) free(this); return NULL; } - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->pool = linked_list_create(); /* check connectivity */ diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index f331a78eb..25cc5aa1d 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index 0ebb5acf0..e6d7b479b 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto all: all-am diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 7f48f1009..424fec60a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = { /* {ENCR_DES_IV32, "***", 0, 0}, */ /* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */ +/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */ {END_OF_LIST, NULL, 0, 0}, }; @@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, return NULL; } break; + case ENCR_CAMELLIA_CBC: + switch (key_size) + { + case 16: /* CAMELLIA 128 */ + this->cipher = EVP_get_cipherbyname("camellia128"); + break; + case 24: /* CAMELLIA 192 */ + this->cipher = EVP_get_cipherbyname("camellia192"); + break; + case 32: /* CAMELLIA 256 */ + this->cipher = EVP_get_cipherbyname("camellia256"); + break; + default: + free(this); + return NULL; + } + break; case ENCR_DES_ECB: this->cipher = EVP_des_ecb(); break; diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index c93acb75c..082aed9ca 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -108,7 +108,8 @@ error: * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of * the point. This function allocates memory for the chunk. */ -static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk) +static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, + chunk_t *chunk, bool x_coordinate_only) { BN_CTX *ctx; BIGNUM *x, *y; @@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu goto error; } + if (x_coordinate_only) + { + y = NULL; + } if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk)) { goto error; @@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ { const BIGNUM *priv_key; EC_POINT *secret = NULL; - bool ret = FALSE; + bool x_coordinate_only, ret = FALSE; priv_key = EC_KEY_get0_private_key(this->key); if (!priv_key) @@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ goto error; } - if (!ecp2chunk(this->ec_group, secret, shared_secret)) + /* + * The default setting ecp_x_coordinate_only = TRUE + * applies the following errata for RFC 4753: + * http://www.rfc-editor.org/errata_search.php?eid=9 + */ + x_coordinate_only = lib->settings->get_bool(lib->settings, + "libstrongswan.ecp_x_coordinate_only", TRUE); + if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only)) { goto error; } @@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch */ static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value) { - ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value); + ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE); } /** diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index ed3e57957..90a5229d5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = { {HASH_MD2, "md2"}, {HASH_MD5, "md5"}, {HASH_SHA1, "sha1"}, + {HASH_SHA224, "sha224"}, {HASH_SHA256, "sha256"}, {HASH_SHA384, "sha384"}, {HASH_SHA512, "sha512"}, diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index a90dff7f1..ce6716f5a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line) struct CRYPTO_dynlock_value *lock; lock = malloc_thing(struct CRYPTO_dynlock_value); - lock->mutex = mutex_create(MUTEX_DEFAULT); + lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return lock; } @@ -140,7 +140,7 @@ static void threading_init() mutex = malloc(sizeof(mutex_t*) * num_locks); for (i = 0; i < num_locks; i++) { - mutex[i] = mutex_create(MUTEX_DEFAULT); + mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT); } } @@ -212,6 +212,8 @@ plugin_t *plugin_create() /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_3DES, (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_RC5, @@ -238,6 +240,8 @@ plugin_t *plugin_create() (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index c5d4142da..95c0ffdc8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch return build_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 89912f24c..bc1ba35b6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc return verify_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index bb0c296e1..c8c453f64 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk) { int offset; - chunk->len = len * 2; + chunk->len = len + (b ? len : 0); chunk->ptr = malloc(chunk->len); memset(chunk->ptr, 0, chunk->len); + /* convert a */ offset = len - BN_num_bytes(a); if (!BN_bn2bin(a, chunk->ptr + offset)) { goto error; } - offset = len - BN_num_bytes(b); - if (!BN_bn2bin(b, chunk->ptr + len + offset)) + /* optionally convert and concatenate b */ + if (b) { - goto error; - } + offset = len - BN_num_bytes(b); + if (!BN_bn2bin(b, chunk->ptr + len + offset)) + { + goto error; + } + } return TRUE; error: diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am index e7c3ba486..b2b1f9d85 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.am +++ b/src/libstrongswan/plugins/padlock/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_aes_crypter.c padlock_aes_crypter.h \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 7fe0cc198..44f533744 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index dddb73551..e241b59be 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features() return d; } } - DBG1("Padlock not found, CPU is %s\n", vendor); + DBG1("Padlock not found, CPU is %s", vendor); return 0; } diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index ad5a9e240..459ba9ba9 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -22,6 +22,7 @@ #include <stdio.h> #include <debug.h> +#include <integrity_checker.h> #include <utils/linked_list.h> #include <plugins/plugin.h> @@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name); + if (lib->integrity) + { + if (!lib->integrity->check_file(lib->integrity, name, file)) + { + DBG1("plugin '%s': failed file integrity test of '%s'", name, file); + return NULL; + } + } handle = dlopen(file, RTLD_LAZY); if (handle == NULL) { - DBG1("loading plugin '%s' failed: %s", name, dlerror()); + DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror()); return NULL; } constructor = dlsym(handle, "plugin_create"); if (constructor == NULL) { - DBG1("loading plugin '%s' failed: no plugin_create() function", name); + DBG1("plugin '%s': failed to load - no plugin_create() function", name); dlclose(handle); return NULL; } + if (lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1("plugin '%s': failed segment integrity test", name); + dlclose(handle); + return NULL; + } + DBG1("plugin '%s': passed file and segment integrity tests", name); + } plugin = constructor(); if (plugin == NULL) { - DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name); + DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name); dlclose(handle); return NULL; } - DBG2("plugin '%s' loaded successfully", name); + DBG2("plugin '%s': loaded successfully", name); /* we do not store or free dlopen() handles, leak_detective requires * the modules to keep loaded until leak report */ diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am index 3b512614f..9423e6689 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.am +++ b/src/libstrongswan/plugins/pubkey/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 4514424f2..a672e2ea8 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am index 8b61d7094..9a11b8567 100644 --- a/src/libstrongswan/plugins/random/Makefile.am +++ b/src/libstrongswan/plugins/random/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 0bed27468..a2869fb51 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am index 5de45e4e8..ead51a45a 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.am +++ b/src/libstrongswan/plugins/sha1/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index c8b8905bb..f1f5807ab 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am index 066e49476..5422e1d4e 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.am +++ b/src/libstrongswan/plugins/sha2/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index f37c93502..b34286813 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c index 0e8811cca..645f4d786 100644 --- a/src/libstrongswan/plugins/sha2/sha2_hasher.c +++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c @@ -58,6 +58,11 @@ struct private_sha256_hasher_t { }; +static const u_int32_t sha224_hashInit[8] = { + 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, + 0x64f98fa7, 0xbefa4fa4 +}; + static const u_int32_t sha256_hashInit[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 @@ -422,6 +427,21 @@ static void sha512_final(private_sha512_hasher_t *ctx) } /** + * Implementation of hasher_t.get_hash for SHA224. + */ +static void get_hash224(private_sha256_hasher_t *this, + chunk_t chunk, u_int8_t *buffer) +{ + sha256_write(this, chunk.ptr, chunk.len); + if (buffer != NULL) + { + sha256_final(this); + memcpy(buffer, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + } +} + +/** * Implementation of hasher_t.get_hash for SHA256. */ static void get_hash256(private_sha256_hasher_t *this, @@ -467,6 +487,25 @@ static void get_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.allocate_hash for SHA224. + */ +static void allocate_hash224(private_sha256_hasher_t *this, + chunk_t chunk, chunk_t *hash) +{ + chunk_t allocated_hash; + + sha256_write(this, chunk.ptr, chunk.len); + if (hash != NULL) + { + sha256_final(this); + allocated_hash = chunk_alloc(HASH_SIZE_SHA224); + memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + *hash = allocated_hash; + } +} + +/** * Implementation of hasher_t.allocate_hash for SHA256. */ static void allocate_hash256(private_sha256_hasher_t *this, @@ -524,6 +563,14 @@ static void allocate_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.get_hash_size for SHA224. + */ +static size_t get_hash_size224(private_sha256_hasher_t *this) +{ + return HASH_SIZE_SHA224; +} + +/** * Implementation of hasher_t.get_hash_size for SHA256. */ static size_t get_hash_size256(private_sha256_hasher_t *this) @@ -548,6 +595,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this) } /** + * Implementation of hasher_t.reset for SHA224 + */ +static void reset224(private_sha256_hasher_t *ctx) +{ + memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H)); + ctx->sha_blocks = 0; + ctx->sha_bufCnt = 0; +} + +/** * Implementation of hasher_t.reset for SHA256 */ static void reset256(private_sha256_hasher_t *ctx) @@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm) switch (algorithm) { + case HASH_SHA224: + this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); + this->hasher_interface.reset = (void(*)(hasher_t*))reset224; + this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224; + this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224; + this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224; + break; case HASH_SHA256: this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); this->hasher_interface.reset = (void(*)(hasher_t*))reset256; diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index 21bc592dc..0743f7b1a 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c +++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -50,6 +50,8 @@ plugin_t *plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am index 7c3017abf..f26e31294 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.am +++ b/src/libstrongswan/plugins/sqlite/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 547548bd7..b59a1c343 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 all: all-am diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index ce873b714..6e4951f2d 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri) this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; this->public.db.destroy = (void(*)(database_t*))destroy; - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); if (sqlite3_open(file, &this->db) != SQLITE_OK) { diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 27d17c084..6028805c4 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha2_hmac.c \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index bb877620c..0e408ba7e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index df5a9c9a8..b182dd829 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7) TEST_VECTOR_HASHER(sha1_1) TEST_VECTOR_HASHER(sha1_2) TEST_VECTOR_HASHER(sha1_3) +TEST_VECTOR_HASHER(sha224_1) +TEST_VECTOR_HASHER(sha224_2) +TEST_VECTOR_HASHER(sha224_3) TEST_VECTOR_HASHER(sha256_1) TEST_VECTOR_HASHER(sha256_2) TEST_VECTOR_HASHER(sha256_3) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c index e2bd42240..4679c26b3 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c @@ -16,6 +16,41 @@ #include <crypto/crypto_tester.h> /** + * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" + */ +hasher_test_vector_t sha224_1 = { + .alg = HASH_SHA224, .len = 1, + .data = "\x07", + .hash = "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53" + "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a" + +}; + +hasher_test_vector_t sha224_2 = { + .alg = HASH_SHA224, .len = 16, + .data = "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62", + .hash = "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac" + "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1" +}; + +hasher_test_vector_t sha224_3 = { + .alg = HASH_SHA224, .len = 163, + .data = "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" + "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" + "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" + "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" + "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" + "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" + "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" + "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" + "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" + "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" + "\x87\x82\x73", + .hash = "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a" + "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4" +}; + +/** * SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" */ hasher_test_vector_t sha256_1 = { diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am index 3f9f85c36..e9668b4e4 100644 --- a/src/libstrongswan/plugins/x509/Makefile.am +++ b/src/libstrongswan/plugins/x509/Makefile.am @@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_request.h x509_ocsp_request.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 0c62ad3b3..56cb04769 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am index 1b10d21f8..515b75031 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.am +++ b/src/libstrongswan/plugins/xcbc/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 82ef55bd5..1d4e39586 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 4a0eff45f..305841172 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -20,6 +20,7 @@ #include <string.h> #include <stdio.h> #include <unistd.h> +#include <stdint.h> #include <limits.h> #include <dirent.h> #include <time.h> @@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size) /** * Described in header. */ -void memxor(u_int8_t dest[], u_int8_t src[], size_t n) +void memxor(u_int8_t dst[], u_int8_t src[], size_t n) { - int i = 0, m; + int m, i; - m = n - sizeof(long); - while (i < m) + /* byte wise XOR until dst aligned */ + for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++) { - *(long*)(dest + i) ^= *(long*)(src + i); - i += sizeof(long); + dst[i] ^= src[i]; } - while (i < n) + /* try to use words if src shares an aligment with dst */ + switch (((uintptr_t)&src[i] % sizeof(long))) { - dest[i] ^= src[i]; - i++; + case 0: + for (m = n - sizeof(long); i <= m; i += sizeof(long)) + { + *(long*)&dst[i] ^= *(long*)&src[i]; + } + break; + case sizeof(int): + for (m = n - sizeof(int); i <= m; i += sizeof(int)) + { + *(int*)&dst[i] ^= *(int*)&src[i]; + } + break; + case sizeof(short): + for (m = n - sizeof(short); i <= m; i += sizeof(short)) + { + *(short*)&dst[i] ^= *(short*)&src[i]; + } + break; + default: + break; + } + /* byte wise XOR of the rest */ + for (; i < n; i++) + { + dst[i] ^= src[i]; } } diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index debd0145b..5d273d272 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -29,6 +29,16 @@ #include <enum.h> /** + * strongSwan program return codes + */ +#define SS_RC_LIBSTRONGSWAN_INTEGRITY 64 +#define SS_RC_DAEMON_INTEGRITY 65 +#define SS_RC_INITIALIZATION_FAILED 66 + +#define SS_RC_FIRST SS_RC_LIBSTRONGSWAN_INTEGRITY +#define SS_RC_LAST SS_RC_INITIALIZATION_FAILED + +/** * Number of bits in a byte */ #define BITS_PER_BYTE 8 @@ -134,6 +144,19 @@ # define TRUE true #endif /* TRUE */ +/** + * define some missing fixed width int types on OpenSolaris. + * TODO: since the uintXX_t types are defined by the C99 standard we should + * probably use those anyway + */ +#ifdef __sun + #include <stdint.h> + typedef uint8_t u_int8_t; + typedef uint16_t u_int16_t; + typedef uint32_t u_int32_t; + typedef uint64_t u_int64_t; +#endif + typedef enum status_t status_t; /** diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c index 24bafe66a..08522b8d5 100644 --- a/src/libstrongswan/utils/enumerator.c +++ b/src/libstrongswan/utils/enumerator.c @@ -408,7 +408,7 @@ typedef struct { /** * Implementation of enumerator_create_filter().destroy */ -void destroy_filter(filter_enumerator_t *this) +static void destroy_filter(filter_enumerator_t *this) { if (this->destructor) { @@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this) /** * Implementation of enumerator_create_filter().enumerate */ -bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, - void *o3, void *o4, void *o5) +static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, + void *o3, void *o4, void *o5) { void *i1, *i2, *i3, *i4, *i5; diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 484de5e54..661bec315 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -17,6 +17,7 @@ */ #define _GNU_SOURCE +#include <sys/socket.h> #include <netdb.h> #include <string.h> @@ -433,16 +434,40 @@ host_t *host_create_from_string(char *string, u_int16_t port) /* * Described in header. */ +host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) +{ + private_host_t *this = host_create_empty(); + + switch (sockaddr->sa_family) + { + case AF_INET: + { + memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); + this->socklen = sizeof(struct sockaddr_in); + return &this->public; + } + case AF_INET6: + { + memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); + this->socklen = sizeof(struct sockaddr_in6); + return &this->public; + } + default: + break; + } + free(this); + return NULL; +} + +/* + * Described in header. + */ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { private_host_t *this; - struct hostent *ptr; - int ret = 0, err; -#ifdef HAVE_GETHOSTBYNAME_R - struct hostent host; - char buf[512]; -#endif - + struct addrinfo hints, *result; + int error; + if (streq(string, "%any")) { return host_create_any_port(af ? af : AF_INET, port); @@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } - else if (strchr(string, ':')) - { - /* gethostbyname does not like IPv6 addresses - fallback */ - return host_create_from_string(string, port); - } - -#ifdef HAVE_GETHOSTBYNAME_R - if (af) - { - ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err); - } - else - { - ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err); - } -#else - /* Some systems (e.g. Mac OS X) do not support gethostbyname_r */ - if (af) - { - ptr = gethostbyname2(string, af); - } - else - { - ptr = gethostbyname(string); - } - if (ptr == NULL) - { - err = h_errno; - } -#endif - if (ret != 0 || ptr == NULL) + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + error = getaddrinfo(string, NULL, &hints, &result); + if (error != 0) { - DBG1("resolving '%s' failed: %s", string, hstrerror(err)); + DBG1("resolving '%s' failed: %s", string, gai_strerror(error)); return NULL; } - this = host_create_empty(); - this->address.sa_family = ptr->h_addrtype; - switch (this->address.sa_family) + /* result is a linked list, but we use only the first address */ + this = (private_host_t*)host_create_from_sockaddr(result->ai_addr); + freeaddrinfo(result); + if (this) { - case AF_INET: - memcpy(&this->address4.sin_addr.s_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address4.sin_port = htons(port); - this->socklen = sizeof(struct sockaddr_in); - break; - case AF_INET6: - memcpy(&this->address6.sin6_addr.s6_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address6.sin6_port = htons(port); - this->socklen = sizeof(struct sockaddr_in6); - break; - default: - free(this); - return NULL; + switch (this->address.sa_family) + { + case AF_INET: + this->address4.sin_port = htons(port); + break; + case AF_INET6: + this->address6.sin6_port = htons(port); + break; + } + return &this->public; } - return &this->public; + return NULL; } /* @@ -569,34 +564,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) /* * Described in header. */ -host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) -{ - private_host_t *this = host_create_empty(); - - switch (sockaddr->sa_family) - { - case AF_INET: - { - memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); - this->socklen = sizeof(struct sockaddr_in); - return &this->public; - } - case AF_INET6: - { - memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); - this->socklen = sizeof(struct sockaddr_in6); - return &this->public; - } - default: - break; - } - free(this); - return NULL; -} - -/* - * Described in header. - */ host_t *host_create_any(int family) { private_host_t *this = host_create_empty(); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1c04c97ef..10daf4679 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -21,7 +21,6 @@ #include <arpa/inet.h> #include <string.h> #include <stdio.h> -#include <ctype.h> #include "identification.h" @@ -122,365 +121,216 @@ struct private_identification_t { id_type_t type; }; -static private_identification_t *identification_create(void); - /** - * updates a chunk (!????) - * TODO: We should reconsider this stuff, its not really clear + * Enumerator over RDNs */ -static void update_chunk(chunk_t *ch, int n) -{ - n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1; - ch->ptr += n; ch->len -= n; -} +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* next set to parse, if any */ + chunk_t sets; + /* next sequence in set, if any */ + chunk_t seqs; +} rdn_enumerator_t; /** - * Remove any malicious characters from a chunk. We are very restrictive, but - * whe use these strings only to present it to the user. + * Implementation of rdn_enumerator_t.enumerate */ -static bool sanitize_chunk(chunk_t chunk, chunk_t *clone) +static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid, + u_char *type, chunk_t *data) { - char *pos; - bool all_printable = TRUE; - - *clone = chunk_clone(chunk); + chunk_t rdn; - for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++) + /* a DN contains one or more SET, each containing one or more SEQUENCES, + * each containing a OID/value RDN */ + if (!this->seqs.len) { - if (!isprint(*pos)) + /* no SEQUENCEs in current SET, parse next SET */ + if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET) { - *pos = '?'; - all_printable = FALSE; + return FALSE; + } + } + if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE && + asn1_unwrap(&rdn, oid) == ASN1_OID) + { + int t = asn1_unwrap(&rdn, data); + + if (t != ASN1_INVALID) + { + *type = t; + return TRUE; } } - return all_printable; + return FALSE; } /** - * Pointer is set to the first RDN in a DN + * Create an enumerator over all RDNs (oid, string type, data) of a DN */ -static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next) +static enumerator_t* create_rdn_enumerator(chunk_t dn) { - *rdn = chunk_empty; - *attribute = chunk_empty; + rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - /* a DN is a SEQUENCE OF RDNs */ - if (*dn.ptr != ASN1_SEQUENCE) - { - /* DN is not a SEQUENCE */ - return FALSE; - } + e->public.enumerate = (void*)rdn_enumerate; + e->public.destroy = (void*)free; - rdn->len = asn1_length(&dn); - - if (rdn->len == ASN1_INVALID_LENGTH) + /* a DN is a SEQUENCE, get the first SET of it */ + if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE) { - /* Invalid RDN length */ - return FALSE; + e->seqs = chunk_empty; + return &e->public; } - - rdn->ptr = dn.ptr; - - /* are there any RDNs ? */ - *next = rdn->len > 0; - - return TRUE; + free(e); + return enumerator_create_empty(); } /** - * Fetches the next RDN in a DN + * Part enumerator over RDNs + */ +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* inner RDN enumerator */ + enumerator_t *inner; +} rdn_part_enumerator_t; + +/** + * Implementation of rdn_part_enumerator_t.enumerate(). */ -static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, - chunk_t *value, asn1_t *type, bool *next) +static bool rdn_part_enumerate(rdn_part_enumerator_t *this, + id_part_t *type, chunk_t *data) { - chunk_t body; + int i, known_oid, strtype; + chunk_t oid, inner_data; + static const struct { + int oid; + id_part_t type; + } oid2part[] = { + {OID_COMMON_NAME, ID_PART_RDN_CN}, + {OID_SURNAME, ID_PART_RDN_S}, + {OID_SERIAL_NUMBER, ID_PART_RDN_SN}, + {OID_COUNTRY, ID_PART_RDN_C}, + {OID_LOCALITY, ID_PART_RDN_L}, + {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST}, + {OID_ORGANIZATION, ID_PART_RDN_O}, + {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU}, + {OID_TITLE, ID_PART_RDN_T}, + {OID_DESCRIPTION, ID_PART_RDN_D}, + {OID_NAME, ID_PART_RDN_N}, + {OID_GIVEN_NAME, ID_PART_RDN_G}, + {OID_INITIALS, ID_PART_RDN_I}, + {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID}, + {OID_EMAIL_ADDRESS, ID_PART_RDN_E}, + {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN}, + }; - /* initialize return values */ - *oid = chunk_empty; - *value = chunk_empty; - - /* if all attributes have been parsed, get next rdn */ - if (attribute->len <= 0) + while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data)) { - /* an RDN is a SET OF attributeTypeAndValue */ - if (*rdn->ptr != ASN1_SET) + known_oid = asn1_known_oid(oid); + for (i = 0; i < countof(oid2part); i++) { - /* RDN is not a SET */ - return FALSE; - } - attribute->len = asn1_length(rdn); - if (attribute->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute length */ - return FALSE; + if (oid2part[i].oid == known_oid) + { + *type = oid2part[i].type; + *data = inner_data; + return TRUE; + } } - attribute->ptr = rdn->ptr; - /* advance to start of next RDN */ - rdn->ptr += attribute->len; - rdn->len -= attribute->len; - } - - /* an attributeTypeAndValue is a SEQUENCE */ - if (*attribute->ptr != ASN1_SEQUENCE) - { - /* attributeTypeAndValue is not a SEQUENCE */ - return FALSE; } - - /* extract the attribute body */ - body.len = asn1_length(attribute); - - if (body.len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute body length */ - return FALSE; - } - - body.ptr = attribute->ptr; - - /* advance to start of next attribute */ - attribute->ptr += body.len; - attribute->len -= body.len; - - /* attribute type is an OID */ - if (*body.ptr != ASN1_OID) - { - /* attributeType is not an OID */ - return FALSE; - } - /* extract OID */ - oid->len = asn1_length(&body); - - if (oid->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute OID length */ - return FALSE; - } - oid->ptr = body.ptr; - - /* advance to the attribute value */ - body.ptr += oid->len; - body.len -= oid->len; - - /* extract string type */ - *type = *body.ptr; - - /* extract string value */ - value->len = asn1_length(&body); - - if (value->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute string length */ - return FALSE; - } - value->ptr = body.ptr; - - /* are there any RDNs left? */ - *next = rdn->len > 0 || attribute->len > 0; - return TRUE; + return FALSE; } /** - * Parses an ASN.1 distinguished name int its OID/value pairs + * Implementation of rdn_part_enumerator_t.destroy(). */ -static bool dntoa(chunk_t dn, chunk_t *str) +static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this) { - chunk_t rdn, oid, attribute, value, proper; - asn1_t type; - int oid_code; - bool next; - bool first = TRUE; - - if (!init_rdn(dn, &rdn, &attribute, &next)) - { - return FALSE; - } - - while (next) - { - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - - if (first) - { /* first OID/value pair */ - first = FALSE; - } - else - { /* separate OID/value pair by a comma */ - update_chunk(str, snprintf(str->ptr,str->len,", ")); - } - - /* print OID */ - oid_code = asn1_known_oid(oid); - if (oid_code == OID_UNKNOWN) - { - update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid)); - } - else - { - update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name)); - } - /* print value */ - sanitize_chunk(value, &proper); - update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr)); - chunk_free(&proper); - } - return TRUE; + this->inner->destroy(this->inner); + free(this); } /** - * compare two distinguished names by - * comparing the individual RDNs + * Implementation of identification_t.create_part_enumerator */ -static bool same_dn(chunk_t a, chunk_t b) +static enumerator_t* create_part_enumerator(private_identification_t *this) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* same lengths for the DNs */ - if (a.len != b.len) - { - return FALSE; - } - /* try a binary comparison first */ - if (memeq(a.ptr, b.ptr, b.len)) - { - return TRUE; - } - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } - - /* fetch next RDN pair */ - while (next_a && next_b) + switch (this->type) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) - { - return FALSE; - } - - /* OIDs must agree */ - if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len)) - { - return FALSE; - } - - /* same lengths for values */ - if (value_a.len != value_b.len) - { - return FALSE; - } - - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) - { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } - } - else + case ID_DER_ASN1_DN: { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t); + + e->inner = create_rdn_enumerator(this->encoded); + e->public.enumerate = (void*)rdn_part_enumerate; + e->public.destroy = (void*)rdn_part_enumerator_destroy; + + return &e->public; } + case ID_RFC822_ADDR: + /* TODO */ + case ID_FQDN: + /* TODO */ + default: + return enumerator_create_empty(); } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) - { - return FALSE; - } - /* the two DNs are equal! */ - return TRUE; } - /** - * compare two distinguished names by comparing the individual RDNs. - * A single'*' character designates a wildcard RDN in DN b. - * TODO: Add support for different RDN order in DN !! + * Print a DN with all its RDN in a buffer to present it to the user */ -bool match_dn(chunk_t a, chunk_t b, int *wildcards) +static void dntoa(chunk_t dn, char *buf, size_t len) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* initialize wildcard counter */ - *wildcards = 0; - - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } + enumerator_t *e; + chunk_t oid_data, data; + u_char type; + int oid, written; + bool finished = FALSE; - /* fetch next RDN pair */ - while (next_a && next_b) + e = create_rdn_enumerator(dn); + while (e->enumerate(e, &oid_data, &type, &data)) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) + oid = asn1_known_oid(oid_data); + + if (oid == OID_UNKNOWN) { - return FALSE; + written = snprintf(buf, len, "%#B=", &oid_data); } - /* OIDs must agree */ - if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0) + else { - return FALSE; + written = snprintf(buf, len,"%s=", oid_names[oid].name); } + buf += written; + len -= written; - /* does rdn_b contain a wildcard? */ - if (value_b.len == 1 && *value_b.ptr == '*') + if (chunk_printable(data, NULL, '?')) { - (*wildcards)++; - continue; + written = snprintf(buf, len, "%.*s", data.len, data.ptr); } - /* same lengths for values */ - if (value_a.len != value_b.len) + else { - return FALSE; + written = snprintf(buf, len, "%#B", &data); } + buf += written; + len -= written; - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) + if (data.ptr + data.len != dn.ptr + dn.len) { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } + written = snprintf(buf, len, ", "); + buf += written; + len -= written; } else { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + finished = TRUE; + break; } } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) + if (!finished) { - return FALSE; + snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } - /* the two DNs match! */ - *wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); - return TRUE; + e->destroy(e); } /** @@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this) } /** - * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN. + * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN. */ static bool contains_wildcards_dn(private_identification_t *this) { - chunk_t rdn, attribute; - chunk_t oid, value; - asn1_t type; - bool next; + enumerator_t *enumerator; + bool contains = FALSE; + id_part_t type; + chunk_t data; - if (!init_rdn(this->encoded, &rdn, &attribute, &next)) - { - return FALSE; - } - /* fetch next RDN */ - while (next) + enumerator = create_part_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &data)) { - /* parse next RDN and check for errors */ - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - /* check if RDN is a wildcard */ - if (value.len == 1 && *value.ptr == '*') + if (data.len == 1 && data.ptr[0] == '*') { - return TRUE; + contains = TRUE; + break; } } - return FALSE; + enumerator->destroy(enumerator); + return contains; } /** - * Implementation of identification_t.contains_wildcards. + * Implementation of identification_t.contains_wildcards using memchr(*). */ -static bool contains_wildcards(private_identification_t *this) +static bool contains_wildcards_memchr(private_identification_t *this) { - switch (this->type) - { - case ID_ANY: - return TRUE; - case ID_FQDN: - case ID_RFC822_ADDR: - return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; - case ID_DER_ASN1_DN: - return contains_wildcards_dn(this); - default: - return FALSE; - } + return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; } /** @@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification } return chunk_equals(this->encoded, other->encoded); } - return FALSE; + return FALSE; +} + +/** + * Compare to DNs, for equality if wc == NULL, for match otherwise + */ +static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) +{ + enumerator_t *t, *o; + chunk_t t_oid, o_oid, t_data, o_data; + u_char t_type, o_type; + bool t_next, o_next, finished = FALSE; + + if (wc) + { + *wc = 0; + } + else + { + if (t_dn.len != o_dn.len) + { + return FALSE; + } + } + /* try a binary compare */ + if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) + { + return TRUE; + } + + t = create_rdn_enumerator(t_dn); + o = create_rdn_enumerator(o_dn); + while (TRUE) + { + t_next = t->enumerate(t, &t_oid, &t_type, &t_data); + o_next = o->enumerate(o, &o_oid, &o_type, &o_data); + + if (!o_next && !t_next) + { + break; + } + finished = FALSE; + if (o_next != t_next) + { + break; + } + if (!chunk_equals(t_oid, o_oid)) + { + break; + } + if (wc && o_data.len == 1 && o_data.ptr[0] == '*') + { + (*wc)++; + } + else + { + if (t_data.len != o_data.len) + { + break; + } + if (t_type == o_type && + (t_type == ASN1_PRINTABLESTRING || + (t_type == ASN1_IA5STRING && + (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL || + asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS)))) + { /* ignore case for printableStrings and email RDNs */ + if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0) + { + break; + } + } + else + { /* respect case and length for everything else */ + if (!memeq(t_data.ptr, o_data.ptr, t_data.len)) + { + break; + } + } + } + /* the enumerator returns FALSE on parse error, we are finished + * if we have reached the end of the DN only */ + if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) && + (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len)) + { + finished = TRUE; + } + } + t->destroy(t); + o->destroy(o); + return finished; } /** @@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification static bool equals_dn(private_identification_t *this, private_identification_t *other) { - return same_dn(this->encoded, other->encoded); + return compare_dn(this->encoded, other->encoded, NULL); } /** @@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this, * Checks for a wildcard in other-string, and compares it against this-string. */ static id_match_t matches_string(private_identification_t *this, - private_identification_t *other) + private_identification_t *other) { u_int len = other->encoded.len; @@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this, private_identification_t *other) { int wc; - + if (other->type == ID_ANY) { return ID_MATCH_ANY; @@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this, if (this->type == other->type) { - if (match_dn(this->encoded, other->encoded, &wc)) + if (compare_dn(this->encoded, other->encoded, &wc)) { + wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); return ID_MATCH_PERFECT - wc; } } @@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, const void *const *args) { private_identification_t *this = *((private_identification_t**)(args[0])); - char buf[BUF_LEN]; - chunk_t proper, buf_chunk = chunk_from_buf(buf); + chunk_t proper; + char buf[512]; if (this == NULL) { @@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: case ID_IETF_ATTR_STRING: - sanitize_chunk(this->encoded, &proper); + chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: - if (!dntoa(this->encoded, &buf_chunk)) - { - snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)"); - } + dntoa(this->encoded, buf, sizeof(buf)); break; case ID_DER_ASN1_GN: snprintf(buf, sizeof(buf), "(ASN.1 general Name"); break; case ID_KEY_ID: - if (sanitize_chunk(this->encoded, &proper)) + if (chunk_printable(this->encoded, NULL, '?')) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); + snprintf(buf, sizeof(buf), "%.*s", + this->encoded.len, this->encoded.ptr); } else { /* not printable, hex dump */ snprintf(buf, sizeof(buf), "%#B", &this->encoded); } - chunk_free(&proper); break; case ID_PUBKEY_INFO_SHA1: case ID_PUBKEY_SHA1: @@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, } return print_in_hook(dst, len, "%*s", spec->width, buf); } - -/** - * Enumerator over RDNs - */ -typedef struct { - /* implements enumerator interface */ - enumerator_t public; - /* current RDN */ - chunk_t rdn; - /* current attribute */ - chunk_t attr; - /** have another RDN? */ - bool next; -} rdn_enumerator_t; - -/** - * Implementation of rdn_enumerator_t.enumerate - */ -static bool rdn_enumerate(rdn_enumerator_t *this, - id_part_t *type, chunk_t *data) -{ - chunk_t oid, value; - asn1_t asn1_type; - - while (this->next) - { - if (!get_next_rdn(&this->rdn, &this->attr, &oid, - &value, &asn1_type, &this->next)) - { - return FALSE; - } - switch (asn1_known_oid(oid)) - { - case OID_COMMON_NAME: - *type = ID_PART_RDN_CN; - break; - case OID_SURNAME: - *type = ID_PART_RDN_S; - break; - case OID_SERIAL_NUMBER: - *type = ID_PART_RDN_SN; - break; - case OID_COUNTRY: - *type = ID_PART_RDN_C; - break; - case OID_LOCALITY: - *type = ID_PART_RDN_L; - break; - case OID_STATE_OR_PROVINCE: - *type = ID_PART_RDN_ST; - break; - case OID_ORGANIZATION: - *type = ID_PART_RDN_O; - break; - case OID_ORGANIZATION_UNIT: - *type = ID_PART_RDN_OU; - break; - case OID_TITLE: - *type = ID_PART_RDN_T; - break; - case OID_DESCRIPTION: - *type = ID_PART_RDN_D; - break; - case OID_NAME: - *type = ID_PART_RDN_N; - break; - case OID_GIVEN_NAME: - *type = ID_PART_RDN_G; - break; - case OID_INITIALS: - *type = ID_PART_RDN_I; - break; - case OID_UNIQUE_IDENTIFIER: - *type = ID_PART_RDN_ID; - break; - case OID_EMAIL_ADDRESS: - *type = ID_PART_RDN_E; - break; - case OID_EMPLOYEE_NUMBER: - *type = ID_PART_RDN_EN; - break; - default: - continue; - } - *data = value; - return TRUE; - } - return FALSE; -} - -/** - * Implementation of identification_t.create_part_enumerator - */ -static enumerator_t* create_part_enumerator(private_identification_t *this) -{ - switch (this->type) - { - case ID_DER_ASN1_DN: - { - rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - - e->public.enumerate = (void*)rdn_enumerate; - e->public.destroy = (void*)free; - if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next)) - { - return &e->public; - } - free(e); - /* FALL */ - } - case ID_RFC822_ADDR: - /* TODO */ - case ID_FQDN: - /* TODO */ - default: - return enumerator_create_empty(); - } -} - /** * Implementation of identification_t.clone. */ static identification_t *clone_(private_identification_t *this) { - private_identification_t *clone = identification_create(); + private_identification_t *clone = malloc_thing(private_identification_t); - clone->type = this->type; + memcpy(clone, this, sizeof(private_identification_t)); if (this->encoded.len) { clone->encoded = chunk_clone(this->encoded); } - clone->public.equals = this->public.equals; - clone->public.matches = this->public.matches; - return &clone->public; } @@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this) /** * Generic constructor used for the other constructors. */ -static private_identification_t *identification_create(void) +static private_identification_t *identification_create(id_type_t type) { private_identification_t *this = malloc_thing(private_identification_t); this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding; this->public.get_type = (id_type_t (*) (identification_t*))get_type; - this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards; this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator; this->public.clone = (identification_t* (*) (identification_t*))clone_; this->public.destroy = (void (*) (identification_t*))destroy; - /* we use these as defaults, the may be overloaded for special ID types */ - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + switch (type) + { + case ID_ANY: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any; + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_true; + break; + case ID_FQDN: + case ID_RFC822_ADDR: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string; + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr; + break; + case ID_DER_ASN1_DN: + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn; + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn; + break; + default: + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_false; + break; + } + + this->type = type; this->encoded = chunk_empty; return this; @@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void) */ identification_t *identification_create_from_string(char *string) { - private_identification_t *this = identification_create(); - + private_identification_t *this; + chunk_t encoded; + if (string == NULL) { string = "%any"; @@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string) /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN. * convert from LDAP style or openssl x509 -subject style to ASN.1 DN */ - if (atodn(string, &this->encoded) != SUCCESS) + if (atodn(string, &encoded) == SUCCESS) + { + this = identification_create(ID_DER_ASN1_DN); + this->encoded = encoded; + } + else { - this->type = ID_KEY_ID; + this = identification_create(ID_KEY_ID); this->encoded = chunk_clone(chunk_create(string, strlen(string))); - return &this->public; } - this->type = ID_DER_ASN1_DN; - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn; return &this->public; } else if (strchr(string, '@') == NULL) @@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string) || streq(string, "0::0")) { /* any ID will be accepted */ - this->type = ID_ANY; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; + this = identification_create(ID_ANY); return &this->public; } else { if (strchr(string, ':') == NULL) { - /* try IPv4 */ struct in_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET, string, &address) <= 0) - { - /* not IPv4, mostly FQDN */ - this->type = ID_FQDN; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - return &this->public; + if (inet_pton(AF_INET, string, &address) > 0) + { /* is IPv4 */ + this = identification_create(ID_IPV4_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4, mostly FQDN */ + this = identification_create(ID_FQDN); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV4_ADDR; return &this->public; } else { - /* try IPv6 */ struct in6_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET6, string, &address) <= 0) - { - this->type = ID_KEY_ID; - this->encoded = chunk_clone(chunk_create(string, - strlen(string))); - return &this->public; + if (inet_pton(AF_INET6, string, &address) > 0) + { /* is IPv6 */ + this = identification_create(ID_IPV6_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4/6 fallback to KEY_ID */ + this = identification_create(ID_KEY_ID); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV6_ADDR; return &this->public; } } @@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string) { if (*(string + 1) == '#') { + this = identification_create(ID_KEY_ID); string += 2; - this->type = ID_KEY_ID; this->encoded = chunk_from_hex( chunk_create(string, strlen(string)), NULL); return &this->public; } else { - this->type = ID_FQDN; - this->encoded.ptr = strdup(string + 1); - this->encoded.len = strlen(string + 1); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_FQDN); + string += 1; + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } else { - this->type = ID_RFC822_ADDR; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_RFC822_ADDR); + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } @@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string) /* * Described in header. */ -identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded) +identification_t *identification_create_from_encoding(id_type_t type, + chunk_t encoded) { - private_identification_t *this = identification_create(); - - this->type = type; - switch (type) - { - case ID_ANY: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; - break; - case ID_FQDN: - case ID_RFC822_ADDR: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - break; - case ID_DER_ASN1_DN: - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_dn; - break; - case ID_IPV4_ADDR: - case ID_IPV6_ADDR: - case ID_DER_ASN1_GN: - case ID_KEY_ID: - case ID_DER_ASN1_GN_URI: - case ID_PUBKEY_INFO_SHA1: - case ID_PUBKEY_SHA1: - case ID_CERT_DER_SHA1: - case ID_IETF_ATTR_STRING: - default: - break; - } + private_identification_t *this = identification_create(type); /* apply encoded chunk */ if (type != ID_ANY) diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c index 8b3a25201..a6c39e94c 100644 --- a/src/libstrongswan/utils/mutex.c +++ b/src/libstrongswan/utils/mutex.c @@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type) { switch (type) { - case MUTEX_RECURSIVE: + case MUTEX_TYPE_RECURSIVE: { private_r_mutex_t *this = malloc_thing(private_r_mutex_t); @@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type) return &this->generic.public; } - case MUTEX_DEFAULT: + case MUTEX_TYPE_DEFAULT: default: { private_mutex_t *this = malloc_thing(private_mutex_t); @@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type) { switch (type) { - case CONDVAR_DEFAULT: + case CONDVAR_TYPE_DEFAULT: default: { private_condvar_t *this = malloc_thing(private_condvar_t); @@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type) { switch (type) { - case RWLOCK_DEFAULT: + case RWLOCK_TYPE_DEFAULT: default: { private_rwlock_t *this = malloc_thing(private_rwlock_t); diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h index c5c667992..273f56b47 100644 --- a/src/libstrongswan/utils/mutex.h +++ b/src/libstrongswan/utils/mutex.h @@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t; #include <library.h> +#ifdef __APPLE__ +/* on Mac OS X 10.5 several system calls we use are no cancellation points. + * fortunately, select isn't one of them, so we wrap some of the others with + * calls to select(2). + */ +#include <sys/socket.h> +#include <sys/select.h> + +#define WRAP_WITH_SELECT(func, socket, ...)\ + fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\ + if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\ + return func(socket, __VA_ARGS__) + +static inline int cancellable_accept(int socket, struct sockaddr *address, + socklen_t *address_len) +{ + WRAP_WITH_SELECT(accept, socket, address, address_len); +} +#define accept cancellable_accept +static inline int cancellable_recvfrom(int socket, void *buffer, size_t length, + int flags, struct sockaddr *address, socklen_t *address_len) +{ + WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len); +} +#define recvfrom cancellable_recvfrom +#endif /* __APPLE__ */ + /** * Type of mutex. */ enum mutex_type_t { /** default mutex */ - MUTEX_DEFAULT = 0, + MUTEX_TYPE_DEFAULT = 0, /** allow recursive locking of the mutex */ - MUTEX_RECURSIVE = 1, + MUTEX_TYPE_RECURSIVE = 1, }; /** @@ -46,7 +73,7 @@ enum mutex_type_t { */ enum condvar_type_t { /** default condvar */ - CONDVAR_DEFAULT = 0, + CONDVAR_TYPE_DEFAULT = 0, }; /** @@ -54,7 +81,7 @@ enum condvar_type_t { */ enum rwlock_type_t { /** default condvar */ - RWLOCK_DEFAULT = 0, + RWLOCK_TYPE_DEFAULT = 0, }; /** diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 49376379e..2252f57ec 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -98,12 +98,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -168,6 +170,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -208,7 +211,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index a9ef57922..239923c40 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -84,12 +84,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -154,6 +156,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -194,7 +197,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c index 0dec27698..01ba0c8cc 100755 --- a/src/medsrv/controller/peer_controller.c +++ b/src/medsrv/controller/peer_controller.c @@ -23,6 +23,8 @@ #include <debug.h> #include <asn1/asn1.h> #include <asn1/oid.h> +#include <utils/identification.h> +#include <credentials/keys/public_key.h> typedef struct private_peer_controller_t private_peer_controller_t; diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 7bf71b08f..d8d590eb2 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -70,12 +70,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -140,6 +142,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -180,7 +183,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/openac/openac.c b/src/openac/openac.c index 3686c07ac..a8f75e093 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -40,11 +40,6 @@ #include <credentials/keys/private_key.h> #include <utils/optionsfrom.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips_signature.h> -#endif /* INTEGRITY_TEST */ - #define OPENAC_PATH IPSEC_CONFDIR "/openac" #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" @@ -223,15 +218,16 @@ static void openac_dbg(int level, char *fmt, ...) if (level <= debug_level) { - va_start(args, fmt); - if (!stderr_quiet) { + va_start(args, fmt); vfprintf(stderr, fmt, args); fprintf(stderr, "\n"); + va_end(args); } /* write in memory buffer first */ + va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); va_end(args); @@ -287,7 +283,18 @@ int main(int argc, char **argv) openlog("openac", 0, LOG_AUTHPRIV); /* initialize library */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "openac", argv[0])) + { + fprintf(stderr, "integrity check of openac failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "openac.load", PLUGINS)); @@ -482,20 +489,6 @@ int main(int argc, char **argv) DBG1("starting openac (strongSwan Version %s)", VERSION); -#ifdef INTEGRITY_TEST - DBG1("integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(" integrity test passed"); - } - else - { - DBG1(" integrity test failed"); - status = 3; - goto end; - } -#endif /* INTEGRITY_TEST */ - /* load the signer's RSA private key */ if (keyfile != NULL) { diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 01237305b..c9cb6651f 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -110,11 +110,6 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif -# This compile option activates the integrity test of libstrongswan -if USE_INTEGRITY_TEST - AM_CFLAGS += -DINTEGRITY_TEST -endif - if USE_CAPABILITIES pluto_LDADD += -lcap endif diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 01bda8540..871f0c905 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD - -# This compile option activates the integrity test of libstrongswan -@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST -@USE_CAPABILITIES_TRUE@am__append_7 = -lcap -@USE_THREADS_TRUE@am__append_8 = -DTHREADS +@USE_CAPABILITIES_TRUE@am__append_6 = -lcap +@USE_THREADS_TRUE@am__append_7 = -DTHREADS subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -116,12 +113,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -226,7 +226,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \ -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ $(am__append_1) $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_5) $(am__append_6) \ - $(am__append_8) + $(am__append_4) $(am__append_5) $(am__append_7) pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \ - $(am__append_7) + $(am__append_6) _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c index a85a18905..c25418fc1 100644 --- a/src/pluto/alg_info.c +++ b/src/pluto/alg_info.c @@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id, ) } +/** + * Returns true if the given alg is an authenticated encryption algorithm + */ +static bool is_authenticated_encryption(int ealg_id) +{ + switch (ealg_id) + { + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + return TRUE; + } + return FALSE; +} + /* * Add ESP alg info _with_ logic (policy): */ @@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } if (ealg_id > 0) { - if (aalg_id > 0) + if (is_authenticated_encryption(ealg_id)) + { + __alg_info_esp_add((struct alg_info_esp *)alg_info, + ealg_id, ek_bits, + AUTH_ALGORITHM_NONE, 0); + } + else if (aalg_id > 0) { __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, @@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } else { - /* Policy: default to MD5 and SHA1 */ + /* Policy: default to SHA-1 and MD5 */ __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_MD5, ak_bits); + AUTH_ALGORITHM_HMAC_SHA1, ak_bits); __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_SHA1, ak_bits); + AUTH_ALGORITHM_HMAC_MD5, ak_bits); } } } diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 4deb722f7..b800b1665 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -1,5 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/constants.c b/src/pluto/constants.c index adcd77131..e46728d84 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -663,6 +663,7 @@ enum_names enc_mode_names = /* Auth Algorithm attribute */ static const char *const auth_alg_name[] = { + "AUTH_NONE", "HMAC_MD5", "HMAC_SHA1", "DES_MAC", @@ -683,7 +684,7 @@ enum_names extended_auth_alg_names = { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL }; enum_names auth_alg_names = - { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name + { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name , &extended_auth_alg_names }; /* From draft-beaulieu-ike-xauth */ diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index 1adccc74e..f47ad1eeb 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = { ke_size: 2*224 / BITS_PER_BYTE }; -void init_crypto(void) +bool init_crypto(void) { enumerator_t *enumerator; encryption_algorithm_t encryption_alg; @@ -275,13 +275,13 @@ void init_crypto(void) } enumerator->destroy(enumerator); - if (no_sha1) + if (no_sha1 || no_md5) { - exit_log("pluto cannot run without a SHA-1 hasher"); - } - if (no_md5) - { - exit_log("pluto cannot run without an MD5 hasher"); + plog("pluto cannot run without a %s%s%s hasher", + (no_sha1) ? "SHA-1" : "", + (no_sha1 && no_md5) ? " and " : "", + (no_md5) ? "MD5" : ""); + return FALSE; } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); @@ -363,6 +363,7 @@ void init_crypto(void) ike_alg_add((struct ike_alg *)desc); } enumerator->destroy(enumerator); + return TRUE; } void free_crypto(void) diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h index 06c4e1d1a..019ba5764 100644 --- a/src/pluto/crypto.h +++ b/src/pluto/crypto.h @@ -20,7 +20,7 @@ #include "ike_alg.h" -extern void init_crypto(void); +extern bool init_crypto(void); extern void free_crypto(void); extern const struct dh_desc unset_group; /* magic signifier */ diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 929768ee9..57f4fb54b 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid, */ switch (protoid) { - case PROTO_IPSEC_ESP: + case PROTO_IPSEC_ESP: + { + needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid); + + if (needed_len && pi->attrs.key_len) + { + needed_len = pi->attrs.key_len / BITS_PER_BYTE; + } + switch (pi->attrs.transid) { - case ESP_NULL: - needed_len = 0; - break; - case ESP_DES: - needed_len = DES_CBC_BLOCK_SIZE; - break; - case ESP_3DES: - needed_len = DES_CBC_BLOCK_SIZE * 3; - break; - default: -#ifndef NO_KERNEL_ALG - if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) { - /* XXX: check key_len "coupling with kernel.c's */ - if (pi->attrs.key_len) { - needed_len=pi->attrs.key_len/8; - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "key_len=%d from peer", - (int)needed_len)); - } - break; - } -#endif - bad_case(pi->attrs.transid); + case ESP_NULL: + needed_len = 0; + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + needed_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + needed_len += 4; + break; + default: + if (needed_len == 0) + { + bad_case(pi->attrs.transid); + } } -#ifndef NO_KERNEL_ALG - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP enc)=%d", - (int)needed_len)); - if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) { + if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) + { needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth); - } else -#endif - switch (pi->attrs.auth) + } + else { - case AUTH_ALGORITHM_NONE: - break; - case AUTH_ALGORITHM_HMAC_MD5: - needed_len += HMAC_MD5_KEY_LEN; - break; - case AUTH_ALGORITHM_HMAC_SHA1: - needed_len += HMAC_SHA1_KEY_LEN; - break; - case AUTH_ALGORITHM_DES_MAC: - default: - bad_case(pi->attrs.auth); + switch (pi->attrs.auth) + { + case AUTH_ALGORITHM_NONE: + break; + case AUTH_ALGORITHM_HMAC_MD5: + needed_len += HMAC_MD5_KEY_LEN; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + needed_len += HMAC_SHA1_KEY_LEN; + break; + case AUTH_ALGORITHM_DES_MAC: + default: + bad_case(pi->attrs.auth); + } } - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP auth)=%d", - (int)needed_len)); break; - - case PROTO_IPSEC_AH: + } + case PROTO_IPSEC_AH: + { switch (pi->attrs.transid) { - case AH_MD5: - needed_len = HMAC_MD5_KEY_LEN; - break; - case AH_SHA: - needed_len = HMAC_SHA1_KEY_LEN; - break; - default: - bad_case(pi->attrs.transid); + case AH_MD5: + needed_len = HMAC_MD5_KEY_LEN; + break; + case AH_SHA: + needed_len = HMAC_SHA1_KEY_LEN; + break; + default: + bad_case(pi->attrs.transid); } break; - - default: - bad_case(protoid); + } + default: + bad_case(protoid); } pi->keymat_len = needed_len; @@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno) { loglog(RC_LOG_SERIOUS - , "DPD: R_U_THERE_ACK has unexpected sequence number"); + , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)" + , seqno, st->st_dpd_expectseqno); return STF_FAIL + PAYLOAD_MALFORMED; } diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index f698de2c8..46edac1cd 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1,6 +1,7 @@ /* routines that interface with the kernel's IPsec mechanism * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (st->nat_traversal & NAT_T_DETECTED) { natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? - ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; + ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; natt_oa = st->nat_oa; @@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (ei == &esp_info[countof(esp_info)]) { /* Check for additional kernel alg */ -#ifndef NO_KERNEL_ALG if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, - st->st_esp.attrs.auth))!=NULL) { - break; + st->st_esp.attrs.auth))!=NULL) + { + break; } -#endif /* note: enum_show may use a static buffer, so two * calls in one printf would be a mistake. @@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) goto fail; } - if (st->st_esp.attrs.transid == ei->transid - && st->st_esp.attrs.auth == ei->auth) + if (st->st_esp.attrs.transid == ei->transid && + st->st_esp.attrs.auth == ei->auth) + { break; + } } key_len = st->st_esp.attrs.key_len/8; @@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) { key_len = ei->enckeylen; } - /* Grrrrr.... f*cking 7 bits jurassic algos */ - - /* 168 bits in kernel, need 192 bits for keymat_len */ - if (ei->transid == ESP_3DES && key_len == 21) - key_len = 24; - /* 56 bits in kernel, need 64 bits for keymat_len */ - if (ei->transid == ESP_DES && key_len == 7) - key_len = 8; + switch (ei->transid) + { + case ESP_3DES: + /* 168 bits in kernel, need 192 bits for keymat_len */ + if (key_len == 21) + { + key_len = 24; + } + break; + case ESP_DES: + /* 56 bits in kernel, need 64 bits for keymat_len */ + if (key_len == 7) + { + key_len = 8; + } + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + key_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + key_len += 4; + break; + default: + break; + } /* divide up keying material */ - /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */ - DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, - if(st->st_esp.keymat_len != key_len + ei->authkeylen) - DBG_log("keymat_len=%d key_len=%d authkeylen=%d", - st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); - ) - passert(st->st_esp.keymat_len == key_len + ei->authkeylen); - set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = esp_spi; said_next->satype = SADB_SATYPE_ESP; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? + REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = ei->authalg; said_next->authkeylen = ei->authkeylen; - /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */ said_next->authkey = esp_dst_keymat + key_len; said_next->encalg = ei->encryptalg; - /* said_next->enckeylen = ei->enckeylen; */ said_next->enckeylen = key_len; said_next->enckey = esp_dst_keymat; said_next->encapsulation = encapsulation; @@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) switch (st->st_ah.attrs.auth) { - case AUTH_ALGORITHM_HMAC_MD5: - authalg = SADB_AALG_MD5HMAC; - break; - - case AUTH_ALGORITHM_HMAC_SHA1: - authalg = SADB_AALG_SHA1HMAC; - break; - - default: - loglog(RC_LOG_SERIOUS, "%s not implemented yet" - , enum_show(&auth_alg_names, st->st_ah.attrs.auth)); + case AUTH_ALGORITHM_HMAC_MD5: + authalg = SADB_AALG_MD5HMAC; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + authalg = SADB_AALG_SHA1HMAC; + break; + default: + loglog(RC_LOG_SERIOUS, "%s not implemented yet", + enum_show(&auth_alg_names, st->st_ah.attrs.auth)); goto fail; } set_text_said(text_said, &dst.addr, ah_spi, SA_AH); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = ah_spi; said_next->satype = SADB_SATYPE_AH; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? + REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = authalg; said_next->authkeylen = st->st_ah.keymat_len; said_next->authkey = ah_dst_keymat; @@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) s[1].text_said = text_said1; if (!kernel_ops->grp_sa(s + 1, s)) + { goto fail; + } } /* could update said, but it will not be used */ } @@ -2104,8 +2118,10 @@ fail: { /* undo the done SPIs */ while (said_next-- != said) - (void) del_spi(said_next->spi, said_next->proto - , &src.addr, said_next->dst); + { + (void) del_spi(said_next->spi, said_next->proto, &src.addr, + said_next->dst); + } return FALSE; } } @@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) *use_time = UNDEFINED_TIME; if (kernel_ops->get_sa == NULL || !st->st_esp.present) + { return FALSE; - + } memset(&sa, 0, sizeof(sa)); sa.proto = SA_ESP; @@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) DBG_log("get %s", text_said) ) if (!kernel_ops->get_sa(&sa, bytes)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" current: %d bytes", *bytes) ) @@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) sa.dst_client = &c->spd.that.client; } if (!kernel_ops->get_policy(&sa, inbound, use_time)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" use_time: %T", use_time, FALSE) ) @@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st) struct connection *o = route_owner(c, &esr, NULL, NULL); if (o == NULL) + { break; /* nobody has a route */ + } /* note: we ignore the client addresses at this end */ - if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) - && o->interface == c->interface) + if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) && + o->interface == c->interface) + { break; /* existing route is compatible */ + } if (o->kind == CK_TEMPLATE && streq(o->name, c->name)) + { break; /* ??? is this good enough?? */ + } loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route" , o->name, ip_str(&o->spd.that.host_addr)); @@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st) /* check that we will be able to route and eroute */ switch (could_route(c)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } #ifdef KLIPS @@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, /* if no state provided, then install a shunt for later */ if (st == NULL) + { eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE , ERO_ADD, "add"); + } else + { eroute_installed = sag_eroute(st, sr, ERO_ADD, "add"); + } } /* notify the firewall of a new tunnel */ @@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */ route_installed = do_command(c, sr, "route"); } - else if (routed(sr->routing) - || routes_agree(ro, c)) + else if (routed(sr->routing) || routes_agree(ro, c)) { route_installed = TRUE; /* nothing to be done */ } @@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, { /* there was no previous eroute: delete whatever we installed */ if (st == NULL) - (void) shunt_eroute(c, sr - , sr->routing, ERO_DELETE, "delete"); + { + (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete"); + } else - (void) sag_eroute(st, sr - , ERO_DELETE, "delete"); + { + (void) sag_eroute(st, sr, ERO_DELETE, "delete"); + } } } @@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } /* (attempt to) actually set up the SA group */ - if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) - || !setup_half_ipsec_sa(st, FALSE)) + if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) || + !setup_half_ipsec_sa(st, FALSE)) + { return FALSE; + } for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next) { @@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } @@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE; (void) do_command(c, sr, "down"); - if ((c->policy & POLICY_DONT_REKEY) - && c->kind == CK_INSTANCE) + if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE) { /* in this special case, even if the connection * is still alive (due to an ISAKMP SA), @@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time) /* Can't open the file, perhaps were are on 26sec? */ time_t use_time; - if (get_sa_info(st, TRUE, &bytes, &use_time) - && use_time != UNDEFINED_TIME) + if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME) { *idle_time = time(NULL) - use_time; ret = *idle_time >= idle_max; diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 1590bdf02..7e7d25872 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) sadb.msg++; - while(msglen) + while (msglen) { int supp_exttype = sadb.supported->sadb_supported_exttype; int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN; @@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) supp_len; supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++) { - int ret = kernel_alg_add(satype, supp_exttype, sadb.alg); + kernel_alg_add(satype, supp_exttype, sadb.alg); DBG(DBG_KLIPS, DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: " "alg[%d], exttype=%d, satype=%d, alg_id=%d, " "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " - "res=%d, ret=%d" - , satype==SADB_SATYPE_ESP? "ESP" : "AH" + "res=%d" + , satype == SADB_SATYPE_ESP? "ESP" : "AH" , i , supp_exttype , satype @@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) , sadb.alg->sadb_alg_ivlen , sadb.alg->sadb_alg_minbits , sadb.alg->sadb_alg_maxbits - , sadb.alg->sadb_alg_reserved - , ret) + , sadb.alg->sadb_alg_reserved) ) + /* if AES_CBC is registered then also register AES_CCM and AES_GCM */ + if (satype == SADB_SATYPE_ESP && + sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC) + { + struct sadb_alg alg = *sadb.alg; + int alg_id; + + for (alg_id = SADB_X_EALG_AES_CCM_ICV8; + alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++) + { + if (alg_id != ESP_UNASSIGNED_17) + { + alg.sadb_alg_id = alg_id; + kernel_alg_add(satype, supp_exttype, &alg); + } + } + } } } } @@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) u_int keylen = 0; if (!ESP_EALG_PRESENT(alg_id)) + { goto none; - + } keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE; switch (alg_id) @@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) none: DBG(DBG_KLIPS, - DBG_log("kernel_alg_esp_enc_keylen():" - "alg_id=%d, keylen=%d", + DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d", alg_id, keylen) ) return keylen; @@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance) } bool kernel_alg_esp_auth_ok(u_int auth, - struct alg_info_esp *alg_info __attribute__((unused))) + struct alg_info_esp *alg_info __attribute__((unused))) { return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth)); } @@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, return FALSE; } - if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */ + if (!(policy & POLICY_AUTHENTICATE) && /* skip ESP auth attrs for AH */ + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) { aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id); if (!ESP_AALG_PRESENT(aalg_id)) { - DBG_log("kernel_alg_db_add() kernel auth " - "aalg_id=%d not present", aalg_id); + DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present", + aalg_id); return FALSE; } } @@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, /* open new transformation */ db_trans_add(db_ctx, ealg_id); - /* add ESP auth attr */ - if (!(policy & POLICY_AUTHENTICATE)) + /* add ESP auth attr if not AH or AEAD */ + if (!(policy & POLICY_AUTHENTICATE) && + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) + { db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id); + } - /* add keylegth if specified in esp= string */ + /* add keylength if specified in esp= string */ if (esp_info->esp_ealg_keylen) + { db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen); + } return TRUE; } diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c index b4b4774c7..0376e817b 100644 --- a/src/pluto/kernel_netlink.c +++ b/src/pluto/kernel_netlink.c @@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD; #define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */ static sparse_names xfrm_type_names = { - NE(NLMSG_NOOP), - NE(NLMSG_ERROR), - NE(NLMSG_DONE), - NE(NLMSG_OVERRUN), + NE(NLMSG_NOOP), + NE(NLMSG_ERROR), + NE(NLMSG_DONE), + NE(NLMSG_OVERRUN), - NE(XFRM_MSG_NEWSA), - NE(XFRM_MSG_DELSA), - NE(XFRM_MSG_GETSA), + NE(XFRM_MSG_NEWSA), + NE(XFRM_MSG_DELSA), + NE(XFRM_MSG_GETSA), - NE(XFRM_MSG_NEWPOLICY), - NE(XFRM_MSG_DELPOLICY), - NE(XFRM_MSG_GETPOLICY), + NE(XFRM_MSG_NEWPOLICY), + NE(XFRM_MSG_DELPOLICY), + NE(XFRM_MSG_GETPOLICY), - NE(XFRM_MSG_ALLOCSPI), - NE(XFRM_MSG_ACQUIRE), - NE(XFRM_MSG_EXPIRE), + NE(XFRM_MSG_ALLOCSPI), + NE(XFRM_MSG_ACQUIRE), + NE(XFRM_MSG_EXPIRE), - NE(XFRM_MSG_UPDPOLICY), - NE(XFRM_MSG_UPDSA), + NE(XFRM_MSG_UPDPOLICY), + NE(XFRM_MSG_UPDSA), - NE(XFRM_MSG_POLEXPIRE), + NE(XFRM_MSG_POLEXPIRE), - NE(XFRM_MSG_MAX), + NE(XFRM_MSG_MAX), - { 0, sparse_end } + { 0, sparse_end } }; #undef NE /* Authentication algorithms */ static sparse_names aalg_list = { - { SADB_X_AALG_NULL, "digest_null" }, - { SADB_AALG_MD5HMAC, "md5" }, - { SADB_AALG_SHA1HMAC, "sha1" }, - { SADB_X_AALG_SHA2_256HMAC, "sha256" }, - { SADB_X_AALG_SHA2_384HMAC, "sha384" }, - { SADB_X_AALG_SHA2_512HMAC, "sha512" }, - { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, - { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, - { SADB_X_AALG_NULL, "null" }, - { 0, sparse_end } + { SADB_X_AALG_NULL, "digest_null" }, + { SADB_AALG_MD5HMAC, "md5" }, + { SADB_AALG_SHA1HMAC, "sha1" }, + { SADB_X_AALG_SHA2_256HMAC, "sha256" }, + { SADB_X_AALG_SHA2_384HMAC, "sha384" }, + { SADB_X_AALG_SHA2_512HMAC, "sha512" }, + { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, + { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, + { SADB_X_AALG_NULL, "null" }, + { 0, sparse_end } }; /* Encryption algorithms */ static sparse_names ealg_list = { - { SADB_EALG_NULL, "cipher_null" }, - { SADB_EALG_DESCBC, "des" }, - { SADB_EALG_3DESCBC, "des3_ede" }, - { SADB_X_EALG_CASTCBC, "cast128" }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, - { SADB_X_EALG_AESCBC, "aes" }, - { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, - { SADB_X_EALG_SERPENTCBC, "serpent" }, - { SADB_X_EALG_TWOFISHCBC, "twofish" }, - { 0, sparse_end } + { SADB_EALG_NULL, "cipher_null" }, + { SADB_EALG_DESCBC, "des" }, + { SADB_EALG_3DESCBC, "des3_ede" }, + { SADB_X_EALG_CASTCBC, "cast128" }, + { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, + { SADB_X_EALG_AESCBC, "aes" }, + { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" }, + { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, + { SADB_X_EALG_SERPENTCBC, "serpent" }, + { SADB_X_EALG_TWOFISHCBC, "twofish" }, + { 0, sparse_end } }; /* Compression algorithms */ static sparse_names calg_list = { - { SADB_X_CALG_DEFLATE, "deflate" }, - { SADB_X_CALG_LZS, "lzs" }, - { SADB_X_CALG_LZJH, "lzjh" }, - { 0, sparse_end } + { SADB_X_CALG_DEFLATE, "deflate" }, + { SADB_X_CALG_LZS, "lzs" }, + { SADB_X_CALG_LZJH, "lzjh" }, + { 0, sparse_end } }; /** ip2xfrm - Take an IP address and convert to an xfrm. @@ -119,8 +126,7 @@ static sparse_names calg_list = { * @param addr ip_address * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here. */ -static void -ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) +static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) { if (addr->u.v4.sin_family == AF_INET) { @@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) /** init_netlink - Initialize the netlink inferface. Opens the sockets and * then binds to the broadcast socket. */ -static void -init_netlink(void) +static void init_netlink(void) { struct sockaddr_nl addr; netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlinkfd < 0) + { exit_log_errno((e, "socket() in init_netlink()")); - + } if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()")); - + } netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlink_bcast_fd < 0) + { exit_log_errno((e, "socket() for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0) + { exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()")); - + } addr.nl_family = AF_NETLINK; addr.nl_pid = getpid(); addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE; if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) + { exit_log_errno((e, "Failed to bind bcast socket in init_netlink()")); + } } /** send_netlink_msg @@ -176,9 +188,9 @@ init_netlink(void) * @param text_said - String * @return bool True if the message was succesfully sent. */ -static bool -send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len -, const char *description, const char *text_said) +static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, + size_t rbuf_len, const char *description, + const char *text_said) { struct { struct nlmsghdr n; @@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len len = hdr->nlmsg_len; do { r = write(netlinkfd, hdr, len); - } while (r < 0 && errno == EINTR); + } + while (r < 0 && errno == EINTR); + if (r < 0) { log_errno((e @@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len return FALSE; } - for (;;) { + for (;;) + { socklen_t alen; alen = sizeof(addr); @@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len * @param text_said - String * @return boolean */ -static bool -netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) +static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, + const char *text_said) { struct { struct nlmsghdr n; @@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) * @param ip int * @return boolean True if successful */ -static bool -netlink_raw_eroute(const ip_address *this_host - , const ip_subnet *this_client - , const ip_address *that_host - , const ip_subnet *that_client - , ipsec_spi_t spi - , unsigned int satype - , unsigned int transport_proto - , const struct pfkey_proto_info *proto_info - , time_t use_lifetime UNUSED - , unsigned int op - , const char *text_said) +static bool netlink_raw_eroute(const ip_address *this_host + , const ip_subnet *this_client + , const ip_address *that_host + , const ip_subnet *that_client + , ipsec_spi_t spi + , unsigned int satype + , unsigned int transport_proto + , const struct pfkey_proto_info *proto_info + , time_t use_lifetime UNUSED + , unsigned int op + , const char *text_said) { struct { struct nlmsghdr n; @@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host * @param replace boolean - true if this replaces an existing SA * @return bool True if successfull */ -static bool -netlink_add_sa(const struct kernel_sa *sa, bool replace) +static bool netlink_add_sa(const struct kernel_sa *sa, bool replace) { struct { struct nlmsghdr n; @@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) char data[1024]; } req; struct rtattr *attr; + u_int16_t icv_size = 64; memset(&req, 0, sizeof(req)); req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(aalg_list, sa->authalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u" , sa->authalg); return FALSE; } + DBG(DBG_CRYPT, + DBG_log("configured authentication algorithm %s with key size %d", + enum_show(&auth_alg_names, sa->authalg), + sa->authkeylen * BITS_PER_BYTE) + ) strcpy(algo.alg_name, name); algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE; @@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) attr = (struct rtattr *)((char *)attr + attr->rta_len); } - if (sa->encalg) + switch (sa->encalg) { - struct xfrm_algo algo; - const char *name; + case SADB_EALG_NONE: + /* no encryption */ + break; + case SADB_X_EALG_AES_CCM_ICV16: + case SADB_X_EALG_AES_GCM_ICV16: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV12: + case SADB_X_EALG_AES_GCM_ICV12: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV8: + case SADB_X_EALG_AES_GCM_ICV8: + { + struct xfrm_algo_aead *algo; + const char *name; - name = sparse_name(ealg_list, sa->encalg); - if (!name) { - loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u" - , sa->encalg); - return FALSE; + name = sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_AEAD; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo_aead*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + algo->alg_icv_len = icv_size; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + break; } + default: + { + struct xfrm_algo *algo; + const char *name; - strcpy(algo.alg_name, name); - algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE; - - attr->rta_type = XFRMA_ALG_CRYPT; - attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey - , sa->enckeylen); - - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); + name = sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_CRYPT; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + } } if (sa->compalg) @@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(calg_list, sa->compalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u" , sa->compalg); return FALSE; @@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) * @param sa Kernel SA to be deleted * @return bool True if successfull */ -static bool -netlink_del_sa(const struct kernel_sa *sa) +static bool netlink_del_sa(const struct kernel_sa *sa) { struct { struct nlmsghdr n; @@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa) return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said); } -static bool -netlink_error(const char *req_type, const struct nlmsghdr *n -, const struct nlmsgerr *e, int rsp_size) +static bool netlink_error(const char *req_type, const struct nlmsghdr *n, + const struct nlmsgerr *e, int rsp_size) { if (n->nlmsg_type == NLMSG_ERROR) { @@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n return FALSE; } -static bool -netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) +static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound, + time_t *use_time) { struct { struct nlmsghdr n; @@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *use_time = (time_t)rsp.u.info.curlft.use_time; if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL) @@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = XFRM_POLICY_FWD; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } use_time_fwd = (time_t)rsp.u.info.curlft.use_time; *use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd; } @@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) * @param sa Kernel SA to be queried * @return bool True if successfull */ -static bool -netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) +static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) { struct { struct nlmsghdr n; @@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said)) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *bytes = (u_int) rsp.u.info.curlft.bytes; - return TRUE; } -static void -linux_pfkey_register_response(const struct sadb_msg *msg) +static void linux_pfkey_register_response(const struct sadb_msg *msg) { switch (msg->sadb_msg_satype) { @@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg) /** linux_pfkey_register - Register via PFKEY our capabilities * */ -static void -linux_pfkey_register(void) +static void linux_pfkey_register(void) { pfkey_register_proto(SADB_SATYPE_AH, "AH"); pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); @@ -898,8 +967,8 @@ linux_pfkey_register(void) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) +static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, + ip_address *dst) { switch (family) { @@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_sel_to_ip_pair(const struct xfrm_selector *sel - , ip_address *src - , ip_address *dst) +static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel, + ip_address *src, ip_address *dst) { int family; err_t ugh; @@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src)) || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst))) + { return ugh; + } /* family has been verified in xfrm_to_ip_address. */ if (family == AF_INET) @@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel return NULL; } -static void -netlink_acquire(struct nlmsghdr *n) +static void netlink_acquire(struct nlmsghdr *n) { struct xfrm_user_acquire *acquire; ip_address src, dst; @@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n) if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst)) && !(ugh = addrtosubnet(&src, &ours)) && !(ugh = addrtosubnet(&dst, &his))) + { record_and_initiate_opportunistic(&ours, &his, transport_proto , "%acquire-netlink"); - + } if (ugh != NULL) + { plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh); + } } -static void -netlink_shunt_expire(struct xfrm_userpolicy_info *pol) +static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol) { ip_address src, dst; unsigned transport_proto; @@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol) , "delete expired bare shunt"); } -static void -netlink_policy_expire(struct nlmsghdr *n) +static void netlink_policy_expire(struct nlmsghdr *n) { struct xfrm_user_polexpire *upe; struct { @@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n) rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol))) + { return; - + } if (req.id.index != rsp.u.pol.index) { DBG(DBG_KLIPS, @@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n) } } -static bool -netlink_get(void) +static bool netlink_get(void) { struct { struct nlmsghdr n; @@ -1137,22 +1207,15 @@ netlink_get(void) return TRUE; } -static void -netlink_process_msg(void) +static void netlink_process_msg(void) { - while (netlink_get()) - ; + while (netlink_get()); } -static ipsec_spi_t -netlink_get_spi(const ip_address *src -, const ip_address *dst -, int proto -, bool tunnel_mode -, unsigned reqid -, ipsec_spi_t min -, ipsec_spi_t max -, const char *text_said) +static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst, + int proto, bool tunnel_mode, unsigned reqid, + ipsec_spi_t min, ipsec_spi_t max, + const char *text_said) { struct { struct nlmsghdr n; @@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said)) + { return 0; - + } if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa))) + { return 0; - + } DBG(DBG_KLIPS, DBG_log("netlink_get_spi: allocated 0x%x for %s" , ntohl(rsp.u.sa.id.spi), text_said)); diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 6dfbd6732..516872e8e 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -1,5 +1,6 @@ /* mechanisms for preshared keys (public, private, and preshared secrets) * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) } *key = load_private_key(filename, &pass, type); - return key ? NULL : "Private key file -- could not be loaded"; + return *key ? NULL : "Private key file -- could not be loaded"; } /** diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 80164fa1d..8e428a759 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -1,6 +1,6 @@ /* Support of the Online Certificate Status Protocol (OCSP) * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen - * Zuercher Hochschule Winterthur + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/pem.c b/src/pluto/pem.c index 646447c1a..1a4a99af7 100644 --- a/src/pluto/pem.c +++ b/src/pluto/pem.c @@ -1,5 +1,6 @@ /* Loading of PEM encoded files with optional encryption * Copyright (C) 2001-2009 Andreas Steffen + * * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c index 7fb8232d5..1d5b14b26 100644 --- a/src/pluto/pgpcert.c +++ b/src/pluto/pgpcert.c @@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob) } /** - * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440 + * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880 */ static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert) { @@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert) */ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { - pgp_pubkey_alg_t pubkey_alg; - public_key_t *key; + chunk_t pubkey_packet = *packet; + pgp_pubkey_alg_t pubkey_alg; if (!parse_pgp_pubkey_version_validity(packet, cert)) { @@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { case PGP_PUBKEY_ALG_RSA: case PGP_PUBKEY_ALG_RSA_SIGN_ONLY: - key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, - BUILD_BLOB_PGP, *packet, - BUILD_END); - if (key == NULL) + cert->public_key = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_RSA, + BUILD_BLOB_PGP, *packet, + BUILD_END); + if (cert->public_key == NULL) { return FALSE; } - cert->public_key = key; - - if (cert->version == 3) - { - cert->fingerprint = key->get_id(key, ID_KEY_ID); - if (cert->fingerprint == NULL) - { - return FALSE; - } - } - else - { - plog(" computation of V4 key ID not implemented yet"); - return FALSE; - } break; default: plog(" non RSA public keys not supported"); return FALSE; } + + /* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */ + if (cert->version == 4) + { + char pubkey_packet_header_buf[] = { + 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256 + }; + chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf); + chunk_t hash; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + plog("no SHA-1 hasher available"); + return FALSE; + } + hasher->allocate_hash(hasher, pubkey_packet_header, NULL); + hasher->allocate_hash(hasher, pubkey_packet, &hash); + hasher->destroy(hasher); + cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash); + free(hash.ptr); + } + else + { + /* V3 fingerprint is computed by public_key_t class */ + cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID); + if (cert->fingerprint == NULL) + { + return FALSE; + } + } return TRUE; } diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 39367cafa..5d0e008f3 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -43,11 +43,6 @@ #include <utils/enumerator.h> #include <utils/optionsfrom.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips/fips_signature.h> -#endif /* INTEGRITY_TEST */ - #include <pfkeyv2.h> #include <pfkey.h> @@ -265,7 +260,18 @@ int main(int argc, char **argv) #endif /* CAPABILITIES */ /* initialize library and optionsfrom */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pluto", argv[0])) + { + fprintf(stderr, "integrity check of pluto failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } options = options_create(); /* handle arguments */ @@ -637,31 +643,28 @@ int main(int argc, char **argv) plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s", compile_time_interop_options); + if (lib->integrity) + { + plog("integrity tests enabled:"); + plog("lib 'libstrongswan': passed file and segment integrity tests"); + plog("daemon 'pluto': passed file integrity test"); + } + /* load plugins, further infrastructure may need it */ lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)); print_plugins(); -#ifdef INTEGRITY_TEST - DBG1("integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(" integrity test passed"); - } - else + if (!init_secret() || !init_crypto()) { - DBG1(" integrity test failed"); - abort(); + plog("initialization failed - aborting pluto"); + exit_pluto(SS_RC_INITIALIZATION_FAILED); } -#endif /* INTEGRITY_TEST */ - init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); init_virtual_ip(virtual_private); scx_init(pkcs11_module_path, pkcs11_init_args); xauth_init(); - init_secret(); init_states(); - init_crypto(); init_demux(); init_kernel(); init_adns(); diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index b8f4a3c23..a86c9f215 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -473,14 +473,13 @@ out_sa(pb_stream *outs if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs)) return_on(ret, FALSE); - /* Within tranform: Attributes. */ + /* Within transform: Attributes. */ /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is * automatically generated because it must be the same * in every transform. Except IPCOMP. */ - if (p->protoid != PROTO_IPCOMP - && st->st_pfs_group != NULL) + if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL) { passert(!oakley_mode); passert(st->st_pfs_group != &unset_group); @@ -582,8 +581,7 @@ return_out: * The code is can only handle values that can fit in unsigned long. * "Clamping" is probably an acceptable way to impose this limitation. */ -static u_int32_t -decode_long_duration(pb_stream *pbs) +static u_int32_t decode_long_duration(pb_stream *pbs) { u_int32_t val = 0; @@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa /* Situation */ if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL)) + { return SITUATION_NOT_SUPPORTED; - + } if (*ipsecdoisit != SIT_IDENTITY_ONLY) { loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)" @@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa * There may well be multiple transforms. */ if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs)) + { return PAYLOAD_MALFORMED; - + } if (proposal->isap_np != ISAKMP_NEXT_NONE) { loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal" @@ -711,35 +711,31 @@ static struct { u_int8_t *roof; } backup; -/* - * backup the pointer into a pb_stream +/** + * Backup the pointer into a pb_stream */ -void -backup_pbs(pb_stream *pbs) +void backup_pbs(pb_stream *pbs) { backup.start = pbs->start; backup.cur = pbs->cur; backup.roof = pbs->roof; } -/* - * restore the pointer into a pb_stream +/** + * Restore the pointer into a pb_stream */ -void -restore_pbs(pb_stream *pbs) +void restore_pbs(pb_stream *pbs) { pbs->start = backup.start; pbs->cur = backup.cur; pbs->roof = backup.roof; } -/* +/** * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies */ -notification_t -parse_isakmp_policy(pb_stream *proposal_pbs - , u_int notrans - , lset_t *policy) +notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, + lset_t *policy) { int last_transnum = -1; @@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs struct isakmp_transform trans; if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } if (trans.isat_transnum <= last_transnum) { /* picky, picky, picky */ @@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs pb_stream attr_pbs; if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32); switch (a.isaat_af_type) @@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs return NOTHING_WRONG; } -/* - * check that we can find a preshared secret +/** + * Check that we can find a preshared secret */ -static err_t -find_preshared_key(struct state* st) +static err_t find_preshared_key(struct state* st) { err_t ugh = NULL; struct connection *c = st->st_connection; @@ -842,9 +839,13 @@ find_preshared_key(struct state* st) idtoa(&c->spd.this.id, my_id, sizeof(my_id)); if (his_id_was_instantiated(c)) + { strcpy(his_id, "%any"); + } else + { idtoa(&c->spd.that.id, his_id, sizeof(his_id)); + } ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'" , my_id, his_id); } @@ -860,13 +861,12 @@ find_preshared_key(struct state* st) * * This routine is used by main_inI1_outR1() and main_inR1_outI2(). */ -notification_t -parse_isakmp_sa_body(u_int32_t ipsecdoisit - , pb_stream *proposal_pbs - , struct isakmp_proposal *proposal - , pb_stream *r_sa_pbs - , struct state *st - , bool initiator) +notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, + pb_stream *proposal_pbs, + struct isakmp_proposal *proposal, + pb_stream *r_sa_pbs, + struct state *st, + bool initiator) { struct connection *c = st->st_connection; unsigned no_trans_left; @@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = { 0, /* key_rounds */ }; -static bool -parse_ipsec_transform(struct isakmp_transform *trans -, struct ipsec_trans_attrs *attrs -, pb_stream *prop_pbs -, pb_stream *trans_pbs -, struct_desc *trans_desc -, int previous_transnum /* or -1 if none */ -, bool selection -, bool is_last -, bool is_ipcomp -, struct state *st) /* current state object */ +static bool parse_ipsec_transform(struct isakmp_transform *trans, + struct ipsec_trans_attrs *attrs, + pb_stream *prop_pbs, + pb_stream *trans_pbs, + struct_desc *trans_desc, + int previous_transnum, /* or -1 if none */ + bool selection, bool is_last, bool is_ipcomp, + struct state *st) /* current state object */ { lset_t seen_attrs = 0; lset_t seen_durations = 0; @@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans const struct dh_desc *pfs_group = NULL; if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs)) + { return FALSE; - + } if (trans->isat_transnum <= previous_transnum) { loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing"); diff --git a/src/pluto/state.c b/src/pluto/state.c index 6ce0d50e5..5bef36c5c 100644 --- a/src/pluto/state.c +++ b/src/pluto/state.c @@ -1,6 +1,7 @@ /* routines for state objects * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/timer.c b/src/pluto/timer.c index ecbee740f..89082f88e 100644 --- a/src/pluto/timer.c +++ b/src/pluto/timer.c @@ -1,6 +1,7 @@ /* timer event handling * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st) * Generate the secret value for responder cookies, and * schedule an event for refresh. */ -void init_secret(void) +bool init_secret(void) { rng_t *rng; rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + + if (rng == NULL) + { + plog("secret initialization failed, no RNG supported"); + return FALSE; + } rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day); rng->destroy(rng); event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL); + return true; } /** diff --git a/src/pluto/timer.h b/src/pluto/timer.h index 322aeba6a..c8e9b727c 100644 --- a/src/pluto/timer.h +++ b/src/pluto/timer.h @@ -31,4 +31,4 @@ extern void delete_event(struct state *st); extern void delete_dpd_event(struct state *st); extern void daily_log_event(void); extern void free_events(void); -extern void init_secret(void); +extern bool init_secret(void); diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c index ff145eb38..a532e50f2 100644 --- a/src/pluto/vendor.c +++ b/src/pluto/vendor.c @@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.2") + DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.4") + DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3") + DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2") DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1") DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0") + DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17") + DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16") DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15") DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14") DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13") @@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = { DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1") DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0") + DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11") + DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10") DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9") DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8") DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7") diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h index 164c1aa6d..8aa2f6348 100644 --- a/src/pluto/vendor.h +++ b/src/pluto/vendor.h @@ -92,6 +92,8 @@ enum known_vendorid { VID_STRONGSWAN_2_8_7 = 73, VID_STRONGSWAN_2_8_8 = 74, VID_STRONGSWAN_2_8_9 = 75, + VID_STRONGSWAN_2_8_10 = 76, + VID_STRONGSWAN_2_8_11 = 77, VID_STRONGSWAN_4_0_0 = 80, VID_STRONGSWAN_4_0_1 = 81, @@ -130,8 +132,12 @@ enum known_vendorid { VID_STRONGSWAN_4_2_13 =113, VID_STRONGSWAN_4_2_14 =114, VID_STRONGSWAN_4_2_15 =115, - VID_STRONGSWAN_4_3_0 =116, - VID_STRONGSWAN_4_3_1 =117, + VID_STRONGSWAN_4_2_16 =116, + VID_STRONGSWAN_4_2_17 =117, + VID_STRONGSWAN_4_3_0 =118, + VID_STRONGSWAN_4_3_1 =119, + VID_STRONGSWAN_4_3_2 =120, + VID_STRONGSWAN_4_3_3 =121, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =151, diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 3919583ef..72cefb3b6 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c index b14e72ecb..87041f114 100644 --- a/src/scepclient/loglite.c +++ b/src/scepclient/loglite.c @@ -68,21 +68,23 @@ static void scepclient_dbg(int level, char *fmt, ...) if (level <= debug_level) { - va_start(args, fmt); - if (log_to_stderr) { if (level > 1) { fprintf(stderr, "| "); } + va_start(args, fmt); vfprintf(stderr, fmt, args); + va_end(args); fprintf(stderr, "\n"); } if (log_to_syslog) { /* write in memory buffer first */ + va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); /* do a syslog with every line */ while (current) @@ -96,7 +98,6 @@ static void scepclient_dbg(int level, char *fmt, ...) current = next; } } - va_end(args); } } diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index d9bf8e4cc..4b5234da2 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -149,16 +149,22 @@ Change symmetric algorithm to use for encryption of certificate Request. The default is \fB3des\-cbc\fP. .PP Supported values for \fIalgo\fP: -.IP "\fBdes\-cbc\fP" 12 -DES CBC encryption (key size = 56 bit). -.IP "\fB3des\-cbc\fP" 12 +.IP "\fBdes\fP" 12 +DES-CBC encryption (key size = 56 bit). +.IP "\fB3des\fP" 12 Triple DES-EDE-CBC encryption (key size = 168 bit). -.IP "\fBaes128\-cbc\fP" 12 +.IP "\fBaes128\fP" 12 AES-CBC encryption (key size = 128 bit). -.IP "\fBaes192\-cbc\fP" 12 +.IP "\fBaes192\fP" 12 AES-CBC encryption (key size = 192 bit). -.IP "\fBaes256\-cbc\fP" 12 +.IP "\fBaes256\fP" 12 AES-CBC encryption (key size = 256 bit). +.IP "\fBcamellia128\fP" 12 +Camellia-CBC encryption (key size = 128 bit). +.IP "\fBcamellia192\fP" 12 +Camelllia-CBC encryption (key size = 192 bit). +.IP "\fBcamellia256\fP" 12 +Camellia-CBC encryption (key size = 256 bit). .RE .PP .B \-o, \-\-out \fItype\fP[=\fIfilename\fP] diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 0e7ae3e40..6c0166d66 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -41,6 +41,8 @@ #include <asn1/oid.h> #include <utils/optionsfrom.h> #include <utils/enumerator.h> +#include <crypto/crypters/crypter.h> +#include <crypto/proposal/proposal_keywords.h> #include <credentials/keys/private_key.h> #include <credentials/keys/public_key.h> @@ -246,9 +248,8 @@ usage(const char *message) " --password (-p) <pw> challenge password\n" " - if pw is '%%prompt', password gets prompted for\n" " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n" - " <algo> = des-cbc | 3des-cbc (default) | \n" - " aes128-cbc | aes192-cbc | aes256-cbc | \n" - " camellia128-cbc | camellia192-cbc | camellia256-cbc\n" + " <algo> = des | 3des (default) | aes128| aes192 | \n" + " aes256 | camellia128 | camellia192 | camellia256\n" "\n" "Options for enrollment (cert):\n" " --url (-u) <url> url of the SCEP server\n" @@ -385,8 +386,21 @@ int main(int argc, char **argv) scep_response = chunk_empty; log_to_stderr = TRUE; - /* initialize library and optionsfrom */ - library_init(STRONGSWAN_CONF); + /* initialize library */ + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) + { + fprintf(stderr, "integrity check of scepclient failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } + + /* initialize optionsfrom */ options = options_create(); for (;;) @@ -698,43 +712,22 @@ int main(int argc, char **argv) continue; case 'a': /*--algorithm */ - if (strcaseeq("des-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_DES_CBC; - } - else if (strcaseeq("3des-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; - } - else if (strcaseeq("aes128-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES128_CBC; - } - else if (strcaseeq("aes192-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES192_CBC; - } - else if (strcaseeq("aes256-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES256_CBC; - } - else if (strcaseeq("camellia128-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC; - } - else if (strcaseeq("camellia192-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC; - } - else if (strcaseeq("camellia256-cbc", optarg)) + { + const proposal_token_t *token; + + token = proposal_get_token(optarg, strlen(optarg)); + if (token == NULL || token->type != ENCRYPTION_ALGORITHM) { - pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC; + usage("invalid algorithm specified"); } - else + pkcs7_symmetric_cipher = encryption_algorithm_to_oid( + token->algorithm, token->keysize); + if (pkcs7_symmetric_cipher == OID_UNKNOWN) { - usage("invalid encryption algorithm specified"); + usage("unsupported encryption algorithm specified"); } continue; + } #ifdef DEBUG case 'A': /* --debug-all */ base_debugging |= DBG_ALL; diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 439a7785a..3355b3afb 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -20,7 +20,7 @@ AM_CFLAGS = \ -DIPSEC_EAPDIR=\"${eapdir}\" \ -DDEBUG -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c @@ -52,14 +52,14 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 4e6bffdeb..a839c20b1 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -55,9 +55,11 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \ lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT) starter_OBJECTS = $(am_starter_OBJECTS) +am__DEPENDENCIES_1 = starter_DEPENDENCIES = defs.o \ $(top_builddir)/src/libfreeswan/libfreeswan.a \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -80,12 +82,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -150,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -190,7 +195,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -241,7 +248,7 @@ INCLUDES = \ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \ -DDEBUG $(am__append_1) $(am__append_2) -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c @@ -653,16 +660,16 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/starter/args.c b/src/starter/args.c index f9d1824d8..990d7588b 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -261,8 +261,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, iface), NULL } }; -static void -free_list(char **list) +static void free_list(char **list) { char **s; @@ -273,22 +272,25 @@ free_list(char **list) free(list); } -char ** -new_list(char *value) +char** new_list(char *value) { char *val, *b, *e, *end, **ret; int count; val = value ? clone_str(value) : NULL; if (!val) + { return NULL; + } end = val + strlen(val); for (b = val, count = 0; b < end;) { for (e = b; ((*e != ' ') && (*e != '\0')); e++); *e = '\0'; if (e != b) + { count++; + } b = e + 1; } if (count == 0) @@ -302,7 +304,9 @@ new_list(char *value) { for (e = b; (*e != '\0'); e++); if (e != b) + { ret[count++] = clone_str(b); + } b = e + 1; } ret[count] = NULL; @@ -314,9 +318,8 @@ new_list(char *value) /* * assigns an argument value to a struct field */ -bool -assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base - , bool *assigned) +bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, + bool *assigned) { char *p = base + token_info[token].offset; const char **list = token_info[token].list; @@ -435,8 +438,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* time in seconds? */ if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0')) + { break; - + } if (endptr[1] == '\0') { if (*endptr == 'm') /* time in minutes? */ @@ -475,8 +479,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* free any existing list */ if (*listp != NULL) + { free_list(*listp); - + } /* create a new list and assign values */ *listp = new_list(kw->value); @@ -514,8 +519,7 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* * frees all dynamically allocated arguments in a struct */ -void -free_args(kw_token_t first, kw_token_t last, char *base) +void free_args(kw_token_t first, kw_token_t last, char *base) { kw_token_t token; @@ -553,8 +557,7 @@ free_args(kw_token_t first, kw_token_t last, char *base) /* * clone all dynamically allocated arguments in a struct */ -void -clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) +void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) { kw_token_t token; @@ -570,22 +573,29 @@ clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) } } -static bool -cmp_list(char **list1, char **list2) +static bool cmp_list(char **list1, char **list2) { if ((list1 == NULL) && (list2 == NULL)) + { return TRUE; + } if ((list1 == NULL) || (list2 == NULL)) + { return FALSE; + } for ( ; *list1 && *list2; list1++, list2++) { if (strcmp(*list1,*list2) != 0) + { return FALSE; + } } if ((*list1 != NULL) || (*list2 != NULL)) + { return FALSE; + } return TRUE; } @@ -593,8 +603,7 @@ cmp_list(char **list1, char **list2) /* * compare all arguments in a struct */ -bool -cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) +bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) { kw_token_t token; @@ -606,12 +615,25 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) switch (token_info[token].type) { case ARG_ENUM: + if (token_info[token].list == LST_bool) + { + bool *b1 = (bool *)p1; + bool *b2 = (bool *)p2; + + if (*b1 != *b2) + { + return FALSE; + } + } + else { int *i1 = (int *)p1; int *i2 = (int *)p2; if (*i1 != *i2) + { return FALSE; + } } break; case ARG_UINT: @@ -620,7 +642,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) u_int *u2 = (u_int *)p2; if (*u1 != *u2) + { return FALSE; + } } break; case ARG_ULNG: @@ -630,7 +654,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) unsigned long *l2 = (unsigned long *)p2; if (*l1 != *l2) + { return FALSE; + } } break; case ARG_TIME: @@ -639,7 +665,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) time_t *t2 = (time_t *)p2; if (*t1 != *t2) + { return FALSE; + } } break; case ARG_STR: @@ -648,9 +676,13 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) char **cp2 = (char **)p2; if (*cp1 == NULL && *cp2 == NULL) + { break; + } if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0) + { return FALSE; + } } break; case ARG_LST: @@ -659,7 +691,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) char ***listp2 = (char ***)p2; if (!cmp_list(*listp1, *listp2)) + { return FALSE; + } } break; default: diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index 034eac317..3fff65be7 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -14,6 +14,10 @@ #include <sys/socket.h> #include <sys/ioctl.h> +#ifdef HAVE_SYS_SOCKIO_H +#include <sys/sockio.h> +#endif + #include <stdlib.h> #include <string.h> #include <unistd.h> diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c index 804467cea..1eb2a0332 100644 --- a/src/starter/invokecharon.c +++ b/src/starter/invokecharon.c @@ -36,18 +36,28 @@ static int _charon_pid = 0; static int _stop_requested; -pid_t -starter_charon_pid(void) +pid_t starter_charon_pid(void) { return _charon_pid; } -void -starter_charon_sigchild(pid_t pid) +void starter_charon_sigchild(pid_t pid, int status) { - if (pid == _charon_pid) + if (pid == _charon_pid) { - _charon_pid = 0; + _charon_pid = 0; + if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || + status == SS_RC_DAEMON_INTEGRITY) + { + plog("charon has quit: integrity test of %s failed", + (status == 64) ? "libstrongswan" : "charon"); + _stop_requested = 1; + } + else if (status == SS_RC_INITIALIZATION_FAILED) + { + plog("charon has quit: initialization failed"); + _stop_requested = 1; + } if (!_stop_requested) { plog("charon has died -- restart scheduled (%dsec)" @@ -58,8 +68,7 @@ starter_charon_sigchild(pid_t pid) } } -int -starter_stop_charon (void) +int starter_stop_charon (void) { int i; pid_t pid = _charon_pid; @@ -106,8 +115,7 @@ starter_stop_charon (void) } -int -starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) +int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) { struct stat stb; int pid, i; diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h index f0f470a8d..aaf913c9b 100644 --- a/src/starter/invokecharon.h +++ b/src/starter/invokecharon.h @@ -20,7 +20,7 @@ #define CHARON_RESTART_DELAY 5 -extern void starter_charon_sigchild (pid_t pid); +extern void starter_charon_sigchild (pid_t pid, int status); extern pid_t starter_charon_pid (void); extern int starter_stop_charon (void); extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb); diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index 28bd93c5d..08fb0657a 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -42,11 +42,23 @@ starter_pluto_pid(void) } void -starter_pluto_sigchild(pid_t pid) +starter_pluto_sigchild(pid_t pid, int status) { if (pid == _pluto_pid) { _pluto_pid = 0; + if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || + status == SS_RC_DAEMON_INTEGRITY) + { + plog("pluto has quit: integrity test of %s failed", + (status == 64) ? "libstrongswan" : "pluto"); + _stop_requested = 1; + } + else if (status == SS_RC_INITIALIZATION_FAILED) + { + plog("pluto has quit: initialization failed"); + _stop_requested = 1; + } if (!_stop_requested) { plog("pluto has died -- restart scheduled (%dsec)" diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h index b0c89b1f1..c87f50c2a 100644 --- a/src/starter/invokepluto.h +++ b/src/starter/invokepluto.h @@ -17,7 +17,7 @@ #define PLUTO_RESTART_DELAY 5 -extern void starter_pluto_sigchild (pid_t pid); +extern void starter_pluto_sigchild (pid_t pid, int status); extern pid_t starter_pluto_pid (void); extern int starter_stop_pluto (void); extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb); diff --git a/src/starter/keywords.h b/src/starter/keywords.h index ae9a6d15f..3a115d15d 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -122,11 +122,16 @@ typedef enum { KW_HOSTACCESS, KW_ALLOWANY, KW_UPDOWN, + KW_AUTH1, + KW_AUTH2, KW_ID, + KW_ID2, KW_RSASIGKEY, KW_CERT, + KW_CERT2, KW_SENDCERT, KW_CA, + KW_CA2, KW_GROUPS, KW_IFACE, diff --git a/src/starter/loglite.c b/src/starter/loglite.c index 415cf931c..c88b33bfd 100644 --- a/src/starter/loglite.c +++ b/src/starter/loglite.c @@ -33,6 +33,10 @@ #include <log.h> #include <whack.h> +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + bool log_to_stderr = FALSE, /* should log go to stderr? */ log_to_syslog = TRUE; /* should log go to syslog? */ diff --git a/src/starter/starter.c b/src/starter/starter.c index 2d2f452b5..b675ccf1c 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -66,46 +66,66 @@ static unsigned int _action_ = 0; -static void -fsig(int signal) +static void fsig(int signal) { switch (signal) { case SIGCHLD: { - int status; + int status, exit_status = 0; pid_t pid; char *name = NULL; while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { if (pid == starter_pluto_pid()) + { name = " (Pluto)"; + } if (pid == starter_charon_pid()) + { name = " (Charon)"; + } if (WIFSIGNALED(status)) + { DBG(DBG_CONTROL, DBG_log("child %d%s has been killed by sig %d\n", pid, name?name:"", WTERMSIG(status)) ) + } else if (WIFSTOPPED(status)) + { DBG(DBG_CONTROL, DBG_log("child %d%s has been stopped by sig %d\n", pid, name?name:"", WSTOPSIG(status)) ) + } else if (WIFEXITED(status)) + { + exit_status = WEXITSTATUS(status); + if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST) + { + _action_ = FLAG_ACTION_QUIT; + } DBG(DBG_CONTROL, DBG_log("child %d%s has quit (exit code %d)\n", - pid, name?name:"", WEXITSTATUS(status)) + pid, name?name:"", exit_status) ) + } else + { DBG(DBG_CONTROL, DBG_log("child %d%s has quit", pid, name?name:"") ) + } if (pid == starter_pluto_pid()) - starter_pluto_sigchild(pid); + { + starter_pluto_sigchild(pid, exit_status); + } if (pid == starter_charon_pid()) - starter_charon_sigchild(pid); + { + starter_charon_sigchild(pid, exit_status); + } } } break; @@ -196,8 +216,7 @@ static void generate_selfcert() } } -static void -usage(char *name) +static void usage(char *name) { fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] " "[--debug|--debug-more|--debug-all]\n"); @@ -392,9 +411,13 @@ int main (int argc, char **argv) if (_action_ & FLAG_ACTION_QUIT) { if (starter_pluto_pid()) + { starter_stop_pluto(); + } if (starter_charon_pid()) + { starter_stop_charon(); + } starter_netkey_cleanup(); confread_free(cfg); unlink(STARTER_PID_FILE); diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am index afca95fce..363cde717 100644 --- a/src/stroke/Makefile.am +++ b/src/stroke/Makefile.am @@ -1,6 +1,7 @@ ipsec_PROGRAMS = stroke stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h +stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt BUILT_SOURCES = stroke_keywords.c diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index dde80348e..e2ed28afe 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -46,7 +46,10 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT) stroke_OBJECTS = $(am_stroke_OBJECTS) -stroke_LDADD = $(LDADD) +am__DEPENDENCIES_1 = +stroke_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -65,12 +68,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -135,6 +140,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -175,7 +181,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -210,6 +218,7 @@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h +stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt BUILT_SOURCES = stroke_keywords.c diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 704c88c58..abf285a86 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -25,6 +25,8 @@ #include <sys/types.h> +#include <library.h> + /** * Socket which is used to communicate between charon and stroke */ diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 7e2be4d1b..88b066379 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -67,12 +67,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -137,6 +139,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -177,7 +180,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ |