From 568905f488e63e28778f87ac0e38d845f45bae79 Mon Sep 17 00:00:00 2001 From: RenĂ© Mayrhofer Date: Sat, 5 Mar 2011 09:20:09 +0100 Subject: Imported Upstream version 4.5.1 --- Android.mk | 2 +- Makefile.in | 4 +- NEWS | 74 ++ configure | 447 ++++++-- configure.in | 65 +- ltmain.sh | 0 man/Makefile.in | 4 +- man/ipsec.conf.5 | 24 +- man/ipsec.conf.5.in | 22 +- man/ipsec.secrets.5 | 2 +- man/strongswan.conf.5 | 65 +- man/strongswan.conf.5.in | 63 +- scripts/Makefile.am | 8 +- scripts/Makefile.in | 43 +- scripts/fetch.c | 41 + scripts/oid2der.c | 31 + src/Makefile.am | 18 +- src/Makefile.in | 38 +- src/_copyright/Makefile.am | 1 - src/_copyright/Makefile.in | 102 +- src/_copyright/_copyright.8 | 29 - src/_updown/Makefile.in | 4 +- src/_updown_espmark/Makefile.in | 4 +- src/charon/Makefile.in | 4 +- src/charon/charon.c | 137 ++- src/checksum/Makefile.in | 4 +- src/conftest/Makefile.am | 26 + src/conftest/Makefile.in | 954 ++++++++++++++++ src/conftest/README | 315 ++++++ src/conftest/actions.c | 339 ++++++ src/conftest/actions.h | 42 + src/conftest/config.c | 343 ++++++ src/conftest/config.h | 56 + src/conftest/conftest.c | 550 +++++++++ src/conftest/conftest.h | 74 ++ src/conftest/hooks/add_notify.c | 140 +++ src/conftest/hooks/add_payload.c | 151 +++ src/conftest/hooks/custom_proposal.c | 188 +++ src/conftest/hooks/force_cookie.c | 117 ++ src/conftest/hooks/hook.h | 45 + src/conftest/hooks/ignore_message.c | 89 ++ src/conftest/hooks/ike_auth_fill.c | 145 +++ src/conftest/hooks/log_id.c | 89 ++ src/conftest/hooks/log_ke.c | 81 ++ src/conftest/hooks/log_proposals.c | 98 ++ src/conftest/hooks/log_ts.c | 86 ++ src/conftest/hooks/pretend_auth.c | 386 +++++++ src/conftest/hooks/rebuild_auth.c | 243 ++++ src/conftest/hooks/reset_seq.c | 158 +++ src/conftest/hooks/set_critical.c | 123 ++ src/conftest/hooks/set_ike_initiator.c | 87 ++ src/conftest/hooks/set_ike_request.c | 84 ++ src/conftest/hooks/set_ike_spi.c | 104 ++ src/conftest/hooks/set_ike_version.c | 111 ++ src/conftest/hooks/set_length.c | 133 +++ src/conftest/hooks/set_proposal_number.c | 163 +++ src/conftest/hooks/set_reserved.c | 245 ++++ src/conftest/hooks/unencrypted_notify.c | 153 +++ src/conftest/hooks/unsort_message.c | 133 +++ src/dumm/Makefile.in | 4 +- src/include/Makefile.in | 4 +- src/include/linux/xfrm.h | 1 + src/ipsec/Makefile.in | 4 +- src/ipsec/ipsec.8 | 2 +- src/ipsec/ipsec.in | 6 +- src/libcharon/Makefile.am | 20 +- src/libcharon/Makefile.in | 157 ++- src/libcharon/bus/bus.c | 2 +- src/libcharon/config/backend_manager.c | 74 +- src/libcharon/config/child_cfg.c | 268 ++--- src/libcharon/config/child_cfg.h | 31 +- src/libcharon/config/peer_cfg.c | 2 +- src/libcharon/config/proposal.c | 10 +- src/libcharon/daemon.c | 220 +--- src/libcharon/daemon.h | 19 +- src/libcharon/encoding/generator.c | 375 +----- src/libcharon/encoding/message.c | 174 ++- src/libcharon/encoding/message.h | 41 +- src/libcharon/encoding/parser.c | 34 +- src/libcharon/encoding/payloads/auth_payload.c | 205 ++-- src/libcharon/encoding/payloads/auth_payload.h | 24 +- src/libcharon/encoding/payloads/cert_payload.c | 198 ++-- src/libcharon/encoding/payloads/cert_payload.h | 9 + src/libcharon/encoding/payloads/certreq_payload.c | 161 ++- .../encoding/payloads/configuration_attribute.c | 108 +- src/libcharon/encoding/payloads/cp_payload.c | 169 ++- src/libcharon/encoding/payloads/delete_payload.c | 21 +- src/libcharon/encoding/payloads/eap_payload.c | 19 +- src/libcharon/encoding/payloads/id_payload.c | 220 ++-- src/libcharon/encoding/payloads/id_payload.h | 44 +- src/libcharon/encoding/payloads/ike_header.c | 315 +++--- src/libcharon/encoding/payloads/ike_header.h | 22 + src/libcharon/encoding/payloads/ke_payload.c | 203 ++-- src/libcharon/encoding/payloads/ke_payload.h | 23 +- src/libcharon/encoding/payloads/nonce_payload.c | 178 ++- src/libcharon/encoding/payloads/notify_payload.c | 207 ++-- src/libcharon/encoding/payloads/payload.c | 64 +- src/libcharon/encoding/payloads/payload.h | 39 +- .../encoding/payloads/proposal_substructure.c | 62 +- .../encoding/payloads/proposal_substructure.h | 6 +- src/libcharon/encoding/payloads/sa_payload.c | 27 +- src/libcharon/encoding/payloads/sa_payload.h | 7 + .../payloads/traffic_selector_substructure.c | 164 ++- .../encoding/payloads/transform_attribute.c | 221 ++-- .../encoding/payloads/transform_substructure.c | 299 ++--- .../encoding/payloads/transform_substructure.h | 65 +- src/libcharon/encoding/payloads/ts_payload.c | 273 ++--- src/libcharon/encoding/payloads/ts_payload.h | 34 +- src/libcharon/encoding/payloads/unknown_payload.c | 172 +-- src/libcharon/encoding/payloads/unknown_payload.h | 18 +- .../encoding/payloads/vendor_id_payload.c | 125 +- .../encoding/payloads/vendor_id_payload.h | 5 + src/libcharon/plugins/addrblock/Makefile.in | 4 +- .../plugins/addrblock/addrblock_validator.c | 9 +- src/libcharon/plugins/android/Makefile.in | 4 +- src/libcharon/plugins/android/android_creds.c | 2 +- src/libcharon/plugins/android/android_service.c | 4 +- src/libcharon/plugins/dhcp/Makefile.in | 4 +- src/libcharon/plugins/dhcp/dhcp_socket.c | 7 +- src/libcharon/plugins/eap_aka/Makefile.in | 4 +- src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 4 +- src/libcharon/plugins/eap_gtc/Makefile.in | 4 +- src/libcharon/plugins/eap_identity/Makefile.in | 4 +- src/libcharon/plugins/eap_md5/Makefile.in | 4 +- src/libcharon/plugins/eap_mschapv2/Makefile.in | 4 +- src/libcharon/plugins/eap_radius/Makefile.in | 4 +- src/libcharon/plugins/eap_sim/Makefile.in | 4 +- src/libcharon/plugins/eap_sim_file/Makefile.in | 4 +- .../plugins/eap_simaka_pseudonym/Makefile.in | 4 +- .../plugins/eap_simaka_reauth/Makefile.in | 4 +- src/libcharon/plugins/eap_simaka_sql/Makefile.in | 4 +- src/libcharon/plugins/eap_tls/Makefile.in | 4 +- src/libcharon/plugins/eap_tnc/Makefile.in | 4 +- src/libcharon/plugins/eap_tnc/eap_tnc.c | 26 +- src/libcharon/plugins/eap_ttls/Makefile.in | 4 +- src/libcharon/plugins/eap_ttls/eap_ttls_peer.c | 1 + src/libcharon/plugins/farp/Makefile.in | 4 +- src/libcharon/plugins/ha/Makefile.in | 4 +- src/libcharon/plugins/ha/ha_ctl.c | 9 +- src/libcharon/plugins/ha/ha_dispatcher.c | 8 +- src/libcharon/plugins/ha/ha_segments.c | 14 +- src/libcharon/plugins/ha/ha_socket.c | 8 +- src/libcharon/plugins/ha/ha_tunnel.c | 4 +- src/libcharon/plugins/led/Makefile.in | 4 +- src/libcharon/plugins/load_tester/Makefile.in | 4 +- .../plugins/load_tester/load_tester_config.c | 4 +- .../plugins/load_tester/load_tester_ipsec.c | 2 +- .../plugins/load_tester/load_tester_plugin.c | 4 +- src/libcharon/plugins/maemo/Makefile.am | 6 +- src/libcharon/plugins/maemo/Makefile.in | 11 +- src/libcharon/plugins/maemo/maemo_service.c | 15 +- .../plugins/maemo/org.strongswan.charon.service | 4 - .../plugins/maemo/org.strongswan.charon.service.in | 4 + src/libcharon/plugins/medcli/Makefile.in | 4 +- src/libcharon/plugins/medcli/medcli_config.c | 8 +- src/libcharon/plugins/medsrv/Makefile.in | 4 +- src/libcharon/plugins/nm/Makefile.in | 4 +- src/libcharon/plugins/nm/nm_creds.c | 6 +- src/libcharon/plugins/nm/nm_service.c | 4 +- src/libcharon/plugins/smp/Makefile.in | 4 +- src/libcharon/plugins/socket_default/Makefile.in | 4 +- src/libcharon/plugins/socket_dynamic/Makefile.in | 4 +- src/libcharon/plugins/socket_raw/Makefile.in | 4 +- src/libcharon/plugins/sql/Makefile.in | 4 +- src/libcharon/plugins/sql/sql_config.c | 169 ++- src/libcharon/plugins/sql/sql_cred.c | 246 ++-- src/libcharon/plugins/sql/sql_plugin.c | 18 +- src/libcharon/plugins/stroke/Makefile.am | 3 +- src/libcharon/plugins/stroke/Makefile.in | 10 +- src/libcharon/plugins/stroke/stroke_ca.c | 76 +- src/libcharon/plugins/stroke/stroke_config.c | 103 +- src/libcharon/plugins/stroke/stroke_control.c | 189 +++- src/libcharon/plugins/stroke/stroke_control.h | 7 + src/libcharon/plugins/stroke/stroke_cred.c | 409 +------ src/libcharon/plugins/stroke/stroke_list.c | 130 ++- src/libcharon/plugins/stroke/stroke_plugin.c | 18 +- src/libcharon/plugins/stroke/stroke_shared_key.c | 140 --- src/libcharon/plugins/stroke/stroke_shared_key.h | 60 - src/libcharon/plugins/stroke/stroke_socket.c | 23 + src/libcharon/plugins/tnc_imc/Makefile.am | 7 +- src/libcharon/plugins/tnc_imc/Makefile.in | 18 +- src/libcharon/plugins/tnc_imc/tnc_imc.c | 207 ++++ src/libcharon/plugins/tnc_imc/tnc_imc.h | 36 + .../plugins/tnc_imc/tnc_imc_bind_function.c | 83 ++ src/libcharon/plugins/tnc_imc/tnc_imc_manager.c | 238 ++++ src/libcharon/plugins/tnc_imc/tnc_imc_manager.h | 32 + src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c | 141 ++- src/libcharon/plugins/tnc_imv/Makefile.am | 8 +- src/libcharon/plugins/tnc_imv/Makefile.in | 21 +- src/libcharon/plugins/tnc_imv/tnc_imv.c | 208 ++++ src/libcharon/plugins/tnc_imv/tnc_imv.h | 36 + .../plugins/tnc_imv/tnc_imv_bind_function.c | 137 +++ src/libcharon/plugins/tnc_imv/tnc_imv_manager.c | 295 +++++ src/libcharon/plugins/tnc_imv/tnc_imv_manager.h | 32 + src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c | 137 ++- .../plugins/tnc_imv/tnc_imv_recommendations.c | 415 +++++++ .../plugins/tnc_imv/tnc_imv_recommendations.h | 33 + src/libcharon/plugins/tnccs_11/Makefile.am | 16 +- src/libcharon/plugins/tnccs_11/Makefile.in | 92 +- src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c | 323 ++++++ src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h | 100 ++ .../plugins/tnccs_11/messages/imc_imv_msg.c | 242 ++++ .../plugins/tnccs_11/messages/imc_imv_msg.h | 71 ++ .../plugins/tnccs_11/messages/tnccs_error_msg.c | 191 ++++ .../plugins/tnccs_11/messages/tnccs_error_msg.h | 80 ++ .../plugins/tnccs_11/messages/tnccs_msg.c | 140 +++ .../plugins/tnccs_11/messages/tnccs_msg.h | 102 ++ .../messages/tnccs_preferred_language_msg.c | 137 +++ .../messages/tnccs_preferred_language_msg.h | 64 ++ .../tnccs_11/messages/tnccs_reason_strings_msg.c | 149 +++ .../tnccs_11/messages/tnccs_reason_strings_msg.h | 64 ++ .../tnccs_11/messages/tnccs_recommendation_msg.c | 186 +++ .../tnccs_11/messages/tnccs_recommendation_msg.h | 64 ++ .../messages/tnccs_tncs_contact_info_msg.c | 118 ++ .../messages/tnccs_tncs_contact_info_msg.h | 54 + src/libcharon/plugins/tnccs_11/tnccs_11.c | 515 ++++++--- src/libcharon/plugins/tnccs_20/Makefile.am | 21 +- src/libcharon/plugins/tnccs_20/Makefile.in | 121 +- .../plugins/tnccs_20/batch/pb_tnc_batch.c | 543 +++++++++ .../plugins/tnccs_20/batch/pb_tnc_batch.h | 126 +++ .../messages/pb_access_recommendation_msg.c | 180 +++ .../messages/pb_access_recommendation_msg.h | 76 ++ .../tnccs_20/messages/pb_assessment_result_msg.c | 172 +++ .../tnccs_20/messages/pb_assessment_result_msg.h | 60 + .../plugins/tnccs_20/messages/pb_error_msg.c | 346 ++++++ .../plugins/tnccs_20/messages/pb_error_msg.h | 127 +++ .../tnccs_20/messages/pb_experimental_msg.c | 102 ++ .../tnccs_20/messages/pb_experimental_msg.h | 53 + .../tnccs_20/messages/pb_language_preference_msg.c | 175 +++ .../tnccs_20/messages/pb_language_preference_msg.h | 60 + .../plugins/tnccs_20/messages/pb_pa_msg.c | 293 +++++ .../plugins/tnccs_20/messages/pb_pa_msg.h | 123 ++ .../tnccs_20/messages/pb_reason_string_msg.c | 216 ++++ .../tnccs_20/messages/pb_reason_string_msg.h | 69 ++ .../messages/pb_remediation_parameters_msg.c | 259 +++++ .../messages/pb_remediation_parameters_msg.h | 96 ++ .../plugins/tnccs_20/messages/pb_tnc_msg.c | 75 ++ .../plugins/tnccs_20/messages/pb_tnc_msg.h | 128 +++ .../tnccs_20/state_machine/pb_tnc_state_machine.c | 287 +++++ .../tnccs_20/state_machine/pb_tnc_state_machine.h | 88 ++ src/libcharon/plugins/tnccs_20/tnccs_20.c | 575 +++++++++- src/libcharon/plugins/tnccs_dynamic/Makefile.am | 17 + src/libcharon/plugins/tnccs_dynamic/Makefile.in | 607 ++++++++++ .../plugins/tnccs_dynamic/tnccs_dynamic.c | 146 +++ .../plugins/tnccs_dynamic/tnccs_dynamic.h | 36 + .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.c | 47 + .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.h | 42 + src/libcharon/plugins/uci/Makefile.in | 4 +- src/libcharon/plugins/uci/uci_config.c | 4 +- src/libcharon/plugins/unit_tester/Makefile.in | 4 +- src/libcharon/plugins/updown/Makefile.in | 4 +- src/libcharon/processing/jobs/acquire_job.c | 31 +- .../processing/jobs/delete_child_sa_job.c | 35 +- src/libcharon/processing/jobs/delete_ike_sa_job.c | 31 +- src/libcharon/processing/jobs/migrate_job.c | 39 +- .../processing/jobs/process_message_job.c | 29 +- src/libcharon/processing/jobs/rekey_child_sa_job.c | 33 +- src/libcharon/processing/jobs/rekey_ike_sa_job.c | 31 +- src/libcharon/processing/jobs/retransmit_job.c | 31 +- src/libcharon/processing/jobs/roam_job.c | 29 +- src/libcharon/processing/jobs/send_dpd_job.c | 29 +- src/libcharon/processing/jobs/send_keepalive_job.c | 29 +- src/libcharon/processing/jobs/start_action_job.c | 101 ++ src/libcharon/processing/jobs/start_action_job.h | 49 + src/libcharon/processing/jobs/update_sa_job.c | 33 +- src/libcharon/sa/authenticators/authenticator.c | 20 +- src/libcharon/sa/authenticators/authenticator.h | 8 +- .../sa/authenticators/eap_authenticator.c | 18 +- .../sa/authenticators/eap_authenticator.h | 8 +- .../sa/authenticators/psk_authenticator.c | 94 +- .../sa/authenticators/psk_authenticator.h | 8 +- .../sa/authenticators/pubkey_authenticator.c | 90 +- .../sa/authenticators/pubkey_authenticator.h | 8 +- src/libcharon/sa/child_sa.c | 12 +- src/libcharon/sa/child_sa.h | 3 +- src/libcharon/sa/connect_manager.c | 5 +- src/libcharon/sa/ike_sa.c | 79 +- src/libcharon/sa/ike_sa.h | 3 +- src/libcharon/sa/ike_sa_manager.c | 474 ++++---- src/libcharon/sa/ike_sa_manager.h | 18 +- src/libcharon/sa/keymat.c | 10 +- src/libcharon/sa/keymat.h | 8 +- src/libcharon/sa/task_manager.c | 46 +- src/libcharon/sa/task_manager.h | 10 + src/libcharon/sa/tasks/child_create.c | 182 +-- src/libcharon/sa/tasks/child_rekey.c | 7 +- src/libcharon/sa/tasks/ike_auth.c | 200 ++-- src/libcharon/sa/tasks/ike_cert_pre.c | 19 +- src/libcharon/sa/tasks/ike_rekey.c | 7 +- src/libcharon/tnc/imc/imc.h | 175 +++ src/libcharon/tnc/imc/imc_manager.h | 116 ++ src/libcharon/tnc/imv/imv.h | 175 +++ src/libcharon/tnc/imv/imv_manager.h | 134 +++ src/libcharon/tnc/imv/imv_recommendations.c | 24 + src/libcharon/tnc/imv/imv_recommendations.h | 117 ++ src/libcharon/tnc/tnccs/tnccs.c | 23 + src/libcharon/tnc/tnccs/tnccs.h | 82 ++ src/libcharon/tnc/tnccs/tnccs_manager.c | 477 ++++++++ src/libcharon/tnc/tnccs/tnccs_manager.h | 184 +++ src/libcharon/tnc/tncif.h | 106 ++ src/libcharon/tnc/tncifimc.h | 180 +++ src/libcharon/tnc/tncifimv.c | 36 + src/libcharon/tnc/tncifimv.h | 248 ++++ src/libcharon/tnccs/tnccs.c | 22 - src/libcharon/tnccs/tnccs.h | 52 - src/libcharon/tnccs/tnccs_manager.c | 148 --- src/libcharon/tnccs/tnccs_manager.h | 74 -- src/libfast/Makefile.in | 4 +- src/libfast/request.c | 11 +- src/libfast/request.h | 8 + src/libfreeswan/Makefile.am | 12 +- src/libfreeswan/Makefile.in | 40 +- src/libfreeswan/atosa.3 | 217 ---- src/libfreeswan/atosa.c | 198 ---- src/libfreeswan/copyright.c | 12 +- src/libfreeswan/freeswan.h | 29 - src/libfreeswan/keyblobtoid.3 | 102 -- src/libfreeswan/keyblobtoid.c | 146 --- src/libfreeswan/prng.3 | 120 -- src/libfreeswan/prng.c | 200 ---- src/libfreeswan/satoa.c | 100 -- src/libhydra/Makefile.in | 4 +- src/libhydra/kernel/kernel_interface.c | 8 +- src/libhydra/kernel/kernel_interface.h | 3 +- src/libhydra/kernel/kernel_ipsec.h | 3 +- src/libhydra/plugins/attr/Makefile.in | 4 +- src/libhydra/plugins/attr/attr_plugin.c | 19 +- src/libhydra/plugins/attr_sql/Makefile.in | 4 +- src/libhydra/plugins/attr_sql/attr_sql_plugin.c | 23 +- src/libhydra/plugins/kernel_klips/Makefile.in | 4 +- .../plugins/kernel_klips/kernel_klips_ipsec.c | 2 +- .../plugins/kernel_klips/kernel_klips_plugin.c | 19 +- src/libhydra/plugins/kernel_netlink/Makefile.in | 4 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 42 +- .../plugins/kernel_netlink/kernel_netlink_plugin.c | 17 +- src/libhydra/plugins/kernel_pfkey/Makefile.in | 4 +- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 17 +- .../plugins/kernel_pfkey/kernel_pfkey_plugin.c | 19 +- src/libhydra/plugins/kernel_pfroute/Makefile.in | 4 +- .../plugins/kernel_pfroute/kernel_pfroute_plugin.c | 19 +- src/libhydra/plugins/resolve/Makefile.in | 4 +- src/libhydra/plugins/resolve/resolve_plugin.c | 18 +- src/libsimaka/Makefile.in | 4 +- src/libstrongswan/Makefile.am | 24 +- src/libstrongswan/Makefile.in | 186 +-- src/libstrongswan/asn1/asn1.c | 94 ++ src/libstrongswan/asn1/asn1.h | 16 + src/libstrongswan/asn1/asn1_parser.c | 66 +- src/libstrongswan/asn1/oid.c | 715 ++++++------ src/libstrongswan/asn1/oid.h | 178 +-- src/libstrongswan/asn1/oid.txt | 17 +- src/libstrongswan/credentials/auth_cfg.c | 155 ++- src/libstrongswan/credentials/auth_cfg.h | 8 + src/libstrongswan/credentials/builder.c | 8 + src/libstrongswan/credentials/builder.h | 18 +- src/libstrongswan/credentials/cert_validator.h | 7 +- src/libstrongswan/credentials/certificates/crl.h | 15 + src/libstrongswan/credentials/certificates/x509.c | 28 - src/libstrongswan/credentials/certificates/x509.h | 89 +- src/libstrongswan/credentials/credential_manager.c | 90 +- .../credentials/sets/auth_cfg_wrapper.c | 3 +- src/libstrongswan/credentials/sets/mem_cred.c | 240 +++- src/libstrongswan/credentials/sets/mem_cred.h | 50 +- src/libstrongswan/crypto/crypto_factory.c | 133 ++- src/libstrongswan/crypto/crypto_factory.h | 31 +- src/libstrongswan/crypto/crypto_tester.c | 166 +-- src/libstrongswan/crypto/crypto_tester.h | 16 +- src/libstrongswan/eap/eap.h | 2 +- src/libstrongswan/enum.c | 2 +- src/libstrongswan/fetcher/fetcher_manager.c | 4 +- src/libstrongswan/integrity_checker.c | 62 +- src/libstrongswan/plugins/aes/Makefile.in | 4 +- src/libstrongswan/plugins/aes/aes_plugin.c | 4 +- src/libstrongswan/plugins/af_alg/Makefile.am | 20 + src/libstrongswan/plugins/af_alg/Makefile.in | 612 ++++++++++ src/libstrongswan/plugins/af_alg/af_alg_crypter.c | 237 ++++ src/libstrongswan/plugins/af_alg/af_alg_crypter.h | 54 + src/libstrongswan/plugins/af_alg/af_alg_hasher.c | 170 +++ src/libstrongswan/plugins/af_alg/af_alg_hasher.h | 52 + src/libstrongswan/plugins/af_alg/af_alg_ops.c | 226 ++++ src/libstrongswan/plugins/af_alg/af_alg_ops.h | 92 ++ src/libstrongswan/plugins/af_alg/af_alg_plugin.c | 74 ++ src/libstrongswan/plugins/af_alg/af_alg_plugin.h | 42 + src/libstrongswan/plugins/af_alg/af_alg_prf.c | 211 ++++ src/libstrongswan/plugins/af_alg/af_alg_prf.h | 52 + src/libstrongswan/plugins/af_alg/af_alg_signer.c | 206 ++++ src/libstrongswan/plugins/af_alg/af_alg_signer.h | 52 + src/libstrongswan/plugins/agent/Makefile.in | 4 +- src/libstrongswan/plugins/blowfish/Makefile.in | 4 +- .../plugins/blowfish/blowfish_plugin.c | 4 +- src/libstrongswan/plugins/ccm/Makefile.in | 4 +- src/libstrongswan/plugins/ccm/ccm_plugin.c | 37 +- src/libstrongswan/plugins/constraints/Makefile.am | 16 + src/libstrongswan/plugins/constraints/Makefile.in | 604 ++++++++++ .../plugins/constraints/constraints_plugin.c | 65 ++ .../plugins/constraints/constraints_plugin.h | 42 + .../plugins/constraints/constraints_validator.c | 578 ++++++++++ .../plugins/constraints/constraints_validator.h | 49 + src/libstrongswan/plugins/ctr/Makefile.in | 4 +- src/libstrongswan/plugins/ctr/ctr_plugin.c | 22 +- src/libstrongswan/plugins/curl/Makefile.in | 4 +- src/libstrongswan/plugins/curl/curl_fetcher.c | 16 +- src/libstrongswan/plugins/curl/curl_plugin.c | 16 +- src/libstrongswan/plugins/des/Makefile.in | 4 +- src/libstrongswan/plugins/des/des_plugin.c | 8 +- src/libstrongswan/plugins/dnskey/Makefile.in | 4 +- src/libstrongswan/plugins/dnskey/dnskey_plugin.c | 19 +- src/libstrongswan/plugins/fips_prf/Makefile.in | 4 +- src/libstrongswan/plugins/fips_prf/fips_prf.c | 55 +- .../plugins/fips_prf/fips_prf_plugin.c | 28 +- src/libstrongswan/plugins/gcm/Makefile.in | 4 +- src/libstrongswan/plugins/gcm/gcm_plugin.c | 20 +- src/libstrongswan/plugins/gcrypt/Makefile.in | 4 +- src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 68 +- src/libstrongswan/plugins/gmp/Makefile.in | 4 +- src/libstrongswan/plugins/gmp/gmp_plugin.c | 26 +- src/libstrongswan/plugins/hmac/Makefile.in | 4 +- src/libstrongswan/plugins/hmac/hmac_plugin.c | 88 +- src/libstrongswan/plugins/ldap/Makefile.in | 4 +- src/libstrongswan/plugins/ldap/ldap_fetcher.c | 35 +- src/libstrongswan/plugins/ldap/ldap_plugin.c | 16 +- src/libstrongswan/plugins/md4/Makefile.in | 4 +- src/libstrongswan/plugins/md4/md4_plugin.c | 20 +- src/libstrongswan/plugins/md5/Makefile.in | 4 +- src/libstrongswan/plugins/md5/md5_plugin.c | 20 +- src/libstrongswan/plugins/mysql/Makefile.in | 4 +- src/libstrongswan/plugins/mysql/mysql_database.c | 40 +- src/libstrongswan/plugins/mysql/mysql_plugin.c | 15 +- src/libstrongswan/plugins/openssl/Makefile.in | 4 +- src/libstrongswan/plugins/openssl/openssl_crl.c | 11 +- src/libstrongswan/plugins/openssl/openssl_plugin.c | 74 +- src/libstrongswan/plugins/openssl/openssl_x509.c | 100 +- src/libstrongswan/plugins/padlock/Makefile.in | 4 +- src/libstrongswan/plugins/padlock/padlock_plugin.c | 12 +- src/libstrongswan/plugins/pem/Makefile.in | 4 +- src/libstrongswan/plugins/pem/pem_encoder.c | 2 +- src/libstrongswan/plugins/pem/pem_plugin.c | 18 +- src/libstrongswan/plugins/pgp/Makefile.in | 4 +- src/libstrongswan/plugins/pgp/pgp_plugin.c | 21 +- src/libstrongswan/plugins/pkcs1/Makefile.in | 4 +- src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c | 16 +- src/libstrongswan/plugins/pkcs11/Makefile.in | 4 +- src/libstrongswan/plugins/pkcs11/pkcs11_creds.c | 23 +- src/libstrongswan/plugins/pkcs11/pkcs11_library.c | 67 +- src/libstrongswan/plugins/pkcs11/pkcs11_library.h | 21 +- src/libstrongswan/plugins/pkcs11/pkcs11_manager.c | 5 +- src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c | 14 +- .../plugins/pkcs11/pkcs11_private_key.c | 18 +- src/libstrongswan/plugins/plugin_loader.c | 111 +- src/libstrongswan/plugins/pubkey/Makefile.in | 4 +- src/libstrongswan/plugins/pubkey/pubkey_plugin.c | 18 +- src/libstrongswan/plugins/random/Makefile.in | 4 +- src/libstrongswan/plugins/random/random_plugin.c | 22 +- src/libstrongswan/plugins/random/random_rng.c | 37 +- src/libstrongswan/plugins/revocation/Makefile.in | 4 +- .../plugins/revocation/revocation_validator.c | 279 +++-- src/libstrongswan/plugins/sha1/Makefile.in | 4 +- src/libstrongswan/plugins/sha1/sha1_plugin.c | 22 +- src/libstrongswan/plugins/sha2/Makefile.in | 4 +- src/libstrongswan/plugins/sha2/sha2_plugin.c | 26 +- src/libstrongswan/plugins/soup/Makefile.am | 16 + src/libstrongswan/plugins/soup/Makefile.in | 601 ++++++++++ src/libstrongswan/plugins/soup/soup_fetcher.c | 159 +++ src/libstrongswan/plugins/soup/soup_fetcher.h | 44 + src/libstrongswan/plugins/soup/soup_plugin.c | 72 ++ src/libstrongswan/plugins/soup/soup_plugin.h | 42 + src/libstrongswan/plugins/sqlite/Makefile.in | 4 +- src/libstrongswan/plugins/sqlite/sqlite_database.c | 45 +- src/libstrongswan/plugins/sqlite/sqlite_plugin.c | 18 +- src/libstrongswan/plugins/test_vectors/Makefile.in | 4 +- .../plugins/test_vectors/test_vectors_plugin.c | 16 +- src/libstrongswan/plugins/x509/Makefile.in | 4 +- src/libstrongswan/plugins/x509/x509_cert.c | 1192 +++++++++++++++----- src/libstrongswan/plugins/x509/x509_crl.c | 173 ++- src/libstrongswan/plugins/x509/x509_plugin.c | 16 +- src/libstrongswan/plugins/xcbc/Makefile.in | 4 +- src/libstrongswan/plugins/xcbc/xcbc_plugin.c | 30 +- src/libstrongswan/printf_hook.c | 24 +- src/libstrongswan/processing/processor.c | 2 +- src/libstrongswan/selectors/traffic_selector.c | 6 +- src/libstrongswan/settings.c | 838 +++++++++++--- src/libstrongswan/settings.h | 171 ++- src/libstrongswan/utils.c | 8 + src/libstrongswan/utils.h | 17 +- src/libstrongswan/utils/backtrace.c | 14 +- src/libstrongswan/utils/backtrace.h | 9 +- src/libstrongswan/utils/hashtable.c | 3 +- src/libstrongswan/utils/host.c | 39 + src/libstrongswan/utils/host.h | 9 + src/libstrongswan/utils/identification.c | 10 +- src/libstrongswan/utils/leak_detective.c | 33 +- src/libstrongswan/utils/optionsfrom.c | 30 +- src/libtls/Makefile.in | 4 +- src/libtls/tls.h | 2 +- src/libtls/tls_crypto.c | 10 +- src/libtls/tls_eap.c | 12 +- src/libtls/tls_reader.c | 18 +- src/libtls/tls_writer.c | 2 +- src/manager/Makefile.in | 4 +- src/medsrv/Makefile.in | 4 +- src/openac/Makefile.in | 4 +- src/pki/Makefile.in | 4 +- src/pki/command.c | 2 +- src/pki/command.h | 2 +- src/pki/commands/issue.c | 223 +++- src/pki/commands/print.c | 151 ++- src/pki/commands/self.c | 171 ++- src/pki/commands/signcrl.c | 86 +- src/pluto/Makefile.in | 4 +- src/pluto/ca.c | 2 +- src/pluto/crl.c | 10 +- src/pluto/crypto.c | 279 +++-- src/pluto/demux.c | 2 +- src/pluto/ike_alg.c | 81 +- src/pluto/ike_alg.h | 6 +- src/pluto/kernel.c | 6 +- src/pluto/kernel_alg.c | 50 +- src/pluto/keys.c | 8 +- src/pluto/ocsp.c | 4 +- src/pluto/plugins/xauth/Makefile.in | 4 +- src/pluto/pluto.8 | 10 +- src/pluto/x509.c | 8 +- src/scepclient/Makefile.in | 4 +- src/scepclient/scepclient.8 | 4 +- src/starter/Makefile.am | 21 +- src/starter/Makefile.in | 126 +-- src/starter/args.c | 2 + src/starter/confread.c | 17 + src/starter/confread.h | 2 + src/starter/keywords.c | 288 ++--- src/starter/keywords.h | 6 +- src/starter/keywords.txt | 7 +- src/starter/starter.8 | 0 src/starter/starterstroke.c | 2 + src/stroke/Makefile.in | 4 +- src/stroke/stroke.c | 25 + src/stroke/stroke_keywords.c | 98 +- src/stroke/stroke_keywords.h | 3 + src/stroke/stroke_keywords.txt | 3 + src/stroke/stroke_msg.h | 10 +- src/whack/Makefile.in | 4 +- testing/INSTALL | 13 +- testing/Makefile.in | 4 +- testing/do-tests.in | 1 + testing/hosts/default/etc/hosts | 2 + testing/hosts/default/etc/ipsec.d/tables.sql | 38 +- testing/hosts/winnetou/etc/openssl/index.txt | 1 + testing/hosts/winnetou/etc/openssl/index.txt.old | 1 + testing/hosts/winnetou/etc/openssl/newcerts/23.pem | 25 + testing/hosts/winnetou/etc/openssl/serial | 2 +- testing/hosts/winnetou/etc/openssl/serial.old | 2 +- testing/scripts/build-umlrootfs | 20 + testing/scripts/kstart-umls | 2 +- testing/scripts/xstart-umls | 2 +- testing/testing.conf | 18 +- testing/tests/ha/both-active/description.txt | 8 + testing/tests/ha/both-active/evaltest.dat | 20 + .../ha/both-active/hosts/alice/etc/init.d/iptables | 104 ++ .../ha/both-active/hosts/alice/etc/ipsec.conf | 22 + .../hosts/alice/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/alice/etc/ipsec.d/private/marsKey.pem | 27 + .../ha/both-active/hosts/alice/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/alice/etc/strongswan.conf | 15 + .../ha/both-active/hosts/carol/etc/ipsec.conf | 23 + .../ha/both-active/hosts/carol/etc/strongswan.conf | 5 + .../tests/ha/both-active/hosts/dave/etc/ipsec.conf | 23 + .../ha/both-active/hosts/dave/etc/strongswan.conf | 6 + .../ha/both-active/hosts/moon/etc/init.d/iptables | 104 ++ .../tests/ha/both-active/hosts/moon/etc/ipsec.conf | 22 + .../hosts/moon/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/moon/etc/ipsec.d/private/marsKey.pem | 27 + .../ha/both-active/hosts/moon/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/moon/etc/strongswan.conf | 15 + testing/tests/ha/both-active/posttest.dat | 17 + testing/tests/ha/both-active/pretest.dat | 18 + testing/tests/ha/both-active/test.conf | 21 + testing/tests/ikev1/dpd-restart/evaltest.dat | 4 +- testing/tests/ikev1/dynamic-initiator/pretest.dat | 2 +- testing/tests/ikev1/dynamic-responder/pretest.dat | 2 +- testing/tests/ikev1/net2net-start/pretest.dat | 2 +- testing/tests/ikev1/xauth-rsa-fail/description.txt | 2 +- .../tests/ikev1/xauth-rsa-nosecret/description.txt | 2 +- .../tests/ikev2/critical-extension/description.txt | 5 + .../tests/ikev2/critical-extension/evaltest.dat | 6 + .../critical-extension/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes .../hosts/sun/etc/strongswan.conf | 6 + .../tests/ikev2/critical-extension/posttest.dat | 5 + testing/tests/ikev2/critical-extension/pretest.dat | 6 + testing/tests/ikev2/critical-extension/test.conf | 21 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-tnc-11-radius-block/description.txt | 11 + .../ikev2/rw-eap-tnc-11-radius-block/evaltest.dat | 14 + .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 + .../hosts/alice/etc/raddb/proxy.conf | 5 + .../hosts/alice/etc/raddb/radiusd.conf | 120 ++ .../hosts/alice/etc/raddb/sites-available/default | 44 + .../alice/etc/raddb/sites-available/inner-tunnel | 32 + .../etc/raddb/sites-available/inner-tunnel-second | 23 + .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 ++ .../hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 12 + .../ikev2/rw-eap-tnc-11-radius-block/posttest.dat | 8 + .../ikev2/rw-eap-tnc-11-radius-block/pretest.dat | 15 + .../ikev2/rw-eap-tnc-11-radius-block/test.conf | 26 + .../ikev2/rw-eap-tnc-11-radius/description.txt | 10 + .../tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat | 19 + .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 + .../hosts/alice/etc/raddb/proxy.conf | 5 + .../hosts/alice/etc/raddb/radiusd.conf | 120 ++ .../hosts/alice/etc/raddb/sites-available/default | 44 + .../alice/etc/raddb/sites-available/inner-tunnel | 32 + .../etc/raddb/sites-available/inner-tunnel-second | 36 + .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 ++ .../rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf | 35 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 13 + .../tests/ikev2/rw-eap-tnc-11-radius/posttest.dat | 8 + .../tests/ikev2/rw-eap-tnc-11-radius/pretest.dat | 18 + testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf | 26 + testing/tests/ikev2/rw-eap-tnc-11/description.txt | 9 + testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat | 19 + .../ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf | 23 + .../rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf | 23 + .../rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/dave/etc/strongswan.conf | 6 + .../rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-11/hosts/moon/etc/strongswan.conf | 13 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config | 3 + testing/tests/ikev2/rw-eap-tnc-11/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-11/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-11/test.conf | 26 + .../ikev2/rw-eap-tnc-20-block/description.txt | 11 + .../tests/ikev2/rw-eap-tnc-20-block/evaltest.dat | 12 + .../rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 14 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 14 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf | 26 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 19 + .../rw-eap-tnc-20-block/hosts/moon/etc/tnc_config | 3 + .../tests/ikev2/rw-eap-tnc-20-block/posttest.dat | 6 + .../tests/ikev2/rw-eap-tnc-20-block/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20-block/test.conf | 26 + .../tests/ikev2/rw-eap-tnc-20-tls/description.txt | 10 + testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat | 19 + .../rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 + .../rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config | 3 + testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf | 26 + testing/tests/ikev2/rw-eap-tnc-20/description.txt | 11 + testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat | 19 + .../ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf | 23 + .../rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf | 23 + .../rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/dave/etc/strongswan.conf | 11 + .../rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-20/hosts/moon/etc/strongswan.conf | 16 + .../ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config | 4 + testing/tests/ikev2/rw-eap-tnc-20/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20/test.conf | 26 + .../tests/ikev2/rw-eap-tnc-block/description.txt | 8 - testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat | 12 - .../rw-eap-tnc-block/hosts/carol/etc/ipsec.conf | 23 - .../rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/dave/etc/ipsec.conf | 23 - .../rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/dave/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/moon/etc/ipsec.conf | 26 - .../rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 13 - .../rw-eap-tnc-block/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-block/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-block/pretest.dat | 15 - testing/tests/ikev2/rw-eap-tnc-block/test.conf | 26 - .../tests/ikev2/rw-eap-tnc-dynamic/description.txt | 12 + .../tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat | 27 + .../rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf | 36 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 + .../rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config | 4 + .../tests/ikev2/rw-eap-tnc-dynamic/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf | 26 + .../ikev2/rw-eap-tnc-radius-block/description.txt | 11 - .../ikev2/rw-eap-tnc-radius-block/evaltest.dat | 14 - .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 - .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 -- .../hosts/alice/etc/raddb/sites-available/default | 44 - .../alice/etc/raddb/sites-available/inner-tunnel | 32 - .../etc/raddb/sites-available/inner-tunnel-second | 23 - .../hosts/alice/etc/raddb/users | 2 - .../hosts/alice/etc/tnc_config | 3 - .../hosts/carol/etc/ipsec.conf | 24 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc_config | 3 - .../hosts/dave/etc/ipsec.conf | 24 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 -- .../hosts/moon/etc/ipsec.conf | 25 - .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 12 - .../ikev2/rw-eap-tnc-radius-block/posttest.dat | 8 - .../ikev2/rw-eap-tnc-radius-block/pretest.dat | 15 - .../tests/ikev2/rw-eap-tnc-radius-block/test.conf | 26 - .../tests/ikev2/rw-eap-tnc-radius/description.txt | 10 - testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat | 19 - .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 - .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 -- .../hosts/alice/etc/raddb/sites-available/default | 44 - .../alice/etc/raddb/sites-available/inner-tunnel | 32 - .../etc/raddb/sites-available/inner-tunnel-second | 36 - .../rw-eap-tnc-radius/hosts/alice/etc/raddb/users | 2 - .../rw-eap-tnc-radius/hosts/alice/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf | 24 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf | 24 - .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 -- .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf | 35 - .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 13 - testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat | 8 - testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat | 18 - testing/tests/ikev2/rw-eap-tnc-radius/test.conf | 26 - testing/tests/ikev2/rw-eap-tnc-tls/description.txt | 7 - testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat | 19 - .../rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf | 24 - .../rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-tls/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf | 24 - .../rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf | 36 - .../rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat | 15 - testing/tests/ikev2/rw-eap-tnc-tls/test.conf | 26 - testing/tests/ikev2/rw-eap-tnc/description.txt | 9 - testing/tests/ikev2/rw-eap-tnc/evaltest.dat | 19 - .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf | 23 - .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/carol/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf | 23 - .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/dave/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf | 36 - .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc/pretest.dat | 15 - testing/tests/ikev2/rw-eap-tnc/test.conf | 26 - .../ikev2/two-certs/hosts/carol/etc/ipsec.conf | 1 + .../critical-extension/description.txt | 5 + .../openssl-ikev2/critical-extension/evaltest.dat | 6 + .../critical-extension/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes .../hosts/sun/etc/strongswan.conf | 6 + .../openssl-ikev2/critical-extension/posttest.dat | 5 + .../openssl-ikev2/critical-extension/pretest.dat | 6 + .../openssl-ikev2/critical-extension/test.conf | 21 + testing/tests/p2pnat/behind-same-nat/pretest.dat | 2 +- testing/tests/p2pnat/medsrv-psk/pretest.dat | 2 +- testing/tests/sql/multi-level-ca/description.txt | 6 + testing/tests/sql/multi-level-ca/evaltest.dat | 18 + .../sql/multi-level-ca/hosts/carol/etc/ipsec.conf | 7 + .../hosts/carol/etc/ipsec.d/data.sql | 192 ++++ .../multi-level-ca/hosts/carol/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/dave/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql | 194 ++++ .../multi-level-ca/hosts/dave/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/dave/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/moon/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql | 164 +++ .../multi-level-ca/hosts/moon/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/multi-level-ca/posttest.dat | 10 + testing/tests/sql/multi-level-ca/pretest.dat | 18 + testing/tests/sql/multi-level-ca/test.conf | 21 + .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 4 +- .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 4 +- .../tests/sql/net2net-route-pem/description.txt | 10 + testing/tests/sql/net2net-route-pem/evaltest.dat | 16 + .../net2net-route-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 249 ++++ .../net2net-route-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + .../sql/net2net-route-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 249 ++++ .../net2net-route-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-route-pem/posttest.dat | 6 + testing/tests/sql/net2net-route-pem/pretest.dat | 13 + testing/tests/sql/net2net-route-pem/test.conf | 21 + .../tests/sql/net2net-start-pem/description.txt | 10 + testing/tests/sql/net2net-start-pem/evaltest.dat | 12 + .../net2net-start-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 279 +++++ .../net2net-start-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + .../sql/net2net-start-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 273 +++++ .../net2net-start-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-start-pem/posttest.dat | 6 + testing/tests/sql/net2net-start-pem/pretest.dat | 11 + testing/tests/sql/net2net-start-pem/test.conf | 21 + 922 files changed, 38462 insertions(+), 11282 deletions(-) mode change 100644 => 100755 ltmain.sh create mode 100644 scripts/fetch.c create mode 100644 scripts/oid2der.c delete mode 100644 src/_copyright/_copyright.8 create mode 100644 src/conftest/Makefile.am create mode 100644 src/conftest/Makefile.in create mode 100644 src/conftest/README create mode 100644 src/conftest/actions.c create mode 100644 src/conftest/actions.h create mode 100644 src/conftest/config.c create mode 100644 src/conftest/config.h create mode 100644 src/conftest/conftest.c create mode 100644 src/conftest/conftest.h create mode 100644 src/conftest/hooks/add_notify.c create mode 100644 src/conftest/hooks/add_payload.c create mode 100644 src/conftest/hooks/custom_proposal.c create mode 100644 src/conftest/hooks/force_cookie.c create mode 100644 src/conftest/hooks/hook.h create mode 100644 src/conftest/hooks/ignore_message.c create mode 100644 src/conftest/hooks/ike_auth_fill.c create mode 100644 src/conftest/hooks/log_id.c create mode 100644 src/conftest/hooks/log_ke.c create mode 100644 src/conftest/hooks/log_proposals.c create mode 100644 src/conftest/hooks/log_ts.c create mode 100644 src/conftest/hooks/pretend_auth.c create mode 100644 src/conftest/hooks/rebuild_auth.c create mode 100644 src/conftest/hooks/reset_seq.c create mode 100644 src/conftest/hooks/set_critical.c create mode 100644 src/conftest/hooks/set_ike_initiator.c create mode 100644 src/conftest/hooks/set_ike_request.c create mode 100644 src/conftest/hooks/set_ike_spi.c create mode 100644 src/conftest/hooks/set_ike_version.c create mode 100644 src/conftest/hooks/set_length.c create mode 100644 src/conftest/hooks/set_proposal_number.c create mode 100644 src/conftest/hooks/set_reserved.c create mode 100644 src/conftest/hooks/unencrypted_notify.c create mode 100644 src/conftest/hooks/unsort_message.c delete mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service create mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service.in delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.c delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.h create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.h create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.am create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.in create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h create mode 100644 src/libcharon/processing/jobs/start_action_job.c create mode 100644 src/libcharon/processing/jobs/start_action_job.h create mode 100644 src/libcharon/tnc/imc/imc.h create mode 100644 src/libcharon/tnc/imc/imc_manager.h create mode 100644 src/libcharon/tnc/imv/imv.h create mode 100644 src/libcharon/tnc/imv/imv_manager.h create mode 100644 src/libcharon/tnc/imv/imv_recommendations.c create mode 100644 src/libcharon/tnc/imv/imv_recommendations.h create mode 100644 src/libcharon/tnc/tnccs/tnccs.c create mode 100644 src/libcharon/tnc/tnccs/tnccs.h create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.c create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.h create mode 100644 src/libcharon/tnc/tncif.h create mode 100644 src/libcharon/tnc/tncifimc.h create mode 100644 src/libcharon/tnc/tncifimv.c create mode 100644 src/libcharon/tnc/tncifimv.h delete mode 100644 src/libcharon/tnccs/tnccs.c delete mode 100644 src/libcharon/tnccs/tnccs.h delete mode 100644 src/libcharon/tnccs/tnccs_manager.c delete mode 100644 src/libcharon/tnccs/tnccs_manager.h delete mode 100644 src/libfreeswan/atosa.3 delete mode 100644 src/libfreeswan/atosa.c delete mode 100644 src/libfreeswan/keyblobtoid.3 delete mode 100644 src/libfreeswan/keyblobtoid.c delete mode 100644 src/libfreeswan/prng.3 delete mode 100644 src/libfreeswan/prng.c delete mode 100644 src/libfreeswan/satoa.c delete mode 100644 src/libstrongswan/credentials/certificates/x509.c create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.am create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.in create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.h create mode 100644 src/libstrongswan/plugins/constraints/Makefile.am create mode 100644 src/libstrongswan/plugins/constraints/Makefile.in create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.c create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.h create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.c create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.h create mode 100644 src/libstrongswan/plugins/soup/Makefile.am create mode 100644 src/libstrongswan/plugins/soup/Makefile.in create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.c create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.h create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.c create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.h delete mode 100644 src/starter/starter.8 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/23.pem create mode 100644 testing/tests/ha/both-active/description.txt create mode 100644 testing/tests/ha/both-active/evaltest.dat create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ha/both-active/posttest.dat create mode 100644 testing/tests/ha/both-active/pretest.dat create mode 100644 testing/tests/ha/both-active/test.conf create mode 100644 testing/tests/ikev2/critical-extension/description.txt create mode 100644 testing/tests/ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/ikev2/critical-extension/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/test.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/description.txt create mode 100644 testing/tests/openssl-ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/test.conf create mode 100644 testing/tests/sql/multi-level-ca/description.txt create mode 100644 testing/tests/sql/multi-level-ca/evaltest.dat create mode 100755 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/posttest.dat create mode 100644 testing/tests/sql/multi-level-ca/pretest.dat create mode 100644 testing/tests/sql/multi-level-ca/test.conf create mode 100644 testing/tests/sql/net2net-route-pem/description.txt create mode 100644 testing/tests/sql/net2net-route-pem/evaltest.dat create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-route-pem/posttest.dat create mode 100644 testing/tests/sql/net2net-route-pem/pretest.dat create mode 100644 testing/tests/sql/net2net-route-pem/test.conf create mode 100644 testing/tests/sql/net2net-start-pem/description.txt create mode 100644 testing/tests/sql/net2net-start-pem/evaltest.dat create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-start-pem/posttest.dat create mode 100644 testing/tests/sql/net2net-start-pem/pretest.dat create mode 100644 testing/tests/sql/net2net-start-pem/test.conf diff --git a/Android.mk b/Android.mk index d6c83367f..4c90f6340 100644 --- a/Android.mk +++ b/Android.mk @@ -53,7 +53,7 @@ strongswan_CFLAGS := \ -DUSE_VSTR \ -DROUTING_TABLE=0 \ -DROUTING_TABLE_PRIO=220 \ - -DVERSION=\"4.5.0\" \ + -DVERSION=\"4.5.1\" \ -DPLUGINS='"$(strongswan_PLUGINS)"' \ -DIPSEC_DIR=\"/system/bin\" \ -DIPSEC_PIDDIR=\"/data/misc/vpn\" \ diff --git a/Makefile.in b/Makefile.in index 56c31b104..eba785b0c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -229,9 +229,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -270,6 +268,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/NEWS b/NEWS index ed0d18211..42af2d37f 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,77 @@ +strongswan-4.5.1 +---------------- + +- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP) + compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol + requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend + on the libtnc library. Any available IMV/IMC pairs conforming to the + Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification + can be loaded via /etc/tnc_config. + +- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv + in place of the external libtnc library. + +- The tnccs_dynamic plugin loaded on a TNC server in addition to the + tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS + protocol version used by a TNC client and invokes an instance of + the corresponding protocol stack. + +- IKE and ESP proposals can now be stored in an SQL database using a + new proposals table. The start_action field in the child_configs + tables allows the automatic starting or routing of connections stored + in an SQL database. + +- The new certificate_authorities and certificate_distribution_points + tables make it possible to store CRL and OCSP Certificate Distribution + points in an SQL database. + +- The new 'include' statement allows to recursively include other files in + strongswan.conf. Existing sections and values are thereby extended and + replaced, respectively. + +- Due to the changes in the parser for strongswan.conf, the configuration + syntax for the attr plugin has changed. Previously, it was possible to + specify multiple values of a specific attribute type by adding multiple + key/value pairs with the same key (e.g. dns) to the plugins.attr section. + Because values with the same key now replace previously defined values + this is not possible anymore. As an alternative, multiple values can be + specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5). + +- ipsec listalgs now appends (set in square brackets) to each crypto + algorithm listed the plugin that registered the function. + +- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used + by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given + boundary, the special value '%mtu' pads all packets to the path MTU. + +- The new af-alg plugin can use various crypto primitives of the Linux Crypto + API using the AF_ALG interface introduced with 2.6.38. This removes the need + for additional userland implementations of symmetric cipher, hash, hmac and + xcbc algorithms. + +- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and + responder. The notify is sent when initiating configurations with a unique + policy, set in ipsec.conf via the global 'uniqueids' option. + +- The conftest conformance testing framework enables the IKEv2 stack to perform + many tests using a distinct tool and configuration frontend. Various hooks + can alter reserved bits, flags, add custom notifies and proposals, reorder + or drop messages and much more. It is enabled using the --enable-conftest + ./configure switch. + +- The new libstrongswan constraints plugin provides advanced X.509 constraint + checking. In additon to X.509 pathLen constraints, the plugin checks for + nameConstraints and certificatePolicies, including policyMappings and + policyConstraints. The x509 certificate plugin and the pki tool have been + enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf + connection keywords take OIDs a peer certificate must have. + +- The left/rightauth ipsec.conf keywords accept values with a minimum strength + for trustchain public keys in bits, such as rsa-2048 or ecdsa-256. + +- The revocation and x509 libstrongswan plugins and the pki tool gained basic + support for delta CRLs. + strongswan-4.5.0 ---------------- diff --git a/configure b/configure index d823c3045..b0b1cdc60 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0. +# Generated by GNU Autoconf 2.67 for strongSwan 4.5.1. # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -698,8 +698,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='4.5.0' -PACKAGE_STRING='strongSwan 4.5.0' +PACKAGE_VERSION='4.5.1' +PACKAGE_STRING='strongSwan 4.5.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -753,12 +753,18 @@ USE_VSTR_FALSE USE_VSTR_TRUE USE_LIBCAP_FALSE USE_LIBCAP_TRUE +USE_IPSEC_SCRIPT_FALSE +USE_IPSEC_SCRIPT_TRUE USE_FILE_CONFIG_FALSE USE_FILE_CONFIG_TRUE +USE_LIBCHARON_FALSE +USE_LIBCHARON_TRUE USE_LIBHYDRA_FALSE USE_LIBHYDRA_TRUE USE_LIBSTRONGSWAN_FALSE USE_LIBSTRONGSWAN_TRUE +USE_CONFTEST_FALSE +USE_CONFTEST_TRUE USE_SCRIPTS_FALSE USE_SCRIPTS_TRUE USE_TOOLS_FALSE @@ -821,6 +827,8 @@ USE_SOCKET_RAW_FALSE USE_SOCKET_RAW_TRUE USE_SOCKET_DEFAULT_FALSE USE_SOCKET_DEFAULT_TRUE +USE_TNCCS_DYNAMIC_FALSE +USE_TNCCS_DYNAMIC_TRUE USE_TNCCS_20_FALSE USE_TNCCS_20_TRUE USE_TNCCS_11_FALSE @@ -889,6 +897,8 @@ USE_MEDSRV_FALSE USE_MEDSRV_TRUE USE_STROKE_FALSE USE_STROKE_TRUE +USE_AF_ALG_FALSE +USE_AF_ALG_TRUE USE_GCM_FALSE USE_GCM_TRUE USE_CCM_FALSE @@ -923,6 +933,8 @@ USE_PKCS1_FALSE USE_PKCS1_TRUE USE_PUBKEY_FALSE USE_PUBKEY_TRUE +USE_CONSTRAINTS_FALSE +USE_CONSTRAINTS_TRUE USE_REVOCATION_FALSE USE_REVOCATION_TRUE USE_X509_FALSE @@ -949,6 +961,8 @@ USE_AES_FALSE USE_AES_TRUE USE_LDAP_FALSE USE_LDAP_TRUE +USE_SOUP_FALSE +USE_SOUP_TRUE USE_CURL_FALSE USE_CURL_TRUE USE_TEST_VECTORS_FALSE @@ -980,14 +994,14 @@ gtk_LIBS gtk_CFLAGS xml_LIBS xml_CFLAGS +soup_LIBS +soup_CFLAGS PTHREADLIB RTLIB SOCKLIB BTLIB DLLIB ALLOCA -ipsecgid -ipsecuid GPERF PERL YFLAGS @@ -1138,6 +1152,7 @@ with_xauth_module with_user with_group enable_curl +enable_soup enable_ldap enable_aes enable_des @@ -1151,6 +1166,7 @@ enable_gmp enable_random enable_x509 enable_revocation +enable_constraints enable_pubkey enable_pkcs1 enable_pgp @@ -1158,6 +1174,7 @@ enable_dnskey enable_pem enable_hmac enable_xcbc +enable_af_alg enable_test_vectors enable_mysql enable_sqlite @@ -1191,6 +1208,7 @@ enable_tnc_imc enable_tnc_imv enable_tnccs_11 enable_tnccs_20 +enable_tnccs_dynamic enable_kernel_netlink enable_kernel_pfkey enable_kernel_pfroute @@ -1214,6 +1232,7 @@ enable_threads enable_charon enable_tools enable_scripts +enable_conftest enable_updown enable_attr enable_attr_sql @@ -1259,6 +1278,8 @@ CPPFLAGS CPP YACC YFLAGS +soup_CFLAGS +soup_LIBS xml_CFLAGS xml_LIBS gtk_CFLAGS @@ -1809,7 +1830,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 4.5.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1879,7 +1900,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 4.5.0:";; + short | recursive ) echo "Configuration of strongSwan 4.5.1:";; esac cat <<\_ACEOF @@ -1889,6 +1910,8 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-curl enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl. + --enable-soup enable soup fetcher plugin to fetch from HTTP via + libsoup. Requires libsoup. --enable-ldap enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP. --disable-aes disable AES software implementation plugin. @@ -1905,6 +1928,7 @@ Optional Features: --disable-random disable RNG implementation on top of /dev/(u)random. --disable-x509 disable X509 certificate implementation plugin. --disable-revocation disable X509 CRL/OCSP revocation check plugin. + --disable-constraints disable advanced X509 constraint checking plugin. --disable-pubkey disable RAW public key support plugin. --disable-pkcs1 disable PKCS1 key decoding plugin. --disable-pgp disable PGP key decoding plugin. @@ -1912,6 +1936,7 @@ Optional Features: --disable-pem disable PEM decoding plugin. --disable-hmac disable HMAC crypto implementation plugin. --disable-xcbc disable xcbc crypto implementation plugin. + --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. --enable-test-vectors enable plugin providing crypto test vectors. --enable-mysql enable MySQL database support. Requires libmysqlclient_r. @@ -1955,6 +1980,7 @@ Optional Features: --enable-tnc-imv enable TNC IMV module. --enable-tnccs-11 enable TNCCS 1.1 protocol module. --enable-tnccs-20 enable TNCCS 2.0 protocol module. + --enable-tnccs-dynamic enable dynamic TNCCS protocol discovery module. --disable-kernel-netlink disable the netlink kernel interface. --enable-kernel-pfkey enable the PF_KEY kernel interface. @@ -1990,6 +2016,7 @@ Optional Features: pki). --disable-scripts disable additional utilities (found in directory scripts). + --enable-conftest enforce Suite B conformance test framework. --disable-updown disable updown firewall script plugin. --disable-attr disable strongswan.conf based configuration attribute plugin. @@ -2092,6 +2119,8 @@ Some influential environment variables: YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. + soup_CFLAGS C compiler flags for soup, overriding pkg-config + soup_LIBS linker flags for soup, overriding pkg-config xml_CFLAGS C compiler flags for xml, overriding pkg-config xml_LIBS linker flags for xml, overriding pkg-config gtk_CFLAGS C compiler flags for gtk, overriding pkg-config @@ -2168,7 +2197,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 4.5.0 +strongSwan configure 4.5.1 generated by GNU Autoconf 2.67 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2644,7 +2673,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 4.5.0, which was +It was created by strongSwan $as_me 4.5.1, which was generated by GNU Autoconf 2.67. Invocation command line was $ $0 $@ @@ -3459,7 +3488,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='4.5.0' + VERSION='4.5.1' cat >>confdefs.h <<_ACEOF @@ -3947,6 +3976,21 @@ else fi +# Check whether --enable-soup was given. +if test "${enable_soup+set}" = set; then : + enableval=$enable_soup; soup_given=true + if test x$enableval = xyes; then + soup=true + else + soup=false + fi +else + soup=false + soup_given=false + +fi + + # Check whether --enable-ldap was given. if test "${enable_ldap+set}" = set; then : enableval=$enable_ldap; ldap_given=true @@ -4142,6 +4186,21 @@ else fi +# Check whether --enable-constraints was given. +if test "${enable_constraints+set}" = set; then : + enableval=$enable_constraints; constraints_given=true + if test x$enableval = xyes; then + constraints=true + else + constraints=false + fi +else + constraints=true + constraints_given=false + +fi + + # Check whether --enable-pubkey was given. if test "${enable_pubkey+set}" = set; then : enableval=$enable_pubkey; pubkey_given=true @@ -4247,6 +4306,21 @@ else fi +# Check whether --enable-af-alg was given. +if test "${enable_af_alg+set}" = set; then : + enableval=$enable_af_alg; af_alg_given=true + if test x$enableval = xyes; then + af_alg=true + else + af_alg=false + fi +else + af_alg=false + af_alg_given=false + +fi + + # Check whether --enable-test-vectors was given. if test "${enable_test_vectors+set}" = set; then : enableval=$enable_test_vectors; test_vectors_given=true @@ -4742,6 +4816,21 @@ else fi +# Check whether --enable-tnccs-dynamic was given. +if test "${enable_tnccs_dynamic+set}" = set; then : + enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true + if test x$enableval = xyes; then + tnccs_dynamic=true + else + tnccs_dynamic=false + fi +else + tnccs_dynamic=false + tnccs_dynamic_given=false + +fi + + # Check whether --enable-kernel-netlink was given. if test "${enable_kernel_netlink+set}" = set; then : enableval=$enable_kernel_netlink; kernel_netlink_given=true @@ -5087,6 +5176,21 @@ else fi +# Check whether --enable-conftest was given. +if test "${enable_conftest+set}" = set; then : + enableval=$enable_conftest; conftest_given=true + if test x$enableval = xyes; then + conftest=true + else + conftest=false + fi +else + conftest=false + conftest_given=false + +fi + + # Check whether --enable-updown was given. if test "${enable_updown+set}" = set; then : enableval=$enable_updown; updown_given=true @@ -7769,13 +7873,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:7772: $ac_compile\"" >&5) + (eval echo "\"\$as_me:7876: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:7879: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:7778: output\"" >&5) + (eval echo "\"\$as_me:7882: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8980,7 +9084,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8983 "configure"' > conftest.$ac_ext + echo '#line 9087 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -10242,11 +10346,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10245: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10349: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10249: \$? = $ac_status" >&5 + echo "$as_me:10353: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -10581,11 +10685,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10584: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10688: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10588: \$? = $ac_status" >&5 + echo "$as_me:10692: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -10686,11 +10790,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10689: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10693: \$? = $ac_status" >&5 + echo "$as_me:10797: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10741,11 +10845,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10744: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10848: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10748: \$? = $ac_status" >&5 + echo "$as_me:10852: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13125,7 +13229,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 13128 "configure" +#line 13232 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13221,7 +13325,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 13224 "configure" +#line 13328 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13855,27 +13959,6 @@ else $as_echo "not found" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid of user \"$ipsecuser\"" >&5 -$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; } -ipsecuid=`id -u $ipsecuser 2>/dev/null` -if test -n "$ipsecuid"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecuid" >&5 -$as_echo "$ipsecuid" >&6; } - -else - as_fn_error $? "not found" "$LINENO" 5 -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5 -$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; } -ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` -if test -n "$ipsecgid"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecgid" >&5 -$as_echo "$ipsecgid" >&6; } - -else - as_fn_error $? "not found" "$LINENO" 5 -fi - if test x$eap_aka_3gpp2 = xtrue; then gmp=true; @@ -13901,7 +13984,7 @@ if test x$fips_prf = xtrue; then fi fi -if test x$smp = xtrue; then +if test x$smp = xtrue -o x$tnccs_11 = xtrue; then xml=true fi @@ -15245,6 +15328,100 @@ else fi +fi + +if test x$soup = xtrue; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for soup" >&5 +$as_echo_n "checking for soup... " >&6; } + +if test -n "$soup_CFLAGS"; then + pkg_cv_soup_CFLAGS="$soup_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$soup_LIBS"; then + pkg_cv_soup_LIBS="$soup_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1` + else + soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$soup_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (libsoup-2.4) were not met: + +$soup_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables soup_CFLAGS +and soup_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables soup_CFLAGS +and soup_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5 ; } +else + soup_CFLAGS=$pkg_cv_soup_CFLAGS + soup_LIBS=$pkg_cv_soup_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + + fi if test x$xml = xtrue; then @@ -15931,17 +16108,6 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then - ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default" -if test "x$ac_cv_header_libtnc_h" = x""yes; then : - -else - as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5 -fi - - -fi - if test x$uci = xtrue; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5 $as_echo_n "checking for main in -luci... " >&6; } @@ -16544,6 +16710,15 @@ if test x$curl = xtrue; then libcharon_plugins=${libcharon_plugins}" curl" pluto_plugins=${pluto_plugins}" curl" scepclient_plugins=${scepclient_plugins}" curl" + scripts_plugins=${scripts_plugins}" curl" + + fi + +if test x$soup = xtrue; then + s_plugins=${s_plugins}" soup" + libcharon_plugins=${libcharon_plugins}" soup" + pluto_plugins=${pluto_plugins}" soup" + scripts_plugins=${scripts_plugins}" soup" fi @@ -16552,6 +16727,7 @@ if test x$ldap = xtrue; then libcharon_plugins=${libcharon_plugins}" ldap" pluto_plugins=${pluto_plugins}" ldap" scepclient_plugins=${scepclient_plugins}" ldap" + scripts_plugins=${scripts_plugins}" ldap" fi @@ -16681,6 +16857,12 @@ if test x$revocation = xtrue; then fi +if test x$constraints = xtrue; then + s_plugins=${s_plugins}" constraints" + libcharon_plugins=${libcharon_plugins}" constraints" + + fi + if test x$pubkey = xtrue; then s_plugins=${s_plugins}" pubkey" libcharon_plugins=${libcharon_plugins}" pubkey" @@ -16825,6 +17007,18 @@ if test x$gcm = xtrue; then fi +if test x$af_alg = xtrue; then + s_plugins=${s_plugins}" af-alg" + libcharon_plugins=${libcharon_plugins}" af-alg" + pluto_plugins=${pluto_plugins}" af-alg" + openac_plugins=${openac_plugins}" af-alg" + scepclient_plugins=${scepclient_plugins}" af-alg" + pki_plugins=${pki_plugins}" af-alg" + scripts_plugins=${scripts_plugins}" af-alg" + medsrv_plugins=${medsrv_plugins}" af-alg" + + fi + if test x$xauth = xtrue; then p_plugins=${p_plugins}" xauth" pluto_plugins=${pluto_plugins}" xauth" @@ -16845,6 +17039,12 @@ if test x$attr_sql = xtrue; then fi +if test x$load_tester = xtrue; then + c_plugins=${c_plugins}" load-tester" + libcharon_plugins=${libcharon_plugins}" load-tester" + + fi + if test x$kernel_pfkey = xtrue; then h_plugins=${h_plugins}" kernel-pfkey" libcharon_plugins=${libcharon_plugins}" kernel-pfkey" @@ -16880,12 +17080,6 @@ if test x$resolve = xtrue; then fi -if test x$load_tester = xtrue; then - c_plugins=${c_plugins}" load-tester" - libcharon_plugins=${libcharon_plugins}" load-tester" - - fi - if test x$socket_default = xtrue; then c_plugins=${c_plugins}" socket-default" libcharon_plugins=${libcharon_plugins}" socket-default" @@ -17024,15 +17218,9 @@ if test x$eap_tnc = xtrue; then fi -if test x$tnc_imc = xtrue; then - c_plugins=${c_plugins}" tnc-imc" - libcharon_plugins=${libcharon_plugins}" tnc-imc" - - fi - -if test x$tnc_imv = xtrue; then - c_plugins=${c_plugins}" tnc-imv" - libcharon_plugins=${libcharon_plugins}" tnc-imv" +if test x$tnccs_20 = xtrue; then + c_plugins=${c_plugins}" tnccs-20" + libcharon_plugins=${libcharon_plugins}" tnccs-20" fi @@ -17042,9 +17230,21 @@ if test x$tnccs_11 = xtrue; then fi -if test x$tnccs_20 = xtrue; then - c_plugins=${c_plugins}" tnccs-20" - libcharon_plugins=${libcharon_plugins}" tnccs-20" +if test x$tnccs_dynamic = xtrue; then + c_plugins=${c_plugins}" tnccs-dynamic" + libcharon_plugins=${libcharon_plugins}" tnccs-dynamic" + + fi + +if test x$tnc_imc = xtrue; then + c_plugins=${c_plugins}" tnc-imc" + libcharon_plugins=${libcharon_plugins}" tnc-imc" + + fi + +if test x$tnc_imv = xtrue; then + c_plugins=${c_plugins}" tnc-imv" + libcharon_plugins=${libcharon_plugins}" tnc-imv" fi @@ -17147,6 +17347,14 @@ else USE_CURL_FALSE= fi + if test x$soup = xtrue; then + USE_SOUP_TRUE= + USE_SOUP_FALSE='#' +else + USE_SOUP_TRUE='#' + USE_SOUP_FALSE= +fi + if test x$ldap = xtrue; then USE_LDAP_TRUE= USE_LDAP_FALSE='#' @@ -17251,6 +17459,14 @@ else USE_REVOCATION_FALSE= fi + if test x$constraints = xtrue; then + USE_CONSTRAINTS_TRUE= + USE_CONSTRAINTS_FALSE='#' +else + USE_CONSTRAINTS_TRUE='#' + USE_CONSTRAINTS_FALSE= +fi + if test x$pubkey = xtrue; then USE_PUBKEY_TRUE= USE_PUBKEY_FALSE='#' @@ -17387,6 +17603,14 @@ else USE_GCM_FALSE= fi + if test x$af_alg = xtrue; then + USE_AF_ALG_TRUE= + USE_AF_ALG_FALSE='#' +else + USE_AF_ALG_TRUE='#' + USE_AF_ALG_FALSE= +fi + if test x$stroke = xtrue; then USE_STROKE_TRUE= @@ -17660,6 +17884,14 @@ else USE_TNCCS_20_FALSE= fi + if test x$tnccs_dynamic = xtrue; then + USE_TNCCS_DYNAMIC_TRUE= + USE_TNCCS_DYNAMIC_FALSE='#' +else + USE_TNCCS_DYNAMIC_TRUE='#' + USE_TNCCS_DYNAMIC_FALSE= +fi + if test x$socket_default = xtrue; then USE_SOCKET_DEFAULT_TRUE= USE_SOCKET_DEFAULT_FALSE='#' @@ -17911,7 +18143,15 @@ else USE_SCRIPTS_FALSE= fi - if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then + if test x$conftest = xtrue; then + USE_CONFTEST_TRUE= + USE_CONFTEST_FALSE='#' +else + USE_CONFTEST_TRUE='#' + USE_CONFTEST_FALSE= +fi + + if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then USE_LIBSTRONGSWAN_TRUE= USE_LIBSTRONGSWAN_FALSE='#' else @@ -17927,6 +18167,14 @@ else USE_LIBHYDRA_FALSE= fi + if test x$charon = xtrue -o x$conftest = xtrue; then + USE_LIBCHARON_TRUE= + USE_LIBCHARON_FALSE='#' +else + USE_LIBCHARON_TRUE='#' + USE_LIBCHARON_FALSE= +fi + if test x$pluto = xtrue -o x$stroke = xtrue; then USE_FILE_CONFIG_TRUE= USE_FILE_CONFIG_FALSE='#' @@ -17935,6 +18183,14 @@ else USE_FILE_CONFIG_FALSE= fi + if test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then + USE_IPSEC_SCRIPT_TRUE= + USE_IPSEC_SCRIPT_FALSE='#' +else + USE_IPSEC_SCRIPT_TRUE='#' + USE_IPSEC_SCRIPT_FALSE= +fi + if test x$capabilities = xlibcap; then USE_LIBCAP_TRUE= USE_LIBCAP_FALSE='#' @@ -17992,7 +18248,7 @@ fi -ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -18153,6 +18409,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then as_fn_error $? "conditional \"USE_CURL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then + as_fn_error $? "conditional \"USE_SOUP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then as_fn_error $? "conditional \"USE_LDAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18205,6 +18465,10 @@ if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then as_fn_error $? "conditional \"USE_REVOCATION\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then + as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then as_fn_error $? "conditional \"USE_PUBKEY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18273,6 +18537,10 @@ if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then as_fn_error $? "conditional \"USE_GCM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then + as_fn_error $? "conditional \"USE_AF_ALG\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then as_fn_error $? "conditional \"USE_STROKE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18409,6 +18677,10 @@ if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_TNCCS_DYNAMIC_TRUE}" && test -z "${USE_TNCCS_DYNAMIC_FALSE}"; then + as_fn_error $? "conditional \"USE_TNCCS_DYNAMIC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18533,6 +18805,10 @@ if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_CONFTEST_TRUE}" && test -z "${USE_CONFTEST_FALSE}"; then + as_fn_error $? "conditional \"USE_CONFTEST\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18541,10 +18817,18 @@ if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then + as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_IPSEC_SCRIPT_TRUE}" && test -z "${USE_IPSEC_SCRIPT_FALSE}"; then + as_fn_error $? "conditional \"USE_IPSEC_SCRIPT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then as_fn_error $? "conditional \"USE_LIBCAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18973,7 +19257,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 4.5.0, which was +This file was extended by strongSwan $as_me 4.5.1, which was generated by GNU Autoconf 2.67. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19030,7 +19314,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 4.5.0 +strongSwan config.status 4.5.1 configured by $0, generated by GNU Autoconf 2.67, with options \\"\$ac_cs_config\\" @@ -19424,12 +19708,14 @@ do "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;; "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;; "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;; + "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;; "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;; "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;; "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;; "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;; "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;; "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;; + "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;; "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;; "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;; "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;; @@ -19441,6 +19727,7 @@ do "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;; "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;; "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;; + "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;; "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;; @@ -19477,6 +19764,7 @@ do "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;; "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;; "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;; + "src/libcharon/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_dynamic/Makefile" ;; "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;; "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;; "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;; @@ -19512,6 +19800,7 @@ do "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;; "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;; "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;; + "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; diff --git a/configure.in b/configure.in index 83c35d614..823456239 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,7 @@ dnl =========================== dnl initialize & set some vars dnl =========================== -AC_INIT(strongSwan,4.5.0) +AC_INIT(strongSwan,4.5.1) AM_INIT_AUTOMAKE(tar-ustar) AC_CONFIG_MACRO_DIR([m4/config]) PKG_PROG_PKG_CONFIG @@ -66,6 +66,7 @@ AC_ARG_WITH( m4_include(m4/macros/enable-disable.m4) ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) +ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) ARG_DISBL_SET([aes], [disable AES software implementation plugin.]) ARG_DISBL_SET([des], [disable DES/3DES software implementation plugin.]) @@ -79,6 +80,7 @@ ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementa ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) +ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.]) ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.]) ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) @@ -86,6 +88,7 @@ ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) ARG_DISBL_SET([pem], [disable PEM decoding plugin.]) ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) +ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) ARG_ENABL_SET([mysql], [enable MySQL database support. Requires libmysqlclient_r.]) ARG_ENABL_SET([sqlite], [enable SQLite database support. Requires libsqlite3.]) @@ -119,6 +122,7 @@ ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.]) ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.]) ARG_ENABL_SET([tnccs-11], [enable TNCCS 1.1 protocol module.]) ARG_ENABL_SET([tnccs-20], [enable TNCCS 2.0 protocol module.]) +ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.]) ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.]) ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.]) ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.]) @@ -142,6 +146,7 @@ ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon alw ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.]) ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) +ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.]) ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) ARG_DISBL_SET([attr], [disable strongswan.conf based configuration attribute plugin.]) ARG_ENABL_SET([attr-sql], [enable SQL based configuration attribute plugin.]) @@ -201,24 +206,6 @@ else AC_MSG_RESULT([not found]) fi -dnl translate user/group to numercial ids -AC_MSG_CHECKING([for uid of user "$ipsecuser"]) -ipsecuid=`id -u $ipsecuser 2>/dev/null` -if test -n "$ipsecuid"; then - AC_MSG_RESULT([$ipsecuid]) - AC_SUBST(ipsecuid) -else - AC_MSG_ERROR([not found]) -fi -AC_MSG_CHECKING([for gid of group "$ipsecgroup"]) -ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` -if test -n "$ipsecgid"; then - AC_MSG_RESULT([$ipsecgid]) - AC_SUBST(ipsecgid) -else - AC_MSG_ERROR([not found]) -fi - dnl ========================= dnl dependency calculation dnl ========================= @@ -247,7 +234,7 @@ if test x$fips_prf = xtrue; then fi fi -if test x$smp = xtrue; then +if test x$smp = xtrue -o x$tnccs_11 = xtrue; then xml=true fi @@ -513,6 +500,12 @@ if test x$curl = xtrue; then AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])]) fi +if test x$soup = xtrue; then + PKG_CHECK_MODULES(soup, [libsoup-2.4]) + AC_SUBST(soup_CFLAGS) + AC_SUBST(soup_LIBS) +fi + if test x$xml = xtrue; then PKG_CHECK_MODULES(xml, [libxml-2.0]) AC_SUBST(xml_CFLAGS) @@ -607,10 +600,6 @@ if test x$gcrypt = xtrue; then ) fi -if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then - AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])]) -fi - if test x$uci = xtrue; then AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])]) AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])]) @@ -708,8 +697,9 @@ h_plugins= s_plugins= ADD_PLUGIN([test-vectors], [s libcharon pluto openac scepclient pki]) -ADD_PLUGIN([curl], [s libcharon pluto scepclient]) -ADD_PLUGIN([ldap], [s libcharon pluto scepclient]) +ADD_PLUGIN([curl], [s libcharon pluto scepclient scripts]) +ADD_PLUGIN([soup], [s libcharon pluto scripts]) +ADD_PLUGIN([ldap], [s libcharon pluto scepclient scripts]) ADD_PLUGIN([mysql], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([sqlite], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts]) @@ -722,6 +712,7 @@ ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki]) ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts]) ADD_PLUGIN([revocation], [s libcharon]) +ADD_PLUGIN([constraints], [s libcharon]) ADD_PLUGIN([pubkey], [s libcharon]) ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv]) ADD_PLUGIN([pgp], [s libcharon pluto]) @@ -739,15 +730,16 @@ ADD_PLUGIN([hmac], [s libcharon pluto scripts]) ADD_PLUGIN([ctr], [s libcharon scripts]) ADD_PLUGIN([ccm], [s libcharon scripts]) ADD_PLUGIN([gcm], [s libcharon scripts]) +ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([xauth], [p pluto]) ADD_PLUGIN([attr], [h libcharon pluto]) ADD_PLUGIN([attr-sql], [h libcharon pluto]) +ADD_PLUGIN([load-tester], [c libcharon]) ADD_PLUGIN([kernel-pfkey], [h libcharon pluto]) ADD_PLUGIN([kernel-pfroute], [h libcharon pluto]) ADD_PLUGIN([kernel-klips], [h libcharon pluto]) ADD_PLUGIN([kernel-netlink], [h libcharon pluto]) ADD_PLUGIN([resolve], [h libcharon pluto]) -ADD_PLUGIN([load-tester], [c libcharon]) ADD_PLUGIN([socket-default], [c libcharon]) ADD_PLUGIN([socket-raw], [c libcharon]) ADD_PLUGIN([socket-dynamic], [c libcharon]) @@ -771,10 +763,11 @@ ADD_PLUGIN([eap-radius], [c libcharon]) ADD_PLUGIN([eap-tls], [c libcharon]) ADD_PLUGIN([eap-ttls], [c libcharon]) ADD_PLUGIN([eap-tnc], [c libcharon]) +ADD_PLUGIN([tnccs-20], [c libcharon]) +ADD_PLUGIN([tnccs-11], [c libcharon]) +ADD_PLUGIN([tnccs-dynamic], [c libcharon]) ADD_PLUGIN([tnc-imc], [c libcharon]) ADD_PLUGIN([tnc-imv], [c libcharon]) -ADD_PLUGIN([tnccs-11], [c libcharon]) -ADD_PLUGIN([tnccs-20], [c libcharon]) ADD_PLUGIN([medsrv], [c libcharon]) ADD_PLUGIN([medcli], [c libcharon]) ADD_PLUGIN([nm], [c libcharon]) @@ -810,6 +803,7 @@ dnl libstrongswan plugins dnl ===================== AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue) AM_CONDITIONAL(USE_CURL, test x$curl = xtrue) +AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue) AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue) AM_CONDITIONAL(USE_AES, test x$aes = xtrue) AM_CONDITIONAL(USE_DES, test x$des = xtrue) @@ -823,6 +817,7 @@ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue) +AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue) AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue) AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue) AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue) @@ -840,6 +835,7 @@ AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue) AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue) AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) +AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue) dnl charon plugins dnl ============== @@ -877,6 +873,7 @@ AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue) AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue) AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue) AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue) +AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue) AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) @@ -917,9 +914,12 @@ AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue) AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) -AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue) +AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue) +AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue) +AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) +AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue) @@ -965,12 +965,14 @@ AC_OUTPUT( src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile + src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile + src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile @@ -982,6 +984,7 @@ AC_OUTPUT( src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile + src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile @@ -1018,6 +1021,7 @@ AC_OUTPUT( src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile + src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile @@ -1053,6 +1057,7 @@ AC_OUTPUT( src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile + src/conftest/Makefile scripts/Makefile testing/Makefile ) diff --git a/ltmain.sh b/ltmain.sh old mode 100644 new mode 100755 diff --git a/man/Makefile.in b/man/Makefile.in index 4388e318b..f0d8cde7d 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -198,9 +198,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -239,6 +237,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 index b1e60b280..1b74fab08 100644 --- a/man/ipsec.conf.5 +++ b/man/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan" +.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of +to (require the) use of the Extensible Authentication Protocol. +To require a trustchain public key strength for the remote side, specify the +key type followed by the strength in bits (for example +.BR rsa-2048 +or +.BR ecdsa-256 ). +For .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -589,7 +594,7 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a +The left participant's ID can be overridden by specifying a .B leftid value which must be certified by the certificate, though. .TP @@ -598,6 +603,10 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +.BR leftcertpolicy " = " +Comma separated list of certificate policy OIDs the peers certificate must have. +OIDs are specified using the numerical dotted representation (IKEv2 only). +.TP .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, @@ -953,6 +962,13 @@ synonym for .BR reqid " = " sets the reqid for a given connection to a pre-configured fixed value. .TP +.BR tfc " = " +number of bytes to pad ESP payload data to. Traffic Flow Confidentiality +is currently supported in IKEv2 and applies to outgoing packets only. The +special value +.BR %mtu +fills up ESP packets with padding to have the size of the MTU. +.TP .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 187f36957..9a789acef 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of +to (require the) use of the Extensible Authentication Protocol. +To require a trustchain public key strength for the remote side, specify the +key type followed by the strength in bits (for example +.BR rsa-2048 +or +.BR ecdsa-256 ). +For .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -589,7 +594,7 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a +The left participant's ID can be overridden by specifying a .B leftid value which must be certified by the certificate, though. .TP @@ -598,6 +603,10 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +.BR leftcertpolicy " = " +Comma separated list of certificate policy OIDs the peers certificate must have. +OIDs are specified using the numerical dotted representation (IKEv2 only). +.TP .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, @@ -953,6 +962,13 @@ synonym for .BR reqid " = " sets the reqid for a given connection to a pre-configured fixed value. .TP +.BR tfc " = " +number of bytes to pad ESP payload data to. Traffic Flow Confidentiality +is currently supported in IKEv2 and applies to outgoing packets only. The +special value +.BR %mtu +fills up ESP packets with padding to have the size of the MTU. +.TP .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 1e586a491..3eb60afcf 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan" +.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 2a8703503..2e58a87d0 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan" +.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -60,6 +60,61 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. +.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing @@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +.TP +.BR libstrongswan.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database @@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules - .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" - -.TP -.BR libstrongswan.plugins.x509.enforce_critical " [no]" -Discard certificates with unsupported or unknown critical extensions .SS libtls section .TP .BR libtls.cipher diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 77db9a3c0..47aa6d552 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -60,6 +60,61 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. +.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing @@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +.TP +.BR libstrongswan.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database @@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules - .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" - -.TP -.BR libstrongswan.plugins.x509.enforce_critical " [no]" -Discard certificates with unsupported or unknown critical extensions .SS libtls section .TP .BR libtls.cipher diff --git a/scripts/Makefile.am b/scripts/Makefile.am index 827fb7dfb..2cd8b499b 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -2,8 +2,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls AM_CFLAGS = \ -DPLUGINS="\"${scripts_plugins}\"" -noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \ - thread_analysis dh_speed pubkey_speed crypt_burn +noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \ + thread_analysis dh_speed pubkey_speed crypt_burn fetch if USE_TLS noinst_PROGRAMS += tls_test @@ -17,16 +17,20 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +oid2der_SOURCES = oid2der.c thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid.o : $(top_builddir)/config.status diff --git a/scripts/Makefile.in b/scripts/Makefile.in index e28424350..891555dcd 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -35,8 +35,9 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \ - key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \ - dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) + key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \ + thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \ + pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) fetch$(EXEEXT) subdir = scripts DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -69,6 +70,10 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT) dh_speed_OBJECTS = $(am_dh_speed_OBJECTS) dh_speed_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +am_fetch_OBJECTS = fetch.$(OBJEXT) +fetch_OBJECTS = $(am_fetch_OBJECTS) +fetch_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la am_id2sql_OBJECTS = id2sql.$(OBJEXT) id2sql_OBJECTS = $(am_id2sql_OBJECTS) id2sql_DEPENDENCIES = \ @@ -81,6 +86,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT) keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS) keyid2sql_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +am_oid2der_OBJECTS = oid2der.$(OBJEXT) +oid2der_OBJECTS = $(am_oid2der_OBJECTS) +oid2der_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT) pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS) pubkey_speed_DEPENDENCIES = \ @@ -102,13 +111,15 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ - $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ - $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ - $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \ + $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ + $(thread_analysis_SOURCES) DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ - $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ - $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ - $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \ + $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ + $(thread_analysis_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -231,9 +242,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -272,6 +281,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -291,16 +302,20 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +oid2der_SOURCES = oid2der.c thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am .SUFFIXES: @@ -356,6 +371,9 @@ crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) @rm -f dh_speed$(EXEEXT) $(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS) +fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) + @rm -f fetch$(EXEEXT) + $(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS) id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) @rm -f id2sql$(EXEEXT) $(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS) @@ -365,6 +383,9 @@ key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) @rm -f keyid2sql$(EXEEXT) $(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS) +oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) + @rm -f oid2der$(EXEEXT) + $(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS) pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) @rm -f pubkey_speed$(EXEEXT) $(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS) @@ -382,9 +403,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@ diff --git a/scripts/fetch.c b/scripts/fetch.c new file mode 100644 index 000000000..57abce4ca --- /dev/null +++ b/scripts/fetch.c @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include +#include + +int main(int argc, char *argv[]) +{ + chunk_t res; + + library_init(NULL); + atexit(library_deinit); + lib->plugins->load(lib->plugins, NULL, PLUGINS); + + if (argc != 2) + { + fprintf(stderr, "usage: %s \n", argv[0]); + } + if (lib->fetcher->fetch(lib->fetcher, argv[1], &res, FETCH_END) == SUCCESS) + { + ignore_result(write(1, res.ptr, res.len)); + free(res.ptr); + return 0; + } + return 1; +} diff --git a/scripts/oid2der.c b/scripts/oid2der.c new file mode 100644 index 000000000..0da3bbb62 --- /dev/null +++ b/scripts/oid2der.c @@ -0,0 +1,31 @@ + +#include +#include + +/** + * convert string OID to DER encoding + */ +int main(int argc, char *argv[]) +{ + int i, nr = 0; + chunk_t oid; + + while (argc > ++nr) + { + oid = asn1_oid_from_string(argv[nr]); + if (oid.len) + { + for (i = 0; i < oid.len; i++) + { + printf("0x%02x,", oid.ptr[i]); + } + printf("\n"); + free(oid.ptr); + } + else + { + return 1; + } + } + return 0; +} diff --git a/src/Makefile.am b/src/Makefile.am index 0edddc9fc..cd75de5e9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -16,8 +16,16 @@ if USE_TLS SUBDIRS += libtls endif +if USE_LIBCHARON + SUBDIRS += libcharon +endif + if USE_FILE_CONFIG - SUBDIRS += libfreeswan starter ipsec _copyright + SUBDIRS += libfreeswan starter +endif + +if USE_IPSEC_SCRIPT + SUBDIRS += ipsec _copyright endif if USE_PLUTO @@ -25,7 +33,7 @@ if USE_PLUTO endif if USE_CHARON - SUBDIRS += libcharon charon + SUBDIRS += charon endif if USE_STROKE @@ -40,6 +48,10 @@ if USE_TOOLS SUBDIRS += libfreeswan openac scepclient pki endif +if USE_CONFTEST + SUBDIRS += conftest +endif + if USE_DUMM SUBDIRS += dumm endif @@ -64,4 +76,4 @@ EXTRA_DIST = strongswan.conf install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true diff --git a/src/Makefile.in b/src/Makefile.in index cb688d795..63d29b694 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -37,17 +37,20 @@ host_triplet = @host@ @USE_LIBHYDRA_TRUE@am__append_2 = libhydra @USE_SIMAKA_TRUE@am__append_3 = libsimaka @USE_TLS_TRUE@am__append_4 = libtls -@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright -@USE_PLUTO_TRUE@am__append_6 = pluto whack -@USE_CHARON_TRUE@am__append_7 = libcharon charon -@USE_STROKE_TRUE@am__append_8 = stroke -@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark -@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki -@USE_DUMM_TRUE@am__append_11 = dumm -@USE_FAST_TRUE@am__append_12 = libfast -@USE_MANAGER_TRUE@am__append_13 = manager -@USE_MEDSRV_TRUE@am__append_14 = medsrv -@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum +@USE_LIBCHARON_TRUE@am__append_5 = libcharon +@USE_FILE_CONFIG_TRUE@am__append_6 = libfreeswan starter +@USE_IPSEC_SCRIPT_TRUE@am__append_7 = ipsec _copyright +@USE_PLUTO_TRUE@am__append_8 = pluto whack +@USE_CHARON_TRUE@am__append_9 = charon +@USE_STROKE_TRUE@am__append_10 = stroke +@USE_UPDOWN_TRUE@am__append_11 = _updown _updown_espmark +@USE_TOOLS_TRUE@am__append_12 = libfreeswan openac scepclient pki +@USE_CONFTEST_TRUE@am__append_13 = conftest +@USE_DUMM_TRUE@am__append_14 = dumm +@USE_FAST_TRUE@am__append_15 = libfast +@USE_MANAGER_TRUE@am__append_16 = manager +@USE_MEDSRV_TRUE@am__append_17 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_18 = checksum subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -82,9 +85,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \ - libfreeswan starter ipsec _copyright pluto whack libcharon \ + libcharon libfreeswan starter ipsec _copyright pluto whack \ charon stroke _updown _updown_espmark openac scepclient pki \ - dumm libfast manager medsrv checksum + conftest dumm libfast manager medsrv checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -230,9 +233,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -271,6 +272,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -285,7 +288,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ $(am__append_10) $(am__append_11) $(am__append_12) \ - $(am__append_13) $(am__append_14) $(am__append_15) + $(am__append_13) $(am__append_14) $(am__append_15) \ + $(am__append_16) $(am__append_17) $(am__append_18) EXTRA_DIST = strongswan.conf all: all-recursive @@ -636,7 +640,7 @@ uninstall-am: install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am index 33c4ffc23..405e08b3d 100644 --- a/src/_copyright/Makefile.am +++ b/src/_copyright/Makefile.am @@ -1,6 +1,5 @@ ipsec_PROGRAMS = _copyright _copyright_SOURCES = _copyright.c -dist_man8_MANS = _copyright.8 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 58ebb523c..8d4ef733e 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -36,8 +36,7 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = _copyright$(EXEEXT) subdir = src/_copyright -DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -53,7 +52,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am__copyright_OBJECTS = _copyright.$(OBJEXT) _copyright_OBJECTS = $(am__copyright_OBJECTS) @@ -75,30 +74,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_copyright_SOURCES) DIST_SOURCES = $(_copyright_SOURCES) -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man8_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -221,9 +196,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +235,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -273,7 +248,6 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ _copyright_SOURCES = _copyright.c -dist_man8_MANS = _copyright.8 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libstrongswan @@ -394,40 +368,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man8_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -482,19 +422,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -526,9 +453,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) +all-am: Makefile $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -579,7 +506,7 @@ info: info-am info-am: -install-data-am: install-ipsecPROGRAMS install-man +install-data-am: install-ipsecPROGRAMS install-dvi: install-dvi-am @@ -595,7 +522,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -625,9 +552,7 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-ipsecPROGRAMS .MAKE: install-am install-strip @@ -638,13 +563,12 @@ uninstall-man: uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ - uninstall-man uninstall-man8 + tags uninstall uninstall-am uninstall-ipsecPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/_copyright/_copyright.8 b/src/_copyright/_copyright.8 deleted file mode 100644 index 99386254b..000000000 --- a/src/_copyright/_copyright.8 +++ /dev/null @@ -1,29 +0,0 @@ -.TH _COPYRIGHT 8 "25 Apr 2002" -.SH NAME -ipsec _copyright \- prints FreeSWAN copyright -.SH DESCRIPTION -.I _copyright -outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright" -.SH "SEE ALSO" -ipsec(8) -.SH HISTORY -Man page written for the Linux FreeS/WAN project - -by Michael Richardson. Program written by Henry Spencer. -.\" -.\" $Log: _copyright.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 44c058d03..fa33bb570 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index db44ee74e..a428db4e2 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 5a60af3d8..f502b0f25 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -199,9 +199,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -240,6 +238,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/charon.c b/src/charon/charon.c index fd255e919..d1fff5bd9 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -26,6 +26,8 @@ #include #include #include +#include +#include #include #include #include @@ -42,6 +44,9 @@ #include #endif +#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ +#define LOG_AUTHPRIV LOG_AUTH +#endif /** * PID file, in which charon stores its process id @@ -268,6 +273,134 @@ static void unlink_pidfile() unlink(PID_FILE); } +/** + * Initialize logging + */ +static void initialize_loggers(bool use_stderr, level_t levels[]) +{ + sys_logger_t *sys_logger; + file_logger_t *file_logger; + enumerator_t *enumerator; + char *facility, *filename; + int loggers_defined = 0; + debug_t group; + level_t def; + bool append, ike_name; + FILE *file; + + /* setup sysloggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.syslog"); + while (enumerator->enumerate(enumerator, &facility)) + { + loggers_defined++; + + ike_name = lib->settings->get_bool(lib->settings, + "charon.syslog.%s.ike_name", FALSE, facility); + if (streq(facility, "daemon")) + { + sys_logger = sys_logger_create(LOG_DAEMON, ike_name); + } + else if (streq(facility, "auth")) + { + sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); + } + else + { + continue; + } + def = lib->settings->get_int(lib->settings, + "charon.syslog.%s.default", 1, facility); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, + lib->settings->get_int(lib->settings, + "charon.syslog.%s.%N", def, + facility, debug_lower_names, group)); + } + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + } + enumerator->destroy(enumerator); + + /* and file loggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.filelog"); + while (enumerator->enumerate(enumerator, &filename)) + { + loggers_defined++; + if (streq(filename, "stderr")) + { + file = stderr; + } + else if (streq(filename, "stdout")) + { + file = stdout; + } + else + { + append = lib->settings->get_bool(lib->settings, + "charon.filelog.%s.append", TRUE, filename); + file = fopen(filename, append ? "a" : "w"); + if (file == NULL) + { + DBG1(DBG_DMN, "opening file %s for logging failed: %s", + filename, strerror(errno)); + continue; + } + if (lib->settings->get_bool(lib->settings, + "charon.filelog.%s.flush_line", FALSE, filename)) + { + setlinebuf(file); + } + } + file_logger = file_logger_create(file, + lib->settings->get_str(lib->settings, + "charon.filelog.%s.time_format", NULL, filename), + lib->settings->get_bool(lib->settings, + "charon.filelog.%s.ike_name", FALSE, filename)); + def = lib->settings->get_int(lib->settings, + "charon.filelog.%s.default", 1, filename); + for (group = 0; group < DBG_MAX; group++) + { + file_logger->set_level(file_logger, group, + lib->settings->get_int(lib->settings, + "charon.filelog.%s.%N", def, + filename, debug_lower_names, group)); + } + charon->file_loggers->insert_last(charon->file_loggers, file_logger); + charon->bus->add_listener(charon->bus, &file_logger->listener); + + } + enumerator->destroy(enumerator); + + /* set up legacy style default loggers provided via command-line */ + if (!loggers_defined) + { + /* set up default stdout file_logger */ + file_logger = file_logger_create(stdout, NULL, FALSE); + charon->bus->add_listener(charon->bus, &file_logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, file_logger); + /* set up default daemon sys_logger */ + sys_logger = sys_logger_create(LOG_DAEMON, FALSE); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, levels[group]); + if (use_stderr) + { + file_logger->set_level(file_logger, group, levels[group]); + } + } + + /* set up default auth sys_logger */ + sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); + } +} /** * print command line usage and exit @@ -395,8 +528,10 @@ int main(int argc, char *argv[]) goto deinit; } + initialize_loggers(!use_syslog, levels); + /* initialize daemon */ - if (!charon->initialize(charon, use_syslog, levels)) + if (!charon->initialize(charon)) { DBG1(DBG_DMN, "initialization failed - aborting charon"); goto deinit; diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 61bfc1a9d..65aa91422 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -237,9 +237,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -278,6 +276,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am new file mode 100644 index 000000000..7eab0df27 --- /dev/null +++ b/src/conftest/Makefile.am @@ -0,0 +1,26 @@ +ipsec_PROGRAMS = conftest + +AM_CFLAGS = -rdynamic + +conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \ + hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \ + hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \ + hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \ + hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \ + hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \ + hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \ + hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \ + hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c + +INCLUDES = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +conftest_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + -lm $(PTHREADLIB) $(DLLIB) + +EXTRA_DIST = README diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in new file mode 100644 index 000000000..1c07710e0 --- /dev/null +++ b/src/conftest/Makefile.in @@ -0,0 +1,954 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +ipsec_PROGRAMS = conftest$(EXEEXT) +subdir = src/conftest +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(ipsecdir)" +PROGRAMS = $(ipsec_PROGRAMS) +am_conftest_OBJECTS = conftest.$(OBJEXT) config.$(OBJEXT) \ + actions.$(OBJEXT) ike_auth_fill.$(OBJEXT) \ + unsort_message.$(OBJEXT) add_notify.$(OBJEXT) \ + unencrypted_notify.$(OBJEXT) ignore_message.$(OBJEXT) \ + add_payload.$(OBJEXT) set_critical.$(OBJEXT) \ + force_cookie.$(OBJEXT) set_ike_version.$(OBJEXT) \ + pretend_auth.$(OBJEXT) set_length.$(OBJEXT) \ + log_proposals.$(OBJEXT) set_proposal_number.$(OBJEXT) \ + log_ke.$(OBJEXT) log_id.$(OBJEXT) custom_proposal.$(OBJEXT) \ + set_ike_spi.$(OBJEXT) set_ike_request.$(OBJEXT) \ + set_reserved.$(OBJEXT) set_ike_initiator.$(OBJEXT) \ + log_ts.$(OBJEXT) rebuild_auth.$(OBJEXT) reset_seq.$(OBJEXT) +conftest_OBJECTS = $(am_conftest_OBJECTS) +am__DEPENDENCIES_1 = +conftest_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(conftest_SOURCES) +DIST_SOURCES = $(conftest_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CFLAGS = -rdynamic +conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \ + hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \ + hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \ + hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \ + hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \ + hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \ + hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \ + hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \ + hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c + +INCLUDES = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +conftest_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + -lm $(PTHREADLIB) $(DLLIB) + +EXTRA_DIST = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/conftest/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/conftest/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-ipsecPROGRAMS: $(ipsec_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-ipsecPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files + +clean-ipsecPROGRAMS: + @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) + @rm -f conftest$(EXEEXT) + $(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/actions.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_notify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_payload.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/config.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/conftest.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/custom_proposal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/force_cookie.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ignore_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_fill.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ke.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_proposals.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pretend_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuild_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/reset_seq.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_critical.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_initiator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_spi.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_version.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_length.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_proposal_number.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_reserved.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unencrypted_notify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsort_message.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +ike_auth_fill.o: hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c + +ike_auth_fill.obj: hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi` + +unsort_message.o: hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c + +unsort_message.obj: hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi` + +add_notify.o: hooks/add_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c + +add_notify.obj: hooks/add_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi` + +unencrypted_notify.o: hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c + +unencrypted_notify.obj: hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi` + +ignore_message.o: hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c + +ignore_message.obj: hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi` + +add_payload.o: hooks/add_payload.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c + +add_payload.obj: hooks/add_payload.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi` + +set_critical.o: hooks/set_critical.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c + +set_critical.obj: hooks/set_critical.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi` + +force_cookie.o: hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c + +force_cookie.obj: hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi` + +set_ike_version.o: hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c + +set_ike_version.obj: hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi` + +pretend_auth.o: hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c + +pretend_auth.obj: hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi` + +set_length.o: hooks/set_length.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c + +set_length.obj: hooks/set_length.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi` + +log_proposals.o: hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c + +log_proposals.obj: hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi` + +set_proposal_number.o: hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c + +set_proposal_number.obj: hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi` + +log_ke.o: hooks/log_ke.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c + +log_ke.obj: hooks/log_ke.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi` + +log_id.o: hooks/log_id.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c + +log_id.obj: hooks/log_id.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi` + +custom_proposal.o: hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c + +custom_proposal.obj: hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi` + +set_ike_spi.o: hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c + +set_ike_spi.obj: hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi` + +set_ike_request.o: hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c + +set_ike_request.obj: hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi` + +set_reserved.o: hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c + +set_reserved.obj: hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi` + +set_ike_initiator.o: hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c + +set_ike_initiator.obj: hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi` + +log_ts.o: hooks/log_ts.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c + +log_ts.obj: hooks/log_ts.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi` + +rebuild_auth.o: hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c + +rebuild_auth.obj: hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi` + +reset_seq.o: hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c + +reset_seq.obj: hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(ipsecdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-ipsecPROGRAMS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-ipsecPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-ipsecPROGRAMS clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/conftest/README b/src/conftest/README new file mode 100644 index 000000000..e2156921f --- /dev/null +++ b/src/conftest/README @@ -0,0 +1,315 @@ + + + conftest - an IKEv2 conformance testing framework + ================================================= + + +1. Introduction +--------------- + +conftest is a conformance testing framework for IKEv2 and related protocols, +based on the strongSwan IKEv2 daemon charon. It uses a specialized configuration +and control front-end, but links against the mainstream strongSwan IKEv2 stack. + +The conftest framework can test other implementations of IKEv2 and related +standards. It can inject or mangle packets to test the behavior of other +implementations under certain conditions. + +2. Test suites +-------------- + +The framework can use different sets of conformance tests, called test suites. +Each test suite contains a global suite configuration file, usually named +suite.conf. It contains the global settings for all tests in this suite, mostly +credentials and connection definitions. + +A test suite consists of several test cases. Each test has its own configuration +file, often called test.conf. The test configuration file may contain test +specific credentials and connection definitions, but primarily defines actions +and hooks. Actions trigger certain protocol specific operations, such as +initiating or terminating a tunnel. Hooks are used to change the behavior of +the IKE stack, most likely to stress some factors of the IKE protocol and +provoke unintended behavior in the tested platform. + +3. Configuration syntax +----------------------- + +Both the suite and the test specific configuration file use the same syntax. +It is the same as used by the strongswan.conf file used to configure the +strongSwan software suite. + +The syntax is as follows: + + settings := (section|keyvalue)* + section := name { settings } + keyvalue := key = value\n + +Settings contain zero or more sub-sections or key/value pairs. A section +consists of a name, followed by curly open and close brackets. The value in the +key/value pair starts after the equal sign and is terminated by the end of the +line. + +The test specific configuration is merged to the suite configuration, resulting +in a unified configuration. Sections are merged, keys in the test configuration +overwrite existing identical keys in the suite configuration. + +4. Logging +---------- + +Logging verbosity can be controlled in the log section of a suite/test +configuration. The stdout subsection takes logging facility/verbosity key +value pairs, the different facility types are defined in debug_lower_names at +src/libstrongswan/debug.c. +Any other sub-section in the log section is considered as a file name to log +to. Each section takes the same facility/verbosity keys as the special stdout +section. + +5. Connections +-------------- + +Both the suite and test configuration may contain connection definitions under +the configs section. Each IKE_SA configuration has a sub-section. Each IKE_SA +sub-section contains one or more CHILD_SA configuration sub-sections: + +configs { + ike-a { + # ... ike options + child-a1 { + # ... child options + } + child-a2 { + # ... + } + } +} + +Configuration names can be chosen arbitrary, but should be unique within the +same file. + +The IKE_SA configuration uses the following options (as key/value pairs): + + lhost: Address (IP or Hostname) of this host + rhost: Address (IP or Hostname) of tested host + lid: IKEv2 identifier of this host + rid: IKEv2 identifier of tested host + proposal: IKE_SA proposal list, comma separated, e.g.: + aes128-sha1-modp2048,3des-md5-sha1-modp1024-modp1536 + Supported algorithm names are defined under + src/libstrongswan/crypt/proposal/proposal_keywords.txt + fake_nat: Fake the NAT_DETECTION_*_IP payloads to simulate a NAT + scenario + rsa_strength: connection requires a trustchain with RSA keys of given bits + ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits + cert_policy: connection requries a certificate with the given OID policy + +The following CHILD_SA specific configuration options are supported: + + lts: Local side traffic selectors, comma separated CIDR subnets + rts: Remote side traffic selectors, comma separated CIDR subnets + transport: Propose IPsec transport mode instead of tunnel mode + tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the + given length + +6. Credentials +-------------- + +Credentials may be defined globally in the suite or locally in the test specific +configuration file. Certificates files are defined in the certs section, either +in the trusted or in the untrusted section. Trusted certificates are trust +anchors, usually root CA certificates. Untrusted certificates do not build a +trust anchor and usually contain intermediate or end entity certificates. + +Certificates files are loaded relative to the configuration file path and may +be encoded either in plain ASN.1 DER or in PEM format. The prefix of the +key/value pair is used to specify the type of the certificate, usually x509 or +crl. + +Private keys can be defined in the suite or test config file under the keys +section. The prefix of the key/value pair must be either rsa or ecdsa, the +specified file may be encoded in ASN.1 DER or unencrypted PEM. + +certs { + trusted { + x509-a-ca = ca.pem + } + untrusted { + x509-me = /path/to/cert.pem + crl-from-ca = /path/to/crl.pem + } +} +keys { + ecdsa-me = /path/to/key.pem +} + +7. Actions +---------- + +The actions section in the test specific configuration file defines +the IKEv2 protocol actions to trigger. Currently, the following actions +are supported and take these arguments (as key/value pairs): + + initiate: Initiate an IKE- and CHILD_SA + config: name of the CHILD_SA configuration to initiate + delay: Delay to trigger action after startup + rekey_ike: Rekey an IKE_SA + config: name of originating IKE_SA configuration + delay: Delay to trigger action after startup + rekey_child: Rekey an CHILD_SA + config: name of originating CHILD_SA configuration + delay: Delay to trigger action after startup + liveness: Do a liveness check (DPD) on the IKE_SA + config: name of originating IKE_SA configuration + delay: Delay to trigger action after startup + close_ike: Close an IKE_SA + config: name of originating IKE_SA configuration + delay: Delay to trigger action after startup + close_child: Close a CHILD_SA + config: name of originating IKE_SA configuration + delay: Delay to trigger action after startup + +To trigger the same action multiple times, the action sections must be named +uniquely. Append an arbitrary string to the action name. The following example +initiates a connection and rekeys it twice: + +actions { + initiate { + config = child-a1 + } + rekey_ike-1 { + config = ike-a + delay = 3 + } + rekey_ike-2 { + config = ike-a + delay = 6 + } +} + +8. Hooks +-------- + +The hooks section section in the test configuration defines different hooks +to use to mangle packets or trigger other protocol modifications. These +hook functions are implemented in the hooks folder of conftest. + +Currently, the following hooks are defined with the following options: + + add_notify: Add a notify to a message + request: yes to include in request, no in response + id: IKEv2 message identifier of message to add notify + type: notify type to add, names defined in notify_type_names + under src/libcharon/encoding/payloads/notify_payload.c + data: notification data to add, prepend 0x to interpret the + string as hex string + spi: SPI to use in notify + esp: yes to send an ESP protocol notify, no for IKE + add_payload: Add an arbitrary payload to a message + request: yes to include in request, no in response + id: IKEv2 message identifier of message to add payload + type: type of the payload to add, names defined in + payload_type_short_names in payload.c + data: data to append after generic payload header, use 0x + prefix for hex encoded data + critical: yes to set payload critical bit + replace: yes to replace an existing payload of the same type + custom_proposal: set a custom proposal value in the SA payload + request: yes to include in request, no in response + id: IKEv2 message identifier of message to add notify + The hook takes subsections with numerical names, each + defining a proposal substructure. The substructure + takes key/value pairs, where key defines the type, value + the specific algorithm. + force_cookie: Reject IKE_SA_INIT requests with a COOKIE + ignore_message: Ignore a specific message, simulating packet loss + inbound: yes to ignore incoming, no for outgoing messages + request: yes to ignore requests, no for responses + id: IKEv2 message identifier of message to ignore + ike_auth_fill: Fill up IKE_AUTH message to a given size using a CERT + payload. + request: yes to fill requests messages, no for responses + id: IKEv2 message identifier of message to fill up + bytes: number of bytes the final IKE_AUTH message should have + log_id: Comfortably log received ID payload contents + log_ke: Comfortably log received KE payload DH groups + log_proposal: Comfortably log all proposals received in SA payloads + log_ts: Comfortably log all received TS payloads + pretend_auth: magically reconstruct IKE_AUTH response even if + AUTHENTICATION_FAILED received + rebuild_auth: rebuild AUTH payload, i.e. if ID payload changed + reset_seq: Reset sequence numbers of an ESP SA + delay: Seconds to delay reset after SA established + set_critical: Set critical bit on existing payloads: + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle payloads + payloads: space separated payload list to set critical bit on + set_ike_initiator: toggle IKE initiator flag in IKE header + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + set_ike_request: toggle IKE request flag in IKE header + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + set_ike_spi: set the IKE SPIs in IKE header + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + spii: initiator SPI to set (as decimal integer) + spir: responder SPI to set + set_ike_version: set version fields in IKE header + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + major: major version to set + minor: minor version to set + higher: yes to set Higher Version Supported flag + set_length: set the length in a payload header + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + type: payload type to mangle + diff: difference to add/remove from real length (+1,-3 etc.) + set_proposal_number:Change the number of a proposal in a SA payload + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + from: proposal number to mangle + to: new porposal number to set instead of from + set_reserved: set arbitrary reserved bits/bytes in payloads + request: yes to set in request, no in response + id: IKEv2 message identifier of message to mangle + The hook takes a list of subsection, each named as payload + type. Each section takes a bits and a bytes key, the + value is a comma separated list of decimal numbers of + bits/bytes to mangle (1 is the first reserved bit/byte + in the payload). The byteval key defines to which value + set mangled bytes in the byte list. + unencrypted_notify: Send an unencrypted message with a notify after + establishing an IKE_SA + id: IKEv2 message identifier of message to send + type: notify type to add, names defined in notify_type_names + under src/libcharon/encoding/payloads/notify_payload.c + data: notification data to add, prepend 0x to interpret the + string as hex string + spi: SPI to use in notify + esp: yes to send an ESP protocol notify, no for IKE + unsort_message: reorder the payloads in a message + request: yes to reorder requests messages, no for responses + id: IKEv2 message identifier of message to reorder + order: payload order, space separated payload names as defined + in payload_type_short_names under + src/libcharon/encoding/payloads/payload.c + +9. Invoking +----------- + +Compile time options required depend on the test suite. A minimalistic +strongSwan build with the OpenSSL crypto backend can be configured with: + +./configure --sysconfdir=/etc --disable-pluto --disable-scripts \ + --disable-tools --disable-aes --disable-des --disable-md5 \ + --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp \ + --disable-pubkey --disable-pgp --disable-dnskey --disable-updown \ + --disable-attr --disable-resolve --enable-openssl --enable-conftest \ + --enable-gcm --enable-ccm --enable-ctr + +The conftest utility is installed by default under /usr/local/libexec/ipsec/, +but can be invoked with the ipsec helper script. It takes a suite specific +configuration file after the --suite option and a test specific file with +the --test option: + + ipsec conftest --suite suite.conf --test 1.1.1/test.conf diff --git a/src/conftest/actions.c b/src/conftest/actions.c new file mode 100644 index 000000000..e66e9d7f1 --- /dev/null +++ b/src/conftest/actions.c @@ -0,0 +1,339 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "actions.h" +#include "conftest.h" + +#include +#include +#include +#include +#include + +typedef struct private_actions_t private_actions_t; + +/** + * Private data of an actions_t object. + */ +struct private_actions_t { + + /** + * Public actions_t interface. + */ + actions_t public; +}; + +/** + * Initiate a CHILD_SA + */ +static job_requeue_t initiate(char *config) +{ + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg = NULL, *current; + enumerator_t *enumerator; + + peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, config); + if (!peer_cfg) + { + DBG1(DBG_CFG, "initiating '%s' failed, config not found", config); + return JOB_REQUEUE_NONE; + } + enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (streq(current->get_name(current), config)) + { + child_cfg = current; + child_cfg->get_ref(child_cfg); + break; + } + } + enumerator->destroy(enumerator); + if (child_cfg) + { + DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config); + charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + NULL, NULL); + } + else + { + DBG1(DBG_CFG, "initiating '%s' failed, CHILD_SA config not found", + config); + } + + return JOB_REQUEUE_NONE; +} + +/** + * Rekey an IKE_SA + */ +static job_requeue_t rekey_ike(char *config) +{ + enumerator_t *enumerator; + job_t *job = NULL; + ike_sa_t *ike_sa; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, ike_sa->get_name(ike_sa))) + { + job = (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE); + break; + } + } + enumerator->destroy(enumerator); + + if (job) + { + DBG1(DBG_CFG, "starting rekey of IKE_SA '%s'", config); + lib->processor->queue_job(lib->processor, job); + } + else + { + DBG1(DBG_CFG, "rekeying '%s' failed, IKE_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Rekey an CHILD_SA + */ +static job_requeue_t rekey_child(char *config) +{ + enumerator_t *enumerator; + iterator_t *children; + ike_sa_t *ike_sa; + child_sa_t *child_sa; + u_int32_t reqid = 0, spi = 0; + protocol_id_t proto = PROTO_ESP; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (streq(config, child_sa->get_name(child_sa))) + { + reqid = child_sa->get_reqid(child_sa); + proto = child_sa->get_protocol(child_sa); + spi = child_sa->get_spi(child_sa, TRUE); + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + if (reqid) + { + DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config); + lib->processor->queue_job(lib->processor, + (job_t*)rekey_child_sa_job_create(reqid, proto, spi)); + } + else + { + DBG1(DBG_CFG, "rekeying '%s' failed, CHILD_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Do a liveness check + */ +static job_requeue_t liveness(char *config) +{ + enumerator_t *enumerator; + job_t *job = NULL; + ike_sa_t *ike_sa; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, ike_sa->get_name(ike_sa))) + { + job = (job_t*)send_dpd_job_create(ike_sa->get_id(ike_sa)); + break; + } + } + enumerator->destroy(enumerator); + + if (job) + { + DBG1(DBG_CFG, "starting liveness check of IKE_SA '%s'", config); + lib->processor->queue_job(lib->processor, job); + } + else + { + DBG1(DBG_CFG, "liveness check for '%s' failed, IKE_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Close an IKE_SA with all CHILD_SAs + */ +static job_requeue_t close_ike(char *config) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + int id = 0; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, ike_sa->get_name(ike_sa))) + { + id = ike_sa->get_unique_id(ike_sa); + break; + } + } + enumerator->destroy(enumerator); + if (id) + { + DBG1(DBG_CFG, "closing IKE_SA '%s'", config); + charon->controller->terminate_ike(charon->controller, id, NULL, NULL); + } + else + { + DBG1(DBG_CFG, "unable to close IKE_SA '%s', not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Close a CHILD_SAs + */ +static job_requeue_t close_child(char *config) +{ + enumerator_t *enumerator; + iterator_t *children; + ike_sa_t *ike_sa; + child_sa_t *child_sa; + int id = 0; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (streq(config, child_sa->get_name(child_sa))) + { + id = child_sa->get_reqid(child_sa); + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + if (id) + { + DBG1(DBG_CFG, "closing CHILD_SA '%s'", config); + charon->controller->terminate_child(charon->controller, id, NULL, NULL); + } + else + { + DBG1(DBG_CFG, "unable to close CHILD_SA '%s', not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Load a single action + */ +static void load_action(settings_t *settings, char *action) +{ + static struct { + char *name; + callback_job_cb_t cb; + } actions[] = { + {"initiate", (void*)initiate}, + {"rekey_ike", (void*)rekey_ike}, + {"rekey_child", (void*)rekey_child}, + {"liveness", (void*)liveness}, + {"close_ike", (void*)close_ike}, + {"close_child", (void*)close_child}, + }; + bool found = FALSE; + int i; + + for (i = 0; i < countof(actions); i++) + { + if (strncaseeq(actions[i].name, action, strlen(actions[i].name))) + { + int delay; + char *config; + + found = TRUE; + delay = settings->get_int(settings, "actions.%s.delay", 0, action); + config = settings->get_str(settings, "actions.%s.config", + NULL, action); + if (!config) + { + DBG1(DBG_CFG, "no config defined for action '%s'", action); + break; + } + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create(actions[i].cb, config, NULL, NULL), + delay); + } + } + if (!found) + { + DBG1(DBG_CFG, "unknown action '%s', skipped", action); + } +} + +/** + * Load configured actions + */ +static void load_actions(settings_t *settings) +{ + enumerator_t *enumerator; + char *action; + + enumerator = settings->create_section_enumerator(settings, "actions"); + while (enumerator->enumerate(enumerator, &action)) + { + load_action(settings, action); + } + enumerator->destroy(enumerator); +} + +METHOD(actions_t, destroy, void, + private_actions_t *this) +{ + free(this); +} + +/** + * See header + */ +actions_t *actions_create() +{ + private_actions_t *this; + + INIT(this, + .public = { + .destroy = _destroy, + }, + ); + + load_actions(conftest->test); + + return &this->public; +} diff --git a/src/conftest/actions.h b/src/conftest/actions.h new file mode 100644 index 000000000..2e1cbbacd --- /dev/null +++ b/src/conftest/actions.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup actions actions + * @{ @ingroup conftest + */ + +#ifndef ACTIONS_H_ +#define ACTIONS_H_ + +typedef struct actions_t actions_t; + +/** + * actionss to trigger based on configuration. + */ +struct actions_t { + + /** + * Destroy a actions_t. + */ + void (*destroy)(actions_t *this); +}; + +/** + * Create a actions instance. + */ +actions_t *actions_create(); + +#endif /** ACTIONS_H_ @}*/ diff --git a/src/conftest/config.c b/src/conftest/config.c new file mode 100644 index 000000000..952141211 --- /dev/null +++ b/src/conftest/config.c @@ -0,0 +1,343 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "config.h" + +#include +#include + +typedef struct private_config_t private_config_t; + +/** + * Private data of an config_t object. + */ +struct private_config_t { + + /** + * Public config_t interface. + */ + config_t public; + + /** + * List of loaded peer configs + */ + linked_list_t *configs; +}; + +/** + * filter function for ike configs + */ +static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) +{ + *out = (*in)->get_ike_cfg(*in); + return TRUE; +} + +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_config_t *this, host_t *me, host_t *other) +{ + + return enumerator_create_filter( + this->configs->create_enumerator(this->configs), + (void*)ike_filter, NULL, NULL); +} + +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_config_t *this, identification_t *me, identification_t *other) +{ + return this->configs->create_enumerator(this->configs); +} + +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_config_t *this, char *name) +{ + enumerator_t *e1, *e2; + peer_cfg_t *current, *found = NULL; + child_cfg_t *child; + + e1 = this->configs->create_enumerator(this->configs); + while (e1->enumerate(e1, ¤t)) + { + e2 = current->create_child_cfg_enumerator(current); + while (e2->enumerate(e2, &child)) + { + if (streq(child->get_name(child), name)) + { + found = current; + found->get_ref(found); + break; + } + } + e2->destroy(e2); + if (found) + { + break; + } + } + e1->destroy(e1); + return found; +} + +/** + * Load IKE config for a given section name + */ +static ike_cfg_t *load_ike_config(private_config_t *this, + settings_t *settings, char *config) +{ + enumerator_t *enumerator; + ike_cfg_t *ike_cfg; + proposal_t *proposal; + char *token; + + ike_cfg = ike_cfg_create(TRUE, + settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config), + settings->get_str(settings, "configs.%s.lhost", "%any", config), + settings->get_int(settings, "configs.%s.lport", 500, config), + settings->get_str(settings, "configs.%s.rhost", "%any", config), + settings->get_int(settings, "configs.%s.rport", 500, config)); + token = settings->get_str(settings, "configs.%s.proposal", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + proposal = proposal_create_from_string(PROTO_IKE, token); + if (proposal) + { + ike_cfg->add_proposal(ike_cfg, proposal); + } + else + { + DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + } + return ike_cfg; +} +/** + * Load CHILD config for given section names + */ +static child_cfg_t *load_child_config(private_config_t *this, + settings_t *settings, char *config, char *child) +{ + child_cfg_t *child_cfg; + lifetime_cfg_t lifetime = {}; + enumerator_t *enumerator; + proposal_t *proposal; + traffic_selector_t *ts; + ipsec_mode_t mode = MODE_TUNNEL; + host_t *net; + char *token; + int bits; + u_int32_t tfc; + + if (settings->get_bool(settings, "configs.%s.%s.transport", + FALSE, config, child)) + { + mode = MODE_TRANSPORT; + } + tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding", + 0, config, child); + child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode, + ACTION_NONE, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL, tfc); + + token = settings->get_str(settings, "configs.%s.%s.proposal", + NULL, config, child); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + proposal = proposal_create_from_string(PROTO_ESP, token); + if (proposal) + { + child_cfg->add_proposal(child_cfg, proposal); + } + else + { + DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + } + + token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + net = host_create_from_subnet(token, &bits); + if (net) + { + ts = traffic_selector_create_from_subnet(net, bits, 0, 0); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + } + else + { + DBG1(DBG_CFG, "invalid local ts: %s, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + } + + token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + net = host_create_from_subnet(token, &bits); + if (net) + { + ts = traffic_selector_create_from_subnet(net, bits, 0, 0); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + } + else + { + DBG1(DBG_CFG, "invalid remote ts: %s, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + } + return child_cfg; +} + +/** + * Load peer config for a given section name + */ +static peer_cfg_t *load_peer_config(private_config_t *this, + settings_t *settings, char *config) +{ + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + auth_cfg_t *auth; + child_cfg_t *child_cfg; + enumerator_t *enumerator; + identification_t *lid, *rid; + char *child, *policy; + uintptr_t strength; + + ike_cfg = load_ike_config(this, settings, config); + peer_cfg = peer_cfg_create(config, 2, ike_cfg, CERT_ALWAYS_SEND, + UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, 0, + NULL, NULL, FALSE, NULL, NULL); + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + lid = identification_create_from_string( + settings->get_str(settings, "configs.%s.lid", "%any", config)); + auth->add(auth, AUTH_RULE_IDENTITY, lid); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + rid = identification_create_from_string( + settings->get_str(settings, "configs.%s.rid", "%any", config)); + strength = settings->get_int(settings, "configs.%s.rsa_strength", 0); + if (strength) + { + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + } + strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0); + if (strength) + { + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + } + policy = settings->get_str(settings, "configs.%s.cert_policy", NULL, config); + if (policy) + { + auth->add(auth, AUTH_RULE_CERT_POLICY, strdup(policy)); + } + auth->add(auth, AUTH_RULE_IDENTITY, rid); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid); + + enumerator = settings->create_section_enumerator(settings, + "configs.%s", config); + while (enumerator->enumerate(enumerator, &child)) + { + child_cfg = load_child_config(this, settings, config, child); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + } + enumerator->destroy(enumerator); + return peer_cfg; +} + +METHOD(config_t, load, void, + private_config_t *this, settings_t *settings) +{ + enumerator_t *enumerator; + char *config; + + enumerator = settings->create_section_enumerator(settings, "configs"); + while (enumerator->enumerate(enumerator, &config)) + { + this->configs->insert_last(this->configs, + load_peer_config(this, settings, config)); + } + enumerator->destroy(enumerator); +} + +METHOD(config_t, destroy, void, + private_config_t *this) +{ + this->configs->destroy_offset(this->configs, offsetof(peer_cfg_t, destroy)); + free(this); +} + +/** + * See header + */ +config_t *config_create() +{ + private_config_t *this; + + INIT(this, + .public = { + .backend = { + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .load = _load, + .destroy = _destroy, + }, + .configs = linked_list_create(), + ); + + return &this->public; +} diff --git a/src/conftest/config.h b/src/conftest/config.h new file mode 100644 index 000000000..2a62b9ce0 --- /dev/null +++ b/src/conftest/config.h @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup config config + * @{ @ingroup conftest + */ + +#ifndef CONFIG_H_ +#define CONFIG_H_ + +typedef struct config_t config_t; + +#include + +/** + * Conftest IKE and CHILD config backend + */ +struct config_t { + + /** + * Implements the backend_t interface. + */ + backend_t backend; + + /** + * Load configurations from a settings file. + * + * @param settings settings file to load configs from + */ + void (*load)(config_t *this, settings_t *settings); + + /** + * Destroy a config_t. + */ + void (*destroy)(config_t *this); +}; + +/** + * Create a config instance. + */ +config_t *config_create(); + +#endif /** CONFIG_H_ @}*/ diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c new file mode 100644 index 000000000..fea88818e --- /dev/null +++ b/src/conftest/conftest.c @@ -0,0 +1,550 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#include "conftest.h" +#include "config.h" +#include "hooks/hook.h" + +#include +#include + +/** + * Conftest globals struct + */ +conftest_t *conftest; + +/** + * Print usage information + */ +static void usage(FILE *out) +{ + fprintf(out, "Usage:\n"); + fprintf(out, " --help show usage information\n"); + fprintf(out, " --version show conftest version\n"); + fprintf(out, " --suite global testsuite configuration " + "(default: ./suite.conf)\n"); + fprintf(out, " --test test specific configuration\n"); +} + +/** + * Handle SIGSEGV/SIGILL signals raised by threads + */ +static void segv_handler(int signal) +{ + fprintf(stderr, "thread %u received %d\n", thread_current_id(), signal); + abort(); +} + +/** + * Load suite and test specific configurations + */ +static bool load_configs(char *suite_file, char *test_file) +{ + if (!test_file) + { + fprintf(stderr, "Missing test configuration file.\n"); + return FALSE; + } + if (access(suite_file, R_OK) != 0) + { + fprintf(stderr, "Reading suite configuration file '%s' failed: %s.\n", + suite_file, strerror(errno)); + return FALSE; + } + if (access(test_file, R_OK) != 0) + { + fprintf(stderr, "Reading test configuration file '%s' failed: %s.\n", + test_file, strerror(errno)); + return FALSE; + } + conftest->test = settings_create(suite_file); + conftest->test->load_files(conftest->test, test_file); + conftest->suite_dir = strdup(dirname(suite_file)); + return TRUE; +} + +/** + * Load trusted/untrusted certificates + */ +static bool load_cert(settings_t *settings, bool trusted) +{ + enumerator_t *enumerator; + char *key, *value; + + enumerator = settings->create_key_value_enumerator(settings, + trusted ? "certs.trusted" : "certs.untrusted"); + while (enumerator->enumerate(enumerator, &key, &value)) + { + certificate_t *cert = NULL; + + if (strncaseeq(key, "x509", strlen("x509"))) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, value, BUILD_END); + } + else if (strncaseeq(key, "crl", strlen("crl"))) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509_CRL, BUILD_FROM_FILE, value, BUILD_END); + } + else + { + fprintf(stderr, "certificate type '%s' not supported\n", key); + enumerator->destroy(enumerator); + return FALSE; + } + if (!cert) + { + fprintf(stderr, "loading %strusted certificate '%s' from '%s' " + "failed\n", trusted ? "" : "un", key, value); + enumerator->destroy(enumerator); + return FALSE; + } + conftest->creds->add_cert(conftest->creds, trusted, cert); + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * Load certificates from the confiuguration file + */ +static bool load_certs(settings_t *settings, char *dir) +{ + char wd[PATH_MAX]; + + if (getcwd(wd, sizeof(wd)) == NULL) + { + fprintf(stderr, "getting cwd failed: %s\n", strerror(errno)); + return FALSE; + } + if (chdir(dir) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + dir, strerror(errno)); + return FALSE; + } + + if (!load_cert(settings, TRUE) || + !load_cert(settings, FALSE)) + { + return FALSE; + } + + if (chdir(wd) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + wd, strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Load private keys from the confiuguration file + */ +static bool load_keys(settings_t *settings, char *dir) +{ + enumerator_t *enumerator; + char *type, *value, wd[PATH_MAX]; + private_key_t *key; + key_type_t key_type; + + if (getcwd(wd, sizeof(wd)) == NULL) + { + fprintf(stderr, "getting cwd failed: %s\n", strerror(errno)); + return FALSE; + } + if (chdir(dir) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + dir, strerror(errno)); + return FALSE; + } + + enumerator = settings->create_key_value_enumerator(settings, "keys"); + while (enumerator->enumerate(enumerator, &type, &value)) + { + if (strncaseeq(type, "ecdsa", strlen("ecdsa"))) + { + key_type = KEY_ECDSA; + } + else if (strncaseeq(type, "rsa", strlen("rsa"))) + { + key_type = KEY_RSA; + } + else + { + fprintf(stderr, "unknown key type: '%s'\n", type); + enumerator->destroy(enumerator); + return FALSE; + } + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, value, BUILD_END); + if (!key) + { + fprintf(stderr, "loading %s key from '%s' failed\n", type, value); + enumerator->destroy(enumerator); + return FALSE; + } + conftest->creds->add_key(conftest->creds, key); + } + enumerator->destroy(enumerator); + + if (chdir(wd) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + wd, strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Load certificate distribution points + */ +static void load_cdps(settings_t *settings) +{ + enumerator_t *enumerator; + identification_t *id; + char *ca, *uri, *section; + certificate_type_t type; + x509_t *x509; + + enumerator = settings->create_section_enumerator(settings, "cdps"); + while (enumerator->enumerate(enumerator, §ion)) + { + if (strncaseeq(section, "crl", strlen("crl"))) + { + type = CERT_X509_CRL; + } + else if (strncaseeq(section, "ocsp", strlen("ocsp"))) + { + type = CERT_X509_OCSP_RESPONSE; + } + else + { + fprintf(stderr, "unknown cdp type '%s', ignored\n", section); + continue; + } + + uri = settings->get_str(settings, "cdps.%s.uri", NULL, section); + ca = settings->get_str(settings, "cdps.%s.ca", NULL, section); + if (!ca || !uri) + { + fprintf(stderr, "cdp '%s' misses ca/uri, ignored\n", section); + continue; + } + x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, ca, BUILD_END); + if (!x509) + { + fprintf(stderr, "loading cdp '%s' ca failed, ignored\n", section); + continue; + } + id = identification_create_from_encoding(ID_KEY_ID, + x509->get_subjectKeyIdentifier(x509)); + conftest->creds->add_cdp(conftest->creds, type, id, uri); + DESTROY_IF((certificate_t*)x509); + id->destroy(id); + } + enumerator->destroy(enumerator); +} + +/** + * Load configured hooks + */ +static bool load_hooks() +{ + enumerator_t *enumerator; + char *name, *pos, buf[64]; + hook_t *(*create)(char*); + hook_t *hook; + + enumerator = conftest->test->create_section_enumerator(conftest->test, + "hooks"); + while (enumerator->enumerate(enumerator, &name)) + { + pos = strchr(name, '-'); + if (pos) + { + snprintf(buf, sizeof(buf), "%.*s_hook_create", pos - name, name); + } + else + { + snprintf(buf, sizeof(buf), "%s_hook_create", name); + } + create = dlsym(RTLD_DEFAULT, buf); + if (create) + { + hook = create(name); + if (hook) + { + conftest->hooks->insert_last(conftest->hooks, hook); + charon->bus->add_listener(charon->bus, &hook->listener); + } + } + else + { + fprintf(stderr, "dlsym() for hook '%s' failed: %s\n", name, dlerror()); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * atexit() cleanup handler + */ +static void cleanup() +{ + hook_t *hook; + + DESTROY_IF(conftest->test); + lib->credmgr->remove_set(lib->credmgr, &conftest->creds->set); + conftest->creds->destroy(conftest->creds); + DESTROY_IF(conftest->actions); + while (conftest->hooks->remove_last(conftest->hooks, + (void**)&hook) == SUCCESS) + { + charon->bus->remove_listener(charon->bus, &hook->listener); + hook->destroy(hook); + } + conftest->hooks->destroy(conftest->hooks); + if (conftest->config) + { + if (charon->backends) + { + charon->backends->remove_backend(charon->backends, + &conftest->config->backend); + } + conftest->config->destroy(conftest->config); + } + free(conftest->suite_dir); + free(conftest); + libcharon_deinit(); + libhydra_deinit(); + library_deinit(); +} + +/** + * Load log levels for a logger from section + */ +static void load_log_levels(file_logger_t *logger, char *section) +{ + debug_t group; + level_t def; + + def = conftest->test->get_int(conftest->test, "log.%s.default", 1, section); + for (group = 0; group < DBG_MAX; group++) + { + logger->set_level(logger, group, + conftest->test->get_int(conftest->test, "log.%s.%N", def, + section, debug_lower_names, group)); + } +} + +/** + * Load logger configuration + */ +static void load_loggers(file_logger_t *logger) +{ + enumerator_t *enumerator; + char *section; + FILE *file; + + load_log_levels(logger, "stdout"); + + enumerator = conftest->test->create_section_enumerator(conftest->test, "log"); + while (enumerator->enumerate(enumerator, §ion)) + { + if (!streq(section, "stdout")) + { + file = fopen(section, "w"); + if (file == NULL) + { + fprintf(stderr, "opening file %s for logging failed: %s", + section, strerror(errno)); + continue; + } + logger = file_logger_create(file, NULL, FALSE); + load_log_levels(logger, section); + charon->bus->add_listener(charon->bus, &logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, logger); + } + } + enumerator->destroy(enumerator); +} + +/** + * Main function, starts the conftest daemon. + */ +int main(int argc, char *argv[]) +{ + struct sigaction action; + int status = 0; + sigset_t set; + int sig; + char *suite_file = "suite.conf", *test_file = NULL; + file_logger_t *logger; + + if (!library_init(NULL)) + { + library_deinit(); + return SS_RC_LIBSTRONGSWAN_INTEGRITY; + } + if (!libhydra_init("conftest")) + { + libhydra_deinit(); + library_deinit(); + return SS_RC_INITIALIZATION_FAILED; + } + if (!libcharon_init()) + { + libcharon_deinit(); + libhydra_deinit(); + library_deinit(); + return SS_RC_INITIALIZATION_FAILED; + } + + INIT(conftest, + .creds = mem_cred_create(), + ); + + logger = file_logger_create(stdout, NULL, FALSE); + logger->set_level(logger, DBG_ANY, LEVEL_CTRL); + charon->bus->add_listener(charon->bus, &logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, logger); + + lib->credmgr->add_set(lib->credmgr, &conftest->creds->set); + conftest->hooks = linked_list_create(); + conftest->config = config_create(); + + atexit(cleanup); + + while (TRUE) + { + struct option long_opts[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { "suite", required_argument, NULL, 's' }, + { "test", required_argument, NULL, 't' }, + { 0,0,0,0 } + }; + switch (getopt_long(argc, argv, "", long_opts, NULL)) + { + case EOF: + break; + case 'h': + usage(stdout); + return 0; + case 'v': + printf("strongSwan %s conftest\n", VERSION); + return 0; + case 's': + suite_file = optarg; + continue; + case 't': + test_file = optarg; + continue; + default: + usage(stderr); + return 1; + } + break; + } + + if (!load_configs(suite_file, test_file)) + { + return 1; + } + load_loggers(logger); + + if (!lib->plugins->load(lib->plugins, NULL, + conftest->test->get_str(conftest->test, "preload", ""))) + { + return 1; + } + if (!charon->initialize(charon)) + { + return 1; + } + if (!load_certs(conftest->test, conftest->suite_dir)) + { + return 1; + } + if (!load_keys(conftest->test, conftest->suite_dir)) + { + return 1; + } + load_cdps(conftest->test); + if (!load_hooks()) + { + return 1; + } + charon->backends->add_backend(charon->backends, &conftest->config->backend); + conftest->config->load(conftest->config, conftest->test); + conftest->actions = actions_create(); + + /* set up thread specific handlers */ + action.sa_handler = segv_handler; + action.sa_flags = 0; + sigemptyset(&action.sa_mask); + sigaddset(&action.sa_mask, SIGINT); + sigaddset(&action.sa_mask, SIGTERM); + sigaddset(&action.sa_mask, SIGHUP); + sigaction(SIGSEGV, &action, NULL); + sigaction(SIGILL, &action, NULL); + sigaction(SIGBUS, &action, NULL); + action.sa_handler = SIG_IGN; + sigaction(SIGPIPE, &action, NULL); + pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL); + + /* start thread pool */ + charon->start(charon); + + /* handle SIGINT/SIGTERM in main thread */ + sigemptyset(&set); + sigaddset(&set, SIGINT); + sigaddset(&set, SIGHUP); + sigaddset(&set, SIGTERM); + sigprocmask(SIG_BLOCK, &set, NULL); + + while (sigwait(&set, &sig) == 0) + { + switch (sig) + { + case SIGINT: + case SIGTERM: + fprintf(stderr, "\nshutting down...\n"); + break; + default: + continue; + } + break; + } + return status; +} diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h new file mode 100644 index 000000000..2caf9b3ce --- /dev/null +++ b/src/conftest/conftest.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup conftest conftest + */ + +#ifndef CONFTEST_H_ +#define CONFTEST_H_ + +#include +#include +#include +#include + +#include "config.h" +#include "actions.h" + +typedef struct conftest_t conftest_t; + +/** + * Global conftest variables. + */ +struct conftest_t { + + /** + * Merged suite/test configuration + */ + settings_t *test; + + /** + * Directory containing suite files + */ + char *suite_dir; + + /** + * Credentials loaded from configuration + */ + mem_cred_t *creds; + + /** + * Configurations loaded from config + */ + config_t *config; + + /** + * Loaded hooks + */ + linked_list_t *hooks; + + /** + * Action handling + */ + actions_t *actions; +}; + +/** + * Conftest globals + */ +extern conftest_t *conftest; + +#endif /** CONFTEST_H_ */ diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c new file mode 100644 index 000000000..de46ca81f --- /dev/null +++ b/src/conftest/hooks/add_notify.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_add_notify_t private_add_notify_t; + +/** + * Private data of an add_notify_t object. + */ +struct private_add_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, message, bool, + private_add_notify_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = notify_payload_create_from_protocol_and_type( + this->esp ? PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + message->add_payload(message, ¬ify->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_notify_hook_create(char *name) +{ + private_add_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c new file mode 100644 index 000000000..03a47cc23 --- /dev/null +++ b/src/conftest/hooks/add_payload.c @@ -0,0 +1,151 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_add_payload_t private_add_payload_t; + +/** + * Private data of an add_payload_t object. + */ +struct private_add_payload_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Payload data + */ + char *data; + + /** + * Set critical bit of the payload + */ + bool critical; + + /** + * True to replace existing payload of this type + */ + bool replace; +}; + +METHOD(listener_t, message, bool, + private_add_payload_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + unknown_payload_t *unknown; + payload_t *payload; + enumerator_t *enumerator; + chunk_t data = chunk_empty; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + if (this->replace) + { + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == type) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + break; + } + } + enumerator->destroy(enumerator); + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + unknown = unknown_payload_create_data(type, this->critical, data); + message->add_payload(message, &unknown->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_payload_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_payload_hook_create(char *name) +{ + private_add_payload_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .critical = conftest->test->get_bool(conftest->test, + "hooks.%s.critical", FALSE, name), + .replace = conftest->test->get_bool(conftest->test, + "hooks.%s.replace", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c new file mode 100644 index 000000000..e4acd841f --- /dev/null +++ b/src/conftest/hooks/custom_proposal.c @@ -0,0 +1,188 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +#include +#include +#include + +typedef struct private_custom_proposal_t private_custom_proposal_t; + +/** + * Private data of an custom_proposal_t object. + */ +struct private_custom_proposal_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * hook name + */ + char *name; +}; + +/** + * Load custom proposal configuration to proposal list + */ +static linked_list_t* load_proposals(private_custom_proposal_t *this, + protocol_id_t proto, u_int64_t spi) +{ + enumerator_t *props, *algs; + char *number, *key, *value; + linked_list_t *list; + + list = linked_list_create(); + props = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (props->enumerate(props, &number)) + { + const proposal_token_t *token = NULL; + proposal_t *proposal; + u_int16_t type, alg, keysize = 0; + char *end; + + proposal = proposal_create(proto, atoi(number)); + proposal->set_spi(proposal, spi); + + algs = conftest->test->create_key_value_enumerator(conftest->test, + "hooks.%s.%s", this->name, number); + while (algs->enumerate(algs, &key, &value)) + { + errno = 0; + type = strtoul(key, &end, 10); + if (end == key || errno) + { + type = enum_from_name(transform_type_names, key); + if (type == -1) + { + DBG1(DBG_CFG, "unknown transform: '%s', skipped", key); + continue; + } + } + errno = 0; + alg = strtoul(value, &end, 10); + if (end == value || errno) + { + token = proposal_get_token(value, strlen(value)); + if (!token) + { + DBG1(DBG_CFG, "unknown algorithm: '%s', skipped", value); + continue; + } + keysize = token->keysize; + alg = token->algorithm; + } + proposal->add_algorithm(proposal, type, alg, keysize); + } + algs->destroy(algs); + list->insert_last(list, proposal); + } + props->destroy(props); + return list; +} + +METHOD(listener_t, message, bool, + private_custom_proposal_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + sa_payload_t *new, *old = NULL; + linked_list_t *new_props, *old_props; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + old = (sa_payload_t*)payload; + message->remove_payload_at(message, enumerator); + } + } + enumerator->destroy(enumerator); + + if (old) + { + old_props = old->get_proposals(old); + old->destroy(old); + enumerator = old_props->create_enumerator(old_props); + if (enumerator->enumerate(enumerator, &proposal)) + { + new_props = load_proposals(this, + proposal->get_protocol(proposal), + proposal->get_spi(proposal)); + DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props); + new = sa_payload_create_from_proposal_list(new_props); + message->add_payload(message, (payload_t*)new); + new_props->destroy_offset(new_props, offsetof(proposal_t, destroy)); + } + enumerator->destroy(enumerator); + old_props->destroy_offset(old_props, offsetof(proposal_t, destroy)); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_custom_proposal_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *custom_proposal_hook_create(char *name) +{ + private_custom_proposal_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c new file mode 100644 index 000000000..e34f82851 --- /dev/null +++ b/src/conftest/hooks/force_cookie.c @@ -0,0 +1,117 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_force_cookie_t private_force_cookie_t; + +/** + * Private data of an force_cookie_t object. + */ +struct private_force_cookie_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_force_cookie_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming && message->get_request(message) && + message->get_exchange_type(message) == IKE_SA_INIT) + { + enumerator_t *enumerator; + bool has_cookie = FALSE; + payload_t *payload; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + chunk_t data; + + if (notify->get_notify_type(notify) == COOKIE) + { + data = notify->get_notification_data(notify); + DBG1(DBG_CFG, "received COOKIE: %#B", &data); + has_cookie = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + if (!has_cookie) + { + message_t *response; + host_t *src, *dst; + packet_t *packet; + ike_sa_id_t *ike_sa_id; + chunk_t data = chunk_from_thing("COOKIE test data"); + + DBG1(DBG_CFG, "sending COOKIE: %#B", &data); + response = message_create(); + dst = message->get_source(message); + src = message->get_destination(message); + response->set_source(response, src->clone(src)); + response->set_destination(response, dst->clone(dst)); + response->set_exchange_type(response, IKE_SA_INIT); + response->set_request(response, FALSE); + response->set_message_id(response, 0); + ike_sa_id = message->get_ike_sa_id(message); + ike_sa_id->switch_initiator(ike_sa_id); + response->set_ike_sa_id(response, ike_sa_id); + response->add_notify(response, FALSE, COOKIE, data); + if (response->generate(response, NULL, &packet) == SUCCESS) + { + charon->sender->send(charon->sender, packet); + response->destroy(response); + } + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_force_cookie_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *force_cookie_hook_create(char *name) +{ + private_force_cookie_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h new file mode 100644 index 000000000..39a15f21b --- /dev/null +++ b/src/conftest/hooks/hook.h @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup hook hook + * @{ @ingroup hooks + */ + +#ifndef HOOK_H_ +#define HOOK_H_ + +typedef struct hook_t hook_t; + +#include +#include + +/** + * Hook providing interface. + */ +struct hook_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a hook_t. + */ + void (*destroy)(hook_t *this); +}; + +#endif /** HOOK_H_ @}*/ diff --git a/src/conftest/hooks/ignore_message.c b/src/conftest/hooks/ignore_message.c new file mode 100644 index 000000000..210f3ac50 --- /dev/null +++ b/src/conftest/hooks/ignore_message.c @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_ignore_message_t private_ignore_message_t; + +/** + * Private data of an ignore_message_t object. + */ +struct private_ignore_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Drop incoming or outgoing? + */ + bool in; + + /** + * Drop requests or responses? + */ + bool req; + + /** + * ID of message to drop. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_ignore_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming == this->in && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "ignoring message"); + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ignore_message_t *this) +{ + free(this); +} + +/** + * Create the ignore_message hook + */ +hook_t *ignore_message_hook_create(char *name) +{ + private_ignore_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .in = conftest->test->get_bool(conftest->test, + "hooks.%s.inbound", TRUE, name), + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c new file mode 100644 index 000000000..2843d60c1 --- /dev/null +++ b/src/conftest/hooks/ike_auth_fill.c @@ -0,0 +1,145 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include + +#include +#include + +typedef struct private_ike_auth_fill_t private_ike_auth_fill_t; + +/** + * Private data of an ike_auth_fill_t object. + */ +struct private_ike_auth_fill_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Number of bytes to fill IKE_AUTH up + */ + int bytes; +}; + +/** size of non ESP-Marker */ +#define NON_ESP_MARKER_LEN 4 + +/** + * Calculate packet size on wire (without ethernet/IP header) + */ +static size_t calculate_wire_size(message_t *message, ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + payload_t *payload; + size_t size = 0; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + size += payload->get_length(payload); + } + enumerator->destroy(enumerator); + + if (message->get_exchange_type(message) != IKE_SA_INIT) + { + keymat_t *keymat; + aead_t *aead; + size_t bs; + + keymat = ike_sa->get_keymat(ike_sa); + aead = keymat->get_aead(keymat, FALSE); + if (aead) + { + bs = aead->get_block_size(aead); + size += ENCRYPTION_PAYLOAD_HEADER_LENGTH + NON_ESP_MARKER_LEN + + aead->get_icv_size(aead) + aead->get_iv_size(aead) + + (bs - (size % bs)); + } + } + return sizeof(struct udphdr) + IKE_HEADER_LENGTH + size; +} + +METHOD(listener_t, message, bool, + private_ike_auth_fill_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + cert_payload_t *pld; + size_t size, diff; + chunk_t data; + + size = calculate_wire_size(message, ike_sa); + if (size < this->bytes - CERT_PAYLOAD_HEADER_LENGTH) + { + diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH; + data = chunk_alloc(diff); + memset(data.ptr, 0x12, data.len); + pld = cert_payload_create_custom(201, data); + message->add_payload(message, &pld->payload_interface); + DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ike_auth_fill_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *ike_auth_fill_hook_create(char *name) +{ + private_ike_auth_fill_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 1, name), + .bytes = conftest->test->get_int(conftest->test, + "hooks.%s.bytes", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c new file mode 100644 index 000000000..ad14cea10 --- /dev/null +++ b/src/conftest/hooks/log_id.c @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_id_t private_log_id_t; + +/** + * Private data of an log_id_t object. + */ +struct private_log_id_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_id_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + id_payload_t *id_payload; + identification_t *id; + chunk_t data; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == ID_INITIATOR || + payload->get_type(payload) == ID_RESPONDER) + { + id_payload = (id_payload_t*)payload; + id = id_payload->get_identification(id_payload); + data = id->get_encoding(id); + + DBG1(DBG_CFG, "%N: %N %B", + payload_type_short_names, payload->get_type(payload), + id_type_names, id->get_type(id), &data); + id->destroy(id); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_id_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_id_hook_create(char *name) +{ + private_log_id_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c new file mode 100644 index 000000000..231c0a8d8 --- /dev/null +++ b/src/conftest/hooks/log_ke.c @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_ke_t private_log_ke_t; + +/** + * Private data of an log_ke_t object. + */ +struct private_log_ke_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + ke_payload_t *ke; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == KEY_EXCHANGE) + { + ke = (ke_payload_t*)payload; + DBG1(DBG_CFG, "received DH group %N", + diffie_hellman_group_names, ke->get_dh_group_number(ke)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ke_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ke_hook_create(char *name) +{ + private_log_ke_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c new file mode 100644 index 000000000..8c330ab3d --- /dev/null +++ b/src/conftest/hooks/log_proposals.c @@ -0,0 +1,98 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_proposals_t private_log_proposals_t; + +/** + * Private data of an log_proposals_t object. + */ +struct private_log_proposals_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_proposals_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator, *proposals; + payload_t *payload; + linked_list_t *list; + sa_payload_t *sa; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + DBG1(DBG_CFG, "received %d proposal%s:", list->get_count(list), + list->get_count(list) == 1 ? "" : "s"); + proposals = list->create_enumerator(list); + while (proposals->enumerate(proposals, &proposal)) + { + u_int64_t spi = proposal->get_spi(proposal); + + if (proposal->get_protocol(proposal) != PROTO_IKE) + { + spi = htonl(spi); + } + DBG1(DBG_CFG, " %d (SPI 0x%llx): %P", + proposal->get_number(proposal), spi, proposal); + } + proposals->destroy(proposals); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_proposals_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_proposals_hook_create(char *name) +{ + private_log_proposals_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c new file mode 100644 index 000000000..dacc7a58c --- /dev/null +++ b/src/conftest/hooks/log_ts.c @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_ts_t private_log_ts_t; + +/** + * Private data of an log_ts_t object. + */ +struct private_log_ts_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list; + ts_payload_t *ts; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == TRAFFIC_SELECTOR_INITIATOR || + payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER) + { + ts = (ts_payload_t*)payload; + list = ts->get_traffic_selectors(ts); + + DBG1(DBG_CFG, "received %N: %#R", + payload_type_short_names, payload->get_type(payload), list); + list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ts_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ts_hook_create(char *name) +{ + private_log_ts_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c new file mode 100644 index 000000000..4b7168cac --- /dev/null +++ b/src/conftest/hooks/pretend_auth.c @@ -0,0 +1,386 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include +#include +#include +#include + +typedef struct private_pretend_auth_t private_pretend_auth_t; + +/** + * Private data of an pretend_auth_t object. + */ +struct private_pretend_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * remote peer identity + */ + identification_t *id; + + /** + * reserved bytes of ID payload + */ + char reserved[3]; + + /** + * IKE_SA_INIT data for signature + */ + chunk_t ike_init; + + /** + * Nonce for signature + */ + chunk_t nonce; + + /** + * Selected CHILD_SA proposal + */ + proposal_t *proposal; + + /** + * List of initiators Traffic Selectors + */ + linked_list_t *tsi; + + /** + * List of responders Traffic Selectors + */ + linked_list_t *tsr; +}; + +/** + * Process IKE_SA_INIT request message, outgoing + */ +static void process_init_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } +} + +/** + * Process IKE_AUTH request message, outgoing + */ +static void process_auth_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + id_payload_t *id; + sa_payload_t *sa; + ts_payload_t *tsi, *tsr; + linked_list_t *proposals; + + id = (id_payload_t*)message->get_payload(message, ID_RESPONDER); + if (id) + { + this->id->destroy(this->id); + this->id = id->get_identification(id); + } + sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION); + if (sa) + { + proposals = sa->get_proposals(sa); + proposals->remove_first(proposals, (void**)&this->proposal); + if (this->proposal) + { + this->proposal->set_spi(this->proposal, htonl(0x12345678)); + } + proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); + } + tsi = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_INITIATOR); + if (tsi) + { + this->tsi = tsi->get_traffic_selectors(tsi); + } + tsr = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_RESPONDER); + if (tsr) + { + this->tsr = tsr->get_traffic_selectors(tsr); + } + +} + +/** + * Process IKE_SA_INIT response message, incoming + */ +static void process_init_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + this->ike_init = message->get_packet_data(message); +} + +/** + * Build CERT payloads + */ +static void build_certs(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + cert_payload_t *payload; + certificate_t *cert; + auth_rule_t type; + + /* get subject cert first, then issuing certificates */ + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending end entity cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); +} + +/** + * Build faked AUTH payload + */ +static bool build_auth(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth); + build_certs(this, ike_sa, message, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to pretend AUTH", this->id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init, + this->nonce, this->id, this->reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "pretending AUTH payload for '%Y' with %N", + this->id, auth_method_names, auth_method); + return TRUE; +} + +/** + * Process IKE_AUTH response message, incoming + */ +static void process_auth_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + enumerator_t *enumerator; + payload_t *payload; + + /* check for, and remove AUTHENTICATION_FAILED notify */ + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + if (payload->get_type(payload) != NOTIFY || + notify->get_notify_type(notify) != AUTHENTICATION_FAILED) + { + DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending", + notify_type_names, AUTHENTICATION_FAILED); + enumerator->destroy(enumerator); + return; + } + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + enumerator->destroy(enumerator); + + if (!build_auth(this, ike_sa, message)) + { + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); + return; + } + message->add_payload(message, (payload_t*) + id_payload_create_from_identification(ID_RESPONDER, this->id)); + if (this->proposal) + { + message->add_payload(message, (payload_t*) + sa_payload_create_from_proposal(this->proposal)); + } + if (this->tsi) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(TRUE, this->tsi)); + } + if (this->tsr) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(FALSE, this->tsr)); + } +} + +METHOD(listener_t, message, bool, + private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + if (!message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_response(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) + { + process_auth_response(this, ike_sa, message); + } + } + } + else + { + if (message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_request(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) + { + process_auth_request(this, ike_sa, message); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_pretend_auth_t *this) +{ + if (this->tsi) + { + this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); + } + if (this->tsr) + { + this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); + } + DESTROY_IF(this->proposal); + this->id->destroy(this->id); + free(this->ike_init.ptr); + free(this->nonce.ptr); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *pretend_auth_hook_create(char *name) +{ + private_pretend_auth_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .id = identification_create_from_string( + conftest->test->get_str(conftest->test, + "hooks.%s.peer", "%any", name)), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c new file mode 100644 index 000000000..993c952e0 --- /dev/null +++ b/src/conftest/hooks/rebuild_auth.c @@ -0,0 +1,243 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include +#include + +typedef struct private_rebuild_auth_t private_rebuild_auth_t; + +/** + * Private data of an rebuild_auth_t object. + */ +struct private_rebuild_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Our IKE_SA_INIT data, required to rebuild AUTH + */ + chunk_t ike_init; + + /** + * Received NONCE, required to rebuild AUTH + */ + chunk_t nonce; + + /** + * ID to use for key lookup, if not from IDi + */ + identification_t *id; +}; + +/** + * Rebuild our AUTH data + */ +static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, + message_t *message) +{ + enumerator_t *enumerator; + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + payload_t *payload; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + identification_t *id; + char reserved[3]; + generator_t *generator; + chunk_t data; + u_int32_t *lenpos; + + payload = message->get_payload(message, + message->get_request(message) ? ID_INITIATOR : ID_RESPONDER); + if (!payload) + { + DBG1(DBG_CFG, "ID payload not found to rebuild AUTH"); + return FALSE; + } + + generator = generator_create(); + generator->generate_payload(generator, payload); + data = generator->get_chunk(generator, &lenpos); + if (data.len < 8) + { + DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH"); + generator->destroy(generator); + return FALSE; + } + memcpy(reserved, data.ptr + 5, 3); + id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8)); + generator->destroy(generator); + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, + this->id ?: id, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH", + this->id ?: id); + id->destroy(id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + id->destroy(id); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + id->destroy(id); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init, + this->nonce, id, reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + id->destroy(id); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == AUTHENTICATION) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + } + enumerator->destroy(enumerator); + + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N", + id, auth_method_names, auth_method); + id->destroy(id); + return TRUE; +} + +METHOD(listener_t, message, bool, + private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && message->get_message_id(message) == 1) + { + rebuild_auth(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + if (incoming) + { + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } + } + else + { + packet_t *packet; + + if (message->generate(message, NULL, &packet) == SUCCESS) + { + free(this->ike_init.ptr); + this->ike_init = chunk_clone(packet->get_data(packet)); + packet->destroy(packet); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_rebuild_auth_t *this) +{ + free(this->ike_init.ptr); + free(this->nonce.ptr); + DESTROY_IF(this->id); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *rebuild_auth_hook_create(char *name) +{ + private_rebuild_auth_t *this; + char *id; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name); + if (id) + { + this->id = identification_create_from_string(id); + } + + return &this->hook; +} diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c new file mode 100644 index 000000000..ccf8e997d --- /dev/null +++ b/src/conftest/hooks/reset_seq.c @@ -0,0 +1,158 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include + +#include +#include + +#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) + +typedef struct private_reset_seq_t private_reset_seq_t; + +/** + * Private data of an reset_seq_t object. + */ +struct private_reset_seq_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Delay for reset + */ + int delay; +}; + +/** + * Callback job + */ +static job_requeue_t reset_cb(struct xfrm_usersa_id *data) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct xfrm_aevent_id *id; + struct rtattr *rthdr; + struct xfrm_replay_state *replay; + struct sockaddr_nl addr; + int s, len; + + DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi)); + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE; + hdr->nlmsg_seq = 201; + hdr->nlmsg_pid = getpid(); + hdr->nlmsg_type = XFRM_MSG_NEWAE; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); + + id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr); + id->sa_id = *data; + + rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id); + rthdr->rta_type = XFRMA_REPLAY_VAL; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); + hdr->nlmsg_len += rthdr->rta_len; + + replay = (struct xfrm_replay_state*)RTA_DATA(rthdr); + + s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); + if (s == -1) + { + DBG1(DBG_CFG, "opening XFRM socket failed: %s", strerror(errno)); + return JOB_REQUEUE_NONE; + } + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + len = sendto(s, hdr, hdr->nlmsg_len, 0, + (struct sockaddr*)&addr, sizeof(addr)); + if (len != hdr->nlmsg_len) + { + DBG1(DBG_CFG, "sending XFRM aevent failed: %s", strerror(errno)); + } + close(s); + return JOB_REQUEUE_NONE; +} + +/** + * Schedule sequence number reset job + */ +static void schedule_reset_job(private_reset_seq_t *this, host_t *dst, + u_int32_t spi) +{ + struct xfrm_usersa_id *data; + chunk_t chunk; + + INIT(data, + .spi = spi, + .family = dst->get_family(dst), + .proto = IPPROTO_ESP, + ); + + chunk = dst->get_address(dst); + memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); + + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create( + (void*)reset_cb, data, (void*)free, NULL), + this->delay); +} + +METHOD(listener_t, child_updown, bool, + private_reset_seq_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (up) + { + schedule_reset_job(this, ike_sa->get_other_host(ike_sa), + child_sa->get_spi(child_sa, FALSE)); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_reset_seq_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *reset_seq_hook_create(char *name) +{ + private_reset_seq_t *this; + + INIT(this, + .hook = { + .listener = { + .child_updown = _child_updown, + }, + .destroy = _destroy, + }, + .delay = conftest->test->get_int(conftest->test, + "hooks.%s.delay", 10, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c new file mode 100644 index 000000000..caf2215c3 --- /dev/null +++ b/src/conftest/hooks/set_critical.c @@ -0,0 +1,123 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_critical_t private_set_critical_t; + +/** + * Private data of an set_critical_t object. + */ +struct private_set_critical_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload types, space separated + */ + char *payloads; +}; + +METHOD(listener_t, message, bool, + private_set_critical_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *msg, *types; + payload_t *payload; + payload_type_t type; + bool *critical; + char *name; + + types = enumerator_create_token(this->payloads, " ", ""); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + msg = message->create_payload_enumerator(message); + while (msg->enumerate(msg, &payload)) + { + if (type == payload->get_type(payload)) + { + critical = payload_get_field(payload, FLAG, 0); + if (critical) + { + *critical = TRUE; + } + } + } + msg->destroy(msg); + } + types->destroy(types); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_critical_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_critical_hook_create(char *name) +{ + private_set_critical_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .payloads = conftest->test->get_str(conftest->test, + "hooks.%s.payloads", "", name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_initiator.c b/src/conftest/hooks/set_ike_initiator.c new file mode 100644 index 000000000..6ba43eaca --- /dev/null +++ b/src/conftest/hooks/set_ike_initiator.c @@ -0,0 +1,87 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_initiator_t private_set_ike_initiator_t; + +/** + * Private data of an set_ike_initiator_t object. + */ +struct private_set_ike_initiator_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_set_ike_initiator_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + ike_sa_id_t *id; + + DBG1(DBG_CFG, "toggling IKE message initiator flag"); + id = message->get_ike_sa_id(message); + id->switch_initiator(id); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_initiator_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_initiator_hook_create(char *name) +{ + private_set_ike_initiator_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_request.c b/src/conftest/hooks/set_ike_request.c new file mode 100644 index 000000000..baabea66a --- /dev/null +++ b/src/conftest/hooks/set_ike_request.c @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_request_t private_set_ike_request_t; + +/** + * Private data of an set_ike_request_t object. + */ +struct private_set_ike_request_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_set_ike_request_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "toggling IKE message request flag"); + message->set_request(message, !this->req); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_request_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_request_hook_create(char *name) +{ + private_set_ike_request_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_spi.c b/src/conftest/hooks/set_ike_spi.c new file mode 100644 index 000000000..14a0da9cd --- /dev/null +++ b/src/conftest/hooks/set_ike_spi.c @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_spi_t private_set_ike_spi_t; + +/** + * Private data of an set_ike_spi_t object. + */ +struct private_set_ike_spi_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Initiator SPI + */ + u_int64_t spii; + + /** + * Responder SPI + */ + u_int64_t spir; +}; + +METHOD(listener_t, message, bool, + private_set_ike_spi_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + ike_sa_id_t *id; + + DBG1(DBG_CFG, "setting IKE SPIs to: 0x%llx/0x%llx", + this->spii, this->spir); + + id = message->get_ike_sa_id(message); + id->set_initiator_spi(id, this->spii); + id->set_responder_spi(id, this->spir); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_spi_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_spi_hook_create(char *name) +{ + private_set_ike_spi_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .spii = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spii", "0", name), NULL, 16), + .spir = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spir", "0", name), NULL, 16), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_version.c b/src/conftest/hooks/set_ike_version.c new file mode 100644 index 000000000..d2de9dc81 --- /dev/null +++ b/src/conftest/hooks/set_ike_version.c @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_version_t private_set_ike_version_t; + +/** + * Private data of an set_ike_version_t object. + */ +struct private_set_ike_version_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Major version to set + */ + int major; + + /** + * Minor version to set + */ + int minor; + + /** + * Higher version supported? + */ + bool higher; +}; + +METHOD(listener_t, message, bool, + private_set_ike_version_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "setting IKE version of message ID %d to %d.%d", + this->id, this->major, this->minor); + message->set_major_version(message, this->major); + message->set_minor_version(message, this->minor); + if (this->higher) + { + message->set_version_flag(message); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_version_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_version_hook_create(char *name) +{ + private_set_ike_version_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .major = conftest->test->get_int(conftest->test, + "hooks.%s.major", 2, name), + .minor = conftest->test->get_int(conftest->test, + "hooks.%s.minor", 0, name), + .higher = conftest->test->get_bool(conftest->test, + "hooks.%s.higher", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c new file mode 100644 index 000000000..0379dcb7c --- /dev/null +++ b/src/conftest/hooks/set_length.c @@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_set_length_t private_set_length_t; + +/** + * Private data of an set_length_t object. + */ +struct private_set_length_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Difference to correct length + */ + int diff; +}; + +METHOD(listener_t, message, bool, + private_set_length_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + payload_t *payload; + enumerator_t *enumerator; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (type == payload->get_type(payload)) + { + encoding_rule_t *rules; + size_t count; + u_int16_t *len; + int i; + + payload->get_encoding_rules(payload, &rules, &count); + for (i = 0; i < count; i++) + { + if (rules[i].type == PAYLOAD_LENGTH) + { + len = (u_int16_t*)(((void*)payload) + rules[i].offset); + DBG1(DBG_CFG, "adjusting length of %N payload " + "from %d to %d", payload_type_short_names, type, + *len, *len + this->diff); + *len = *len + this->diff; + } + } + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_length_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_length_hook_create(char *name) +{ + private_set_length_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .diff = conftest->test->get_int(conftest->test, + "hooks.%s.diff", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c new file mode 100644 index 000000000..a59d96b6d --- /dev/null +++ b/src/conftest/hooks/set_proposal_number.c @@ -0,0 +1,163 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_proposal_number_t private_set_proposal_number_t; + +/** + * Private data of an set_proposal_number_t object. + */ +struct private_set_proposal_number_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Proposal number to modify + */ + int from; + + /** + * Proposal number to set + */ + int to; +}; + +/** + * Copy all algs from given type from one proposal to another + */ +static void copy_proposal_algs(proposal_t *from, proposal_t *to, + transform_type_t type) +{ + enumerator_t *enumerator; + u_int16_t alg, key_size; + + enumerator = from->create_enumerator(from, type); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + to->add_algorithm(to, type, alg, key_size); + } + enumerator->destroy(enumerator); +} + +METHOD(listener_t, message, bool, + private_set_proposal_number_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list = NULL, *updated; + sa_payload_t *sa; + proposal_t *proposal, *new; + + updated = linked_list_create(); + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + message->remove_payload_at(message, enumerator); + sa->destroy(sa); + } + } + enumerator->destroy(enumerator); + + if (list) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &proposal)) + { + if (proposal->get_number(proposal) == this->from) + { + DBG1(DBG_CFG, "setting proposal number from %d to %d", + this->from, this->to); + new = proposal_create(proposal->get_protocol(proposal), + this->to); + copy_proposal_algs(proposal, new, ENCRYPTION_ALGORITHM); + copy_proposal_algs(proposal, new, INTEGRITY_ALGORITHM); + copy_proposal_algs(proposal, new, PSEUDO_RANDOM_FUNCTION); + copy_proposal_algs(proposal, new, DIFFIE_HELLMAN_GROUP); + copy_proposal_algs(proposal, new, EXTENDED_SEQUENCE_NUMBERS); + updated->insert_last(updated, new); + } + else + { + list->remove_at(list, enumerator); + updated->insert_last(updated, proposal); + } + } + enumerator->destroy(enumerator); + } + sa = sa_payload_create_from_proposal_list(updated); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + updated->destroy_offset(updated, offsetof(proposal_t, destroy)); + message->add_payload(message, (payload_t*)sa); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_proposal_number_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_proposal_number_hook_create(char *name) +{ + private_set_proposal_number_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .from = conftest->test->get_int(conftest->test, + "hooks.%s.from", 0, name), + .to = conftest->test->get_int(conftest->test, + "hooks.%s.to", 1, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c new file mode 100644 index 000000000..77a605d2a --- /dev/null +++ b/src/conftest/hooks/set_reserved.c @@ -0,0 +1,245 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_reserved_t private_set_reserved_t; + +/** + * Private data of an set_reserved_t object. + */ +struct private_set_reserved_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Hook name + */ + char *name; +}; + +/** + * Set reserved bit of a payload + */ +static void set_bit(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr) +{ + enumerator_t *payloads; + payload_t *payload; + bool *bit; + + if (type == HEADER) + { + message->set_reserved_header_bit(message, nr); + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + bit = payload_get_field(payload, RESERVED_BIT, nr); + if (bit) + { + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + *bit = TRUE; + } + } + } + payloads->destroy(payloads); + } +} + +/** + * Set reserved byte of a payload + */ +static void set_byte(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr, u_int8_t byteval) +{ + enumerator_t *payloads; + payload_t *payload; + u_int8_t *byte; + + if (type == TRANSFORM_SUBSTRUCTURE || type == PROPOSAL_SUBSTRUCTURE) + { + enumerator_t *transforms, *proposals; + transform_substructure_t *transform; + proposal_substructure_t *proposal; + sa_payload_t *sa; + + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + proposals = sa->create_substructure_enumerator(sa); + while (proposals->enumerate(proposals, &proposal)) + { + if (type == PROPOSAL_SUBSTRUCTURE) + { + byte = payload_get_field(&proposal->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + else if (type == TRANSFORM_SUBSTRUCTURE) + { + transforms = proposal->create_substructure_enumerator( + proposal); + while (transforms->enumerate(transforms, &transform)) + { + byte = payload_get_field(&transform->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + transforms->destroy(transforms); + } + } + proposals->destroy(proposals); + } + } + payloads->destroy(payloads); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + byte = payload_get_field(payload, RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + } + payloads->destroy(payloads); + } +} + +METHOD(listener_t, message, bool, + private_set_reserved_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *bits, *bytes, *types; + payload_type_t type; + char *nr, *name; + u_int8_t byteval; + + types = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bits", "", this->name, name); + bits = enumerator_create_token(nr, ",", " "); + while (bits->enumerate(bits, &nr)) + { + set_bit(this, message, type, atoi(nr)); + } + bits->destroy(bits); + + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bytes", "", this->name, name); + byteval = conftest->test->get_int(conftest->test, + "hooks.%s.%s.byteval", 255, this->name, name); + bytes = enumerator_create_token(nr, ",", " "); + while (bytes->enumerate(bytes, &nr)) + { + set_byte(this, message, type, atoi(nr), byteval); + } + bytes->destroy(bytes); + } + types->destroy(types); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_reserved_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_reserved_hook_create(char *name) +{ + private_set_reserved_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c new file mode 100644 index 000000000..80bdc64b7 --- /dev/null +++ b/src/conftest/hooks/unencrypted_notify.c @@ -0,0 +1,153 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unencrypted_notify_t private_unencrypted_notify_t; + +/** + * Private data of an unencrypted_notify_t object. + */ +struct private_unencrypted_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * ID of message send. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, ike_updown, bool, + private_unencrypted_notify_t *this, ike_sa_t *ike_sa, bool up) +{ + if (up) + { + message_t *message; + host_t *host; + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + packet_t *packet; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = notify_payload_create_from_protocol_and_type( + this->esp ? PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + + DBG1(DBG_CFG, "injecting unencrypted INFORMATIONAL message"); + + message = message_create(); + message->set_message_id(message, this->id); + message->set_ike_sa_id(message, ike_sa->get_id(ike_sa)); + message->set_exchange_type(message, INFORMATIONAL); + message->set_request(message, TRUE); + host = ike_sa->get_my_host(ike_sa); + message->set_source(message, host->clone(host)); + host = ike_sa->get_other_host(ike_sa); + message->set_destination(message, host->clone(host)); + message->add_payload(message, ¬ify->payload_interface); + if (message->generate(message, NULL, &packet) != SUCCESS) + { + DBG1(DBG_CFG, "generating message failed"); + message->destroy(message); + return TRUE; + } + message->destroy(message); + charon->sender->send(charon->sender, packet); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unencrypted_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unencrypted_notify_hook_create(char *name) +{ + private_unencrypted_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .ike_updown = _ike_updown, + }, + .destroy = _destroy, + }, + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 2, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c new file mode 100644 index 000000000..b37b261a4 --- /dev/null +++ b/src/conftest/hooks/unsort_message.c @@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unsort_message_t private_unsort_message_t; + +/** + * Private data of an unsort_message_t object. + */ +struct private_unsort_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Order of payloads we want + */ + char *order; +}; + +METHOD(listener_t, message, bool, + private_unsort_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator, *order; + linked_list_t *list; + payload_type_t type; + payload_t *payload; + char *name; + + list = linked_list_create(); + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + message->remove_payload_at(message, enumerator); + list->insert_last(list, payload); + } + enumerator->destroy(enumerator); + + order = enumerator_create_token(this->order, ", ", " "); + while (order->enumerate(order, &name)) + { + type = enum_from_name(payload_type_short_names, name); + if (type != -1) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == type) + { + list->remove_at(list, enumerator); + message->add_payload(message, payload); + } + } + enumerator->destroy(enumerator); + } + else + { + DBG1(DBG_CFG, "unknown payload to sort: '%s', skipped", name); + } + } + order->destroy(order); + + while (list->remove_first(list, (void**)&payload) == SUCCESS) + { + message->add_payload(message, payload); + } + list->destroy(list); + + message->disable_sort(message); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unsort_message_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unsort_message_hook_create(char *name) +{ + private_unsort_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .order = conftest->test->get_str(conftest->test, + "hooks.%s.order", "", name), + ); + + return &this->hook; +} diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 7c22f5ec5..79961b916 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 498fb17f1..b9b758193 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -172,9 +172,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -213,6 +211,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h index b971e3848..930fdd2de 100644 --- a/src/include/linux/xfrm.h +++ b/src/include/linux/xfrm.h @@ -283,6 +283,7 @@ enum xfrm_attr_type_t { XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ XFRMA_MARK, /* struct xfrm_mark */ + XFRMA_TFCPAD, /* __u32 */ __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 276d9f36d..0b4870e94 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index f995119aa..6f4117be7 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan" +.TH IPSEC 8 "2010-05-30" "4.5.1" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in index 0bddc201a..2ea0ef798 100755 --- a/src/ipsec/ipsec.in +++ b/src/ipsec/ipsec.in @@ -65,7 +65,7 @@ case "$1" in echo " rereadsecrets|rereadgroups" echo " rereadcacerts|rereadaacerts|rereadocspcerts" echo " rereadacerts|rereadcrls|rereadall" - echo " purgeocsp|purgeike" + echo " purgeocsp|purgecrls|purgecerts|purgeike" echo " scencrypt|scdecrypt [--inbase ] [--outbase ] [--keyid ]" echo " openac" echo " pluto" @@ -191,11 +191,11 @@ rereadall|purgeocsp) fi exit "$rc" ;; -purgeike) +purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then - $IPSEC_STROKE purgeike + $IPSEC_STROKE "$1" rc="$?" fi exit "$rc" diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 2b7646327..1e78c9d79 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -53,6 +53,7 @@ processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \ processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ +processing/jobs/start_action_job.c processing/jobs/start_action_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ @@ -87,8 +88,12 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ sa/tasks/task.c sa/tasks/task.h \ -tnccs/tnccs.c tnccs/tnccs.h \ -tnccs/tnccs_manager.h tnccs/tnccs_manager.c +tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ +tnc/imc/imc.h tnc/imc/imc_manager.h \ +tnc/imv/imv.h tnc/imv/imv_manager.h \ +tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \ +tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \ +tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h daemon.lo : $(top_builddir)/config.status @@ -317,14 +322,14 @@ endif if USE_TNC_IMC SUBDIRS += plugins/tnc_imc if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la + libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc-imc.la endif endif if USE_TNC_IMV SUBDIRS += plugins/tnc_imv if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la + libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la endif endif @@ -342,6 +347,13 @@ if MONOLITHIC endif endif +if USE_TNCCS_DYNAMIC + SUBDIRS += plugins/tnccs_dynamic +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la +endif +endif + if USE_MEDSRV SUBDIRS += plugins/medsrv if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 8a7a99ddd..6ec4c6ca5 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -96,35 +96,37 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la @MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la @USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc -@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la +@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc-imc.la @USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv -@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la +@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc-imv.la @USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11 @MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la @USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20 @MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la -@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la -@USE_NM_TRUE@am__append_65 = plugins/nm -@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la -@USE_DHCP_TRUE@am__append_67 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la -@USE_ANDROID_TRUE@am__append_69 = plugins/android -@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la -@USE_MAEMO_TRUE@am__append_71 = plugins/maemo -@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la -@USE_HA_TRUE@am__append_73 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la -@USE_LED_TRUE@am__append_75 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la -@USE_UCI_TRUE@am__append_77 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la -@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la +@USE_TNCCS_DYNAMIC_TRUE@am__append_61 = plugins/tnccs_dynamic +@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_62 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la +@USE_MEDSRV_TRUE@am__append_63 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_64 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_65 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_66 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_67 = plugins/nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_68 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_69 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_70 = plugins/dhcp/libstrongswan-dhcp.la +@USE_ANDROID_TRUE@am__append_71 = plugins/android +@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_72 = plugins/android/libstrongswan-android.la +@USE_MAEMO_TRUE@am__append_73 = plugins/maemo +@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_74 = plugins/maemo/libstrongswan-maemo.la +@USE_HA_TRUE@am__append_75 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_76 = plugins/ha/libstrongswan-ha.la +@USE_LED_TRUE@am__append_77 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_78 = plugins/led/libstrongswan-led.la +@USE_UCI_TRUE@am__append_79 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_80 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_81 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_82 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_83 = plugins/unit_tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_84 = plugins/unit_tester/libstrongswan-unit-tester.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -181,7 +183,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_80) $(am__append_82) + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ @@ -251,8 +254,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ - processing/jobs/roam_job.c processing/jobs/roam_job.h \ - processing/jobs/update_sa_job.c \ + processing/jobs/start_action_job.c \ + processing/jobs/start_action_job.h processing/jobs/roam_job.c \ + processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ @@ -288,8 +292,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ - tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \ + tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ + tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ + tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ + tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ + tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ + tnc/tnccs/tnccs_manager.h encoding/payloads/endpoint_notify.c \ encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ processing/jobs/initiate_mediation_job.h \ @@ -315,16 +323,17 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \ migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \ rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ - send_keepalive_job.lo roam_job.lo update_sa_job.lo \ - inactivity_job.lo authenticator.lo eap_authenticator.lo \ - eap_method.lo eap_manager.lo sim_manager.lo \ - psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \ - ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \ - keymat.lo trap_manager.lo child_create.lo child_delete.lo \ - child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \ - ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \ - ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \ - ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \ + send_keepalive_job.lo start_action_job.lo roam_job.lo \ + update_sa_job.lo inactivity_job.lo authenticator.lo \ + eap_authenticator.lo eap_method.lo eap_manager.lo \ + sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \ + child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \ + task_manager.lo keymat.lo trap_manager.lo child_create.lo \ + child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \ + ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \ + ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ + ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ + tncifimv.lo imv_recommendations.lo tnccs.lo tnccs_manager.lo \ $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ @@ -366,9 +375,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \ plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \ plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \ - plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ - plugins/android plugins/maemo plugins/ha plugins/led \ - plugins/uci plugins/addrblock plugins/unit_tester + plugins/tnccs_dynamic plugins/medsrv plugins/medcli plugins/nm \ + plugins/dhcp plugins/android plugins/maemo plugins/ha \ + plugins/led plugins/uci plugins/addrblock plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -514,9 +523,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -555,6 +562,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -635,8 +644,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ - processing/jobs/roam_job.c processing/jobs/roam_job.h \ - processing/jobs/update_sa_job.c \ + processing/jobs/start_action_job.c \ + processing/jobs/start_action_job.h processing/jobs/roam_job.c \ + processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ @@ -672,8 +682,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ - tnccs/tnccs_manager.c $(am__append_1) + tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ + tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ + tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ + tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ + tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ + tnc/tnccs/tnccs_manager.h $(am__append_1) INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ @@ -699,7 +713,8 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_80) $(am__append_82) + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \ @MONOLITHIC_FALSE@ $(am__append_7) $(am__append_9) \ @@ -720,7 +735,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ -@MONOLITHIC_FALSE@ $(am__append_81) +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) # build optional plugins ######################## @@ -743,7 +758,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ -@MONOLITHIC_TRUE@ $(am__append_81) +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) all: all-recursive .SUFFIXES: @@ -867,6 +882,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_recommendations.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@ @@ -898,11 +914,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/start_action_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncifimv.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@ @@ -1283,6 +1301,13 @@ send_keepalive_job.lo: processing/jobs/send_keepalive_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c +start_action_job.lo: processing/jobs/start_action_job.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c + roam_job.lo: processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo @@ -1521,19 +1546,33 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c -tnccs.lo: tnccs/tnccs.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +tncifimv.lo: tnc/tncifimv.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tncifimv.lo -MD -MP -MF $(DEPDIR)/tncifimv.Tpo -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tncifimv.Tpo $(DEPDIR)/tncifimv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tncifimv.c' object='tncifimv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c + +imv_recommendations.lo: tnc/imv/imv_recommendations.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c + +tnccs.lo: tnc/tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c -tnccs_manager.lo: tnccs/tnccs_manager.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +tnccs_manager.lo: tnc/tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index ab8d0fc48..23931c47d 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -227,13 +227,13 @@ static bool log_cb(entry_t *entry, log_data_t *data) { entry->blocker = FALSE; entry->condvar->signal(entry->condvar); + entry->calling--; } else { entry_destroy(entry); } va_end(args); - entry->calling--; return TRUE; } va_end(args); diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c index 90ef58563..e78cb702d 100644 --- a/src/libcharon/config/backend_manager.c +++ b/src/libcharon/config/backend_manager.c @@ -96,6 +96,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_ANY; } + else + { + me_cand->destroy(me_cand); + return MATCH_NONE; + } me_cand->destroy(me_cand); } else @@ -119,6 +124,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_ANY; } + else + { + other_cand->destroy(other_cand); + return MATCH_NONE; + } other_cand->destroy(other_cand); } else @@ -128,11 +138,8 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) return match; } -/** - * implements backend_manager_t.get_ike_cfg. - */ -static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, - host_t *me, host_t *other) +METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, + private_backend_manager_t *this, host_t *me, host_t *other) { ike_cfg_t *current, *found = NULL; enumerator_t *enumerator; @@ -308,12 +315,9 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list, } } -/** - * Implements backend_manager_t.create_peer_cfg_enumerator. - */ -static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, - host_t *me, host_t *other, identification_t *my_id, - identification_t *other_id) +METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, + private_backend_manager_t *this, host_t *me, host_t *other, + identification_t *my_id, identification_t *other_id) { enumerator_t *enumerator; peer_data_t *data; @@ -372,10 +376,8 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, (void*)peer_enum_filter_destroy); } -/** - * implements backend_manager_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name) +METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*, + private_backend_manager_t *this, char *name) { backend_t *backend; peer_cfg_t *config = NULL; @@ -392,30 +394,24 @@ static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *n return config; } -/** - * Implementation of backend_manager_t.remove_backend. - */ -static void remove_backend(private_backend_manager_t *this, backend_t *backend) +METHOD(backend_manager_t, remove_backend, void, + private_backend_manager_t *this, backend_t *backend) { this->lock->write_lock(this->lock); this->backends->remove(this->backends, backend, NULL); this->lock->unlock(this->lock); } -/** - * Implementation of backend_manager_t.add_backend. - */ -static void add_backend(private_backend_manager_t *this, backend_t *backend) +METHOD(backend_manager_t, add_backend, void, + private_backend_manager_t *this, backend_t *backend) { this->lock->write_lock(this->lock); this->backends->insert_last(this->backends, backend); this->lock->unlock(this->lock); } -/** - * Implementation of backend_manager_t.destroy. - */ -static void destroy(private_backend_manager_t *this) +METHOD(backend_manager_t, destroy, void, + private_backend_manager_t *this) { this->backends->destroy(this->backends); this->lock->destroy(this->lock); @@ -424,20 +420,24 @@ static void destroy(private_backend_manager_t *this) /* * Described in header-file + */ backend_manager_t *backend_manager_create() { - private_backend_manager_t *this = malloc_thing(private_backend_manager_t); - - this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; - this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; - this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator; - this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; - this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend; - this->public.destroy = (void (*)(backend_manager_t*))destroy; + private_backend_manager_t *this; - this->backends = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + INIT(this, + .public = { + .get_ike_cfg = _get_ike_cfg, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .add_backend = _add_backend, + .remove_backend = _remove_backend, + .destroy = _destroy, + }, + .backends = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); return &this->public; } diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 1cdfd5949..74949be3c 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -79,6 +79,11 @@ struct private_child_cfg_t { */ ipsec_mode_t mode; + /** + * action to take to start CHILD_SA + */ + action_t start_action; + /** * action to take on DPD */ @@ -118,6 +123,12 @@ struct private_child_cfg_t { * Optional mark to install outbound CHILD_SA with */ mark_t mark_out; + + /** + * Traffic Flow Confidentiality padding, if enabled + */ + u_int32_t tfc; + /** * set up IPsec transport SA in MIPv6 proxy mode */ @@ -129,26 +140,20 @@ struct private_child_cfg_t { bool install_policy; }; -/** - * Implementation of child_cfg_t.get_name. - */ -static char *get_name(private_child_cfg_t *this) +METHOD(child_cfg_t, get_name, char*, + private_child_cfg_t *this) { return this->name; } -/** - * Implementation of child_cfg_t.add_proposal. - */ -static void add_proposal(private_child_cfg_t *this, proposal_t *proposal) +METHOD(child_cfg_t, add_proposal, void, + private_child_cfg_t *this, proposal_t *proposal) { this->proposals->insert_last(this->proposals, proposal); } -/** - * Implementation of child_cfg_t.get_proposals. - */ -static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) +METHOD(child_cfg_t, get_proposals, linked_list_t*, + private_child_cfg_t *this, bool strip_dh) { enumerator_t *enumerator; proposal_t *current; @@ -169,12 +174,9 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) return proposals; } -/** - * Implementation of child_cfg_t.select_proposal. - */ -static proposal_t* select_proposal(private_child_cfg_t*this, - linked_list_t *proposals, bool strip_dh, - bool private) +METHOD(child_cfg_t, select_proposal, proposal_t*, + private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh, + bool private) { enumerator_t *stored_enum, *supplied_enum; proposal_t *stored, *supplied, *selected = NULL; @@ -219,11 +221,8 @@ static proposal_t* select_proposal(private_child_cfg_t*this, return selected; } -/** - * Implementation of child_cfg_t.add_traffic_selector. - */ -static void add_traffic_selector(private_child_cfg_t *this, bool local, - traffic_selector_t *ts) +METHOD(child_cfg_t, add_traffic_selector, void, + private_child_cfg_t *this, bool local, traffic_selector_t *ts) { if (local) { @@ -235,12 +234,8 @@ static void add_traffic_selector(private_child_cfg_t *this, bool local, } } -/** - * Implementation of child_cfg_t.get_traffic_selectors. - */ -static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local, - linked_list_t *supplied, - host_t *host) +METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, + private_child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host) { enumerator_t *e1, *e2; traffic_selector_t *ts1, *ts2, *selected; @@ -346,18 +341,14 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca return result; } -/** - * Implementation of child_cfg_t.get_updown. - */ -static char* get_updown(private_child_cfg_t *this) +METHOD(child_cfg_t, get_updown, char*, + private_child_cfg_t *this) { return this->updown; } -/** - * Implementation of child_cfg_t.get_hostaccess. - */ -static bool get_hostaccess(private_child_cfg_t *this) +METHOD(child_cfg_t, get_hostaccess, bool, + private_child_cfg_t *this) { return this->hostaccess; } @@ -378,10 +369,8 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter) } #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter) -/** - * Implementation of child_cfg_t.get_lifetime. - */ -static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) +METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*, + private_child_cfg_t *this) { lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t); memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t)); @@ -391,34 +380,32 @@ static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) return lft; } -/** - * Implementation of child_cfg_t.get_mode. - */ -static ipsec_mode_t get_mode(private_child_cfg_t *this) +METHOD(child_cfg_t, get_mode, ipsec_mode_t, + private_child_cfg_t *this) { return this->mode; } -/** - * Implementation of child_cfg_t.get_dpd_action. - */ -static action_t get_dpd_action(private_child_cfg_t *this) +METHOD(child_cfg_t, get_start_action, action_t, + private_child_cfg_t *this) +{ + return this->start_action; +} + +METHOD(child_cfg_t, get_dpd_action, action_t, + private_child_cfg_t *this) { return this->dpd_action; } -/** - * Implementation of child_cfg_t.get_close_action. - */ -static action_t get_close_action(private_child_cfg_t *this) +METHOD(child_cfg_t, get_close_action, action_t, + private_child_cfg_t *this) { return this->close_action; } -/** - * Implementation of child_cfg_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) +METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t, + private_child_cfg_t *this) { enumerator_t *enumerator; proposal_t *proposal; @@ -436,77 +423,64 @@ static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) return dh_group; } -/** - * Implementation of child_cfg_t.use_ipcomp. - */ -static bool use_ipcomp(private_child_cfg_t *this) +METHOD(child_cfg_t, use_ipcomp, bool, + private_child_cfg_t *this) { return this->use_ipcomp; } -/** - * Implementation of child_cfg_t.get_inactivity. - */ -static u_int32_t get_inactivity(private_child_cfg_t *this) +METHOD(child_cfg_t, get_inactivity, u_int32_t, + private_child_cfg_t *this) { return this->inactivity; } -/** - * Implementation of child_cfg_t.get_reqid. - */ -static u_int32_t get_reqid(private_child_cfg_t *this) +METHOD(child_cfg_t, get_reqid, u_int32_t, + private_child_cfg_t *this) { return this->reqid; } -/** - * Implementation of child_cfg_t.get_mark. - */ -static mark_t get_mark(private_child_cfg_t *this, bool inbound) +METHOD(child_cfg_t, get_mark, mark_t, + private_child_cfg_t *this, bool inbound) { return inbound ? this->mark_in : this->mark_out; } -/** - * Implementation of child_cfg_t.set_mipv6_options. - */ -static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode, - bool install_policy) +METHOD(child_cfg_t, get_tfc, u_int32_t, + private_child_cfg_t *this) +{ + return this->tfc; +} + +METHOD(child_cfg_t, set_mipv6_options, void, + private_child_cfg_t *this, bool proxy_mode, bool install_policy) { this->proxy_mode = proxy_mode; this->install_policy = install_policy; } -/** - * Implementation of child_cfg_t.use_proxy_mode. - */ -static bool use_proxy_mode(private_child_cfg_t *this) +METHOD(child_cfg_t, use_proxy_mode, bool, + private_child_cfg_t *this) { return this->proxy_mode; } -/** - * Implementation of child_cfg_t.install_policy. - */ -static bool install_policy(private_child_cfg_t *this) +METHOD(child_cfg_t, install_policy, bool, + private_child_cfg_t *this) { return this->install_policy; } -/** - * Implementation of child_cfg_t.get_ref. - */ -static child_cfg_t* get_ref(private_child_cfg_t *this) +METHOD(child_cfg_t, get_ref, child_cfg_t*, + private_child_cfg_t *this) { ref_get(&this->refcount); return &this->public; } -/** - * Implements child_cfg_t.destroy. - */ -static void destroy(private_child_cfg_t *this) +METHOD(child_cfg_t, destroy, void, + private_child_cfg_t *this) { if (ref_put(&this->refcount)) { @@ -527,71 +501,67 @@ static void destroy(private_child_cfg_t *this) */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, - ipsec_mode_t mode, action_t dpd_action, - action_t close_action, bool ipcomp, - u_int32_t inactivity, u_int32_t reqid, - mark_t *mark_in, mark_t *mark_out) + ipsec_mode_t mode, action_t start_action, + action_t dpd_action, action_t close_action, + bool ipcomp, u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out, u_int32_t tfc) { - private_child_cfg_t *this = malloc_thing(private_child_cfg_t); - - this->public.get_name = (char* (*) (child_cfg_t*))get_name; - this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; - this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; - this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; - this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; - this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal; - this->public.get_updown = (char* (*) (child_cfg_t*))get_updown; - this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; - this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; - this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; - this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; - this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime; - this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; - this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; - this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; - this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity; - this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid; - this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark; - this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode; - this->public.install_policy = (bool (*) (child_cfg_t *))install_policy; - this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref; - this->public.destroy = (void (*) (child_cfg_t*))destroy; - - this->name = strdup(name); - this->updown = updown ? strdup(updown) : NULL; - this->hostaccess = hostaccess; - this->mode = mode; - this->dpd_action = dpd_action; - this->close_action = close_action; - this->use_ipcomp = ipcomp; - this->inactivity = inactivity; - this->reqid = reqid; + private_child_cfg_t *this; + + INIT(this, + .public = { + .get_name = _get_name, + .add_traffic_selector = _add_traffic_selector, + .get_traffic_selectors = _get_traffic_selectors, + .add_proposal = _add_proposal, + .get_proposals = _get_proposals, + .select_proposal = _select_proposal, + .get_updown = _get_updown, + .get_hostaccess = _get_hostaccess, + .get_mode = _get_mode, + .get_start_action = _get_start_action, + .get_dpd_action = _get_dpd_action, + .get_close_action = _get_close_action, + .get_lifetime = _get_lifetime, + .get_dh_group = _get_dh_group, + .set_mipv6_options = _set_mipv6_options, + .use_ipcomp = _use_ipcomp, + .get_inactivity = _get_inactivity, + .get_reqid = _get_reqid, + .get_mark = _get_mark, + .get_tfc = _get_tfc, + .use_proxy_mode = _use_proxy_mode, + .install_policy = _install_policy, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .name = strdup(name), + .updown = strdupnull(updown), + .hostaccess = hostaccess, + .mode = mode, + .start_action = start_action, + .dpd_action = dpd_action, + .close_action = close_action, + .use_ipcomp = ipcomp, + .inactivity = inactivity, + .reqid = reqid, + .proxy_mode = FALSE, + .install_policy = TRUE, + .refcount = 1, + .proposals = linked_list_create(), + .my_ts = linked_list_create(), + .other_ts = linked_list_create(), + .tfc = tfc, + ); if (mark_in) { this->mark_in = *mark_in; } - else - { - this->mark_in.value = 0; - this->mark_in.mask = 0; - } if (mark_out) { this->mark_out = *mark_out; } - else - { - this->mark_out.value = 0; - this->mark_out.mask = 0; - } - - this->proxy_mode = FALSE; - this->install_policy = TRUE; - this->refcount = 1; - this->proposals = linked_list_create(); - this->my_ts = linked_list_create(); - this->other_ts = linked_list_create(); memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t)); return &this->public; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 1e6fe3fe9..175ced76c 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -32,14 +32,15 @@ typedef struct child_cfg_t child_cfg_t; #include /** - * Action to take when DPD detected/connection gets closed by peer. + * Action to take when connection is loaded, DPD is detected or + * connection gets closed by peer. */ enum action_t { /** No action */ ACTION_NONE, - /** Route config to reestablish on demand */ + /** Route config to establish or reestablish on demand */ ACTION_ROUTE, - /** Restart config immediately */ + /** Start or restart config immediately */ ACTION_RESTART, }; @@ -168,6 +169,13 @@ struct child_cfg_t { */ ipsec_mode_t (*get_mode) (child_cfg_t *this); + /** + * Action to take to start CHILD_SA. + * + * @return start action + */ + action_t (*get_start_action) (child_cfg_t *this); + /** * Action to take on DPD. * @@ -219,6 +227,13 @@ struct child_cfg_t { */ mark_t (*get_mark)(child_cfg_t *this, bool inbound); + /** + * Get the TFC padding value to use for CHILD_SA. + * + * @return TFC padding, 0 to disable, -1 for MTU + */ + u_int32_t (*get_tfc)(child_cfg_t *this); + /** * Sets two options needed for Mobile IPv6 interoperability * @@ -276,6 +291,7 @@ struct child_cfg_t { * @param updown updown script to execute on up/down event * @param hostaccess TRUE to allow access to the local host * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET + * @param start_action start action * @param dpd_action DPD action * @param close_action close action * @param ipcomp use IPComp, if peer supports it @@ -283,13 +299,14 @@ struct child_cfg_t { * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign * @param mark_in optional inbound mark (can be NULL) * @param mark_out optional outbound mark (can be NULL) + * @param tfc TFC padding size, 0 to disable, -1 to pad to PMTU * @return child_cfg_t object */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, - ipsec_mode_t mode, action_t dpd_action, - action_t close_action, bool ipcomp, - u_int32_t inactivity, u_int32_t reqid, - mark_t *mark_in, mark_t *mark_out); + ipsec_mode_t mode, action_t start_action, + action_t dpd_action, action_t close_action, + bool ipcomp, u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out, u_int32_t tfc); #endif /** CHILD_CFG_H_ @}*/ diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 9df14c9ae..6f0c87279 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -682,7 +682,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->use_mobike = mobike; this->dpd = dpd; this->virtual_ip = virtual_ip; - this->pool = pool ? strdup(pool) : NULL; + this->pool = strdupnull(pool); this->local_auth = linked_list_create(); this->remote_auth = linked_list_create(); this->refcount = 1; diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 5b8294599..86a59bc1b 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -560,6 +560,7 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) if (token == NULL) { + DBG1(DBG_CFG, "algorithm '%.*s' not recognized", alg.len, alg.ptr); return FAILED; } @@ -740,9 +741,10 @@ static void proposal_add_supported_ike(private_proposal_t *this) integrity_algorithm_t integrity; pseudo_random_function_t prf; diffie_hellman_group_t group; + const char *plugin_name; enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { switch (encryption) { @@ -777,7 +779,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity)) + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { switch (integrity) { @@ -796,7 +798,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf)) + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { switch (prf) { @@ -815,7 +817,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group)) + while (enumerator->enumerate(enumerator, &group, &plugin_name)) { switch (group) { diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 4b8e1fadd..4f2831e42 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -19,14 +19,14 @@ #include #include #include -#include #include -#include #ifdef CAPABILITIES -#ifdef HAVE_SYS_CAPABILITY_H -#include -#endif /* HAVE_SYS_CAPABILITY_H */ +# ifdef HAVE_SYS_CAPABILITY_H +# include +# elif defined(CAPABILITIES_NATIVE) +# include +# endif /* CAPABILITIES_NATIVE */ #endif /* CAPABILITIES */ #include "daemon.h" @@ -34,10 +34,7 @@ #include #include #include - -#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ -#define LOG_AUTHPRIV LOG_AUTH -#endif +#include typedef struct private_daemon_t private_daemon_t; @@ -62,7 +59,7 @@ struct private_daemon_t { cap_t caps; #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE - struct __user_cap_data_struct caps; + struct __user_cap_data_struct caps[2]; #endif /* CAPABILITIES_NATIVE */ }; @@ -147,9 +144,16 @@ METHOD(daemon_t, keep_cap, void, cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE - this->caps.effective |= 1 << cap; - this->caps.permitted |= 1 << cap; - this->caps.inheritable |= 1 << cap; + int i = 0; + + if (cap >= 32) + { + i++; + cap -= 32; + } + this->caps[i].effective |= 1 << cap; + this->caps[i].permitted |= 1 << cap; + this->caps[i].inheritable |= 1 << cap; #endif /* CAPABILITIES_NATIVE */ } @@ -164,9 +168,15 @@ METHOD(daemon_t, drop_capabilities, bool, #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE struct __user_cap_header_struct header = { - .version = _LINUX_CAPABILITY_VERSION, +#if defined(_LINUX_CAPABILITY_VERSION_3) + .version = _LINUX_CAPABILITY_VERSION_3, +#elif defined(_LINUX_CAPABILITY_VERSION_2) + .version = _LINUX_CAPABILITY_VERSION_2, +#else + .version = _LINUX_CAPABILITY_VERSION_1, +#endif }; - if (capset(&header, &this->caps) != 0) + if (capset(&header, this->caps) != 0) { return FALSE; } @@ -202,155 +212,9 @@ static void print_plugins() DBG1(DBG_DMN, "loaded plugins: %s", buf); } -/** - * Initialize logging - */ -static void initialize_loggers(private_daemon_t *this, bool use_stderr, - level_t levels[]) -{ - sys_logger_t *sys_logger; - file_logger_t *file_logger; - enumerator_t *enumerator; - char *facility, *filename; - int loggers_defined = 0; - debug_t group; - level_t def; - bool append, ike_name; - FILE *file; - - /* setup sysloggers */ - enumerator = lib->settings->create_section_enumerator(lib->settings, - "charon.syslog"); - while (enumerator->enumerate(enumerator, &facility)) - { - loggers_defined++; - - ike_name = lib->settings->get_bool(lib->settings, - "charon.syslog.%s.ike_name", FALSE, facility); - if (streq(facility, "daemon")) - { - sys_logger = sys_logger_create(LOG_DAEMON, ike_name); - } - else if (streq(facility, "auth")) - { - sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); - } - else - { - continue; - } - def = lib->settings->get_int(lib->settings, - "charon.syslog.%s.default", 1, facility); - for (group = 0; group < DBG_MAX; group++) - { - sys_logger->set_level(sys_logger, group, - lib->settings->get_int(lib->settings, - "charon.syslog.%s.%N", def, - facility, debug_lower_names, group)); - } - this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - } - enumerator->destroy(enumerator); - - /* and file loggers */ - enumerator = lib->settings->create_section_enumerator(lib->settings, - "charon.filelog"); - while (enumerator->enumerate(enumerator, &filename)) - { - loggers_defined++; - if (streq(filename, "stderr")) - { - file = stderr; - } - else if (streq(filename, "stdout")) - { - file = stdout; - } - else - { - append = lib->settings->get_bool(lib->settings, - "charon.filelog.%s.append", TRUE, filename); - file = fopen(filename, append ? "a" : "w"); - if (file == NULL) - { - DBG1(DBG_DMN, "opening file %s for logging failed: %s", - filename, strerror(errno)); - continue; - } - if (lib->settings->get_bool(lib->settings, - "charon.filelog.%s.flush_line", FALSE, filename)) - { - setlinebuf(file); - } - } - file_logger = file_logger_create(file, - lib->settings->get_str(lib->settings, - "charon.filelog.%s.time_format", NULL, filename), - lib->settings->get_bool(lib->settings, - "charon.filelog.%s.ike_name", FALSE, filename)); - def = lib->settings->get_int(lib->settings, - "charon.filelog.%s.default", 1, filename); - for (group = 0; group < DBG_MAX; group++) - { - file_logger->set_level(file_logger, group, - lib->settings->get_int(lib->settings, - "charon.filelog.%s.%N", def, - filename, debug_lower_names, group)); - } - this->public.file_loggers->insert_last(this->public.file_loggers, - file_logger); - this->public.bus->add_listener(this->public.bus, &file_logger->listener); - - } - enumerator->destroy(enumerator); - - /* set up legacy style default loggers provided via command-line */ - if (!loggers_defined) - { - /* set up default stdout file_logger */ - file_logger = file_logger_create(stdout, NULL, FALSE); - this->public.bus->add_listener(this->public.bus, &file_logger->listener); - this->public.file_loggers->insert_last(this->public.file_loggers, - file_logger); - /* set up default daemon sys_logger */ - sys_logger = sys_logger_create(LOG_DAEMON, FALSE); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - for (group = 0; group < DBG_MAX; group++) - { - sys_logger->set_level(sys_logger, group, levels[group]); - if (use_stderr) - { - file_logger->set_level(file_logger, group, levels[group]); - } - } - - /* set up default auth sys_logger */ - sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); - } -} - METHOD(daemon_t, initialize, bool, - private_daemon_t *this, bool syslog, level_t levels[]) + private_daemon_t *this) { - /* for uncritical pseudo random numbers */ - srandom(time(NULL) + getpid()); - - /* setup bus and it's listeners first to enable log output */ - this->public.bus = bus_create(); - /* set up hook to log dbg message in library via charons message bus */ - dbg_old = dbg; - dbg = dbg_bus; - - initialize_loggers(this, !syslog, levels); - DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")"); if (lib->integrity) @@ -362,16 +226,6 @@ METHOD(daemon_t, initialize, bool, DBG1(DBG_DMN, "daemon 'charon': passed file integrity test"); } - /* load secrets, ca certificates and crls */ - this->public.controller = controller_create(); - this->public.eap = eap_manager_create(); - this->public.sim = sim_manager_create(); - this->public.tnccs = tnccs_manager_create(); - this->public.backends = backend_manager_create(); - this->public.socket = socket_manager_create(); - this->public.traps = trap_manager_create(); - this->kernel_handler = kernel_handler_create(); - /* load plugins, further infrastructure may need it */ if (!lib->plugins->load(lib->plugins, NULL, lib->settings->get_str(lib->settings, "charon.load", PLUGINS))) @@ -393,6 +247,9 @@ METHOD(daemon_t, initialize, bool, return FALSE; } + /* Queue start_action job */ + lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); + #ifdef ME this->public.connect_manager = connect_manager_create(); if (this->public.connect_manager == NULL) @@ -418,10 +275,20 @@ private_daemon_t *daemon_create() .drop_capabilities = _drop_capabilities, .initialize = _initialize, .start = _start, + .bus = bus_create(), .file_loggers = linked_list_create(), .sys_loggers = linked_list_create(), }, ); + charon = &this->public; + this->public.controller = controller_create(); + this->public.eap = eap_manager_create(); + this->public.sim = sim_manager_create(); + this->public.tnccs = tnccs_manager_create(); + this->public.backends = backend_manager_create(); + this->public.socket = socket_manager_create(); + this->public.traps = trap_manager_create(); + this->kernel_handler = kernel_handler_create(); #ifdef CAPABILITIES #ifdef CAPABILITIES_LIBCAP @@ -442,7 +309,6 @@ private_daemon_t *daemon_create() */ void libcharon_deinit() { - destroy((private_daemon_t*)charon); charon = NULL; } @@ -455,7 +321,13 @@ bool libcharon_init() private_daemon_t *this; this = daemon_create(); - charon = &this->public; + + /* for uncritical pseudo random numbers */ + srandom(time(NULL) + getpid()); + + /* set up hook to log dbg message in library via charons message bus */ + dbg_old = dbg; + dbg = dbg_bus; lib->printf_hook->add_handler(lib->printf_hook, 'P', proposal_printf_hook, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index c0c834b43..04f1fc249 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -149,7 +149,9 @@ typedef struct daemon_t daemon_t; #include #include #include -#include +#include +#include +#include #ifdef ME #include @@ -236,6 +238,16 @@ struct daemon_t { */ sim_manager_t *sim; + /** + * TNC IMC manager controlling Integrity Measurement Collectors + */ + imc_manager_t *imcs; + + /** + * TNC IMV manager controlling Integrity Measurement Verifiers + */ + imv_manager_t *imvs; + /** * TNCCS manager to maintain registered TNCCS protocols */ @@ -286,7 +298,7 @@ struct daemon_t { /** * Initialize the daemon. */ - bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]); + bool (*initialize)(daemon_t *this); /** * Starts the daemon, i.e. spawns the threads of the thread pool. @@ -305,6 +317,9 @@ extern daemon_t *charon; /** * Initialize libcharon and create the "charon" instance of daemon_t. * + * This function initializes the bus, listeners can be registered before + * calling initialize(). + * * @return FALSE if integrity check failed */ bool libcharon_init(); diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c index 224f76fce..ce3844361 100644 --- a/src/libcharon/encoding/generator.c +++ b/src/libcharon/encoding/generator.c @@ -41,6 +41,7 @@ #include #include #include +#include /** * Generating is done in a data buffer. @@ -89,20 +90,10 @@ struct private_generator_t { */ void *data_struct; - /* - * Last payload length position offset in the buffer. - */ - u_int32_t last_payload_length_position_offset; - /** * Offset of the header length field in the buffer. */ - u_int32_t header_length_position_offset; - - /** - * Last SPI size. - */ - u_int8_t last_spi_size; + u_int32_t header_length_offset; /** * Attribute format of the last generated transform attribute. @@ -192,33 +183,6 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes, } } -/** - * Writes a specific amount of byte into the buffer at a specific offset. - */ -static void write_bytes_to_buffer_at_offset(private_generator_t *this, - void *bytes, int number_of_bytes, u_int32_t offset) -{ - int i; - u_int8_t *read_position = (u_int8_t *)bytes; - u_int8_t *write_position; - u_int32_t free_space_after_offset = get_size(this) - offset; - - /* check first if enough space for new data is available */ - if (number_of_bytes > free_space_after_offset) - { - make_space_available(this, - (number_of_bytes - free_space_after_offset) * 8); - } - - write_position = this->buffer + offset; - for (i = 0; i < number_of_bytes; i++) - { - *write_position = *read_position; - read_position++; - write_position++; - } -} - /** * Generates a U_INT-Field type and writes it to buffer. */ @@ -234,10 +198,13 @@ static void generate_u_int_type(private_generator_t *this, number_of_bits = 4; break; case TS_TYPE: + case RESERVED_BYTE: + case SPI_SIZE: case U_INT_8: number_of_bits = 8; break; case U_INT_16: + case PAYLOAD_LENGTH: case CONFIGURATION_ATTRIBUTE_LENGTH: number_of_bits = 16; break; @@ -301,6 +268,8 @@ static void generate_u_int_type(private_generator_t *this, break; } case TS_TYPE: + case RESERVED_BYTE: + case SPI_SIZE: case U_INT_8: { /* 8 bit values are written as they are */ @@ -338,6 +307,7 @@ static void generate_u_int_type(private_generator_t *this, } case U_INT_16: + case PAYLOAD_LENGTH: case CONFIGURATION_ATTRIBUTE_LENGTH: { u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset))); @@ -370,49 +340,6 @@ static void generate_u_int_type(private_generator_t *this, } } -/** - * Generate a reserved bit or byte - */ -static void generate_reserved_field(private_generator_t *this, int bits) -{ - /* only one bit or 8 bit fields are supported */ - if (bits != 1 && bits != 8) - { - DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits); - return ; - } - make_space_available(this, bits); - - if (bits == 1) - { - u_int8_t reserved_bit = ~(1 << (7 - this->current_bit)); - - *(this->out_position) = *(this->out_position) & reserved_bit; - if (this->current_bit == 0) - { - /* memory must be zero */ - *(this->out_position) = 0x00; - } - this->current_bit++; - if (this->current_bit >= 8) - { - this->current_bit = this->current_bit % 8; - this->out_position++; - } - } - else - { - if (this->current_bit > 0) - { - DBG1(DBG_ENC, "reserved field cannot be written cause " - "alignement of current bit is %d", this->current_bit); - return; - } - *(this->out_position) = 0x00; - this->out_position++; - } -} - /** * Generate a FLAG filed */ @@ -468,7 +395,7 @@ METHOD(generator_t, get_chunk, chunk_t, { chunk_t data; - *lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset); + *lenpos = (u_int32_t*)(this->buffer + this->header_length_offset); data = chunk_create(this->buffer, get_length(this)); DBG3(DBG_ENC, "generated data of this generator %B", &data); return data; @@ -484,8 +411,6 @@ METHOD(generator_t, generate_payload, void, this->data_struct = payload; payload_type = payload->get_type(payload); - /* spi size has to get reseted */ - this->last_spi_size = 0; offset_start = this->out_position - this->buffer; @@ -505,56 +430,25 @@ METHOD(generator_t, generate_payload, void, case U_INT_8: case U_INT_16: case U_INT_32: + case PAYLOAD_LENGTH: case IKE_SPI: + case RESERVED_BYTE: + case SPI_SIZE: case TS_TYPE: case ATTRIBUTE_TYPE: case CONFIGURATION_ATTRIBUTE_LENGTH: - { generate_u_int_type(this, rules[i].type, rules[i].offset); break; - } case RESERVED_BIT: - { - generate_reserved_field(this, 1); - break; - } - case RESERVED_BYTE: - { - generate_reserved_field(this, 8); - break; - } case FLAG: - { generate_flag(this, rules[i].offset); break; - } - case PAYLOAD_LENGTH: - { - this->last_payload_length_position_offset = get_offset(this); - generate_u_int_type(this, U_INT_16,rules[i].offset); - break; - } case HEADER_LENGTH: - { - this->header_length_position_offset = get_offset(this); - generate_u_int_type(this ,U_INT_32, rules[i].offset); - break; - } - case SPI_SIZE: - generate_u_int_type(this, U_INT_8, rules[i].offset); - this->last_spi_size = *((u_int8_t *)(this->data_struct + - rules[i].offset)); + this->header_length_offset = get_offset(this); + generate_u_int_type(this, U_INT_32, rules[i].offset); break; case ADDRESS: - { - generate_from_chunk(this, rules[i].offset); - break; - } case SPI: - { - generate_from_chunk(this, rules[i].offset); - break; - } case KEY_EXCHANGE_DATA: case NOTIFICATION_DATA: case NONCE_DATA: @@ -566,221 +460,52 @@ METHOD(generator_t, generate_payload, void, case CONFIGURATION_ATTRIBUTE_VALUE: case VID_DATA: case EAP_DATA: - { - u_int32_t payload_length_position_offset; - u_int16_t length_of_payload; - u_int16_t header_length = 0; - u_int16_t length_in_network_order; - - switch(rules[i].type) - { - case KEY_EXCHANGE_DATA: - header_length = KE_PAYLOAD_HEADER_LENGTH; - break; - case NOTIFICATION_DATA: - header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + - this->last_spi_size; - break; - case NONCE_DATA: - header_length = NONCE_PAYLOAD_HEADER_LENGTH; - break; - case ID_DATA: - header_length = ID_PAYLOAD_HEADER_LENGTH; - break; - case AUTH_DATA: - header_length = AUTH_PAYLOAD_HEADER_LENGTH; - break; - case CERT_DATA: - header_length = CERT_PAYLOAD_HEADER_LENGTH; - break; - case CERTREQ_DATA: - header_length = CERTREQ_PAYLOAD_HEADER_LENGTH; - break; - case SPIS: - header_length = DELETE_PAYLOAD_HEADER_LENGTH; - break; - case VID_DATA: - header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; - break; - case CONFIGURATION_ATTRIBUTE_VALUE: - header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; - break; - case EAP_DATA: - header_length = EAP_PAYLOAD_HEADER_LENGTH; - break; - default: - break; - } + case ENCRYPTED_DATA: + case UNKNOWN_DATA: generate_from_chunk(this, rules[i].offset); - - payload_length_position_offset = - this->last_payload_length_position_offset; - - length_of_payload = header_length + - ((chunk_t *)(this->data_struct + rules[i].offset))->len; - - length_in_network_order = htons(length_of_payload); - write_bytes_to_buffer_at_offset(this, &length_in_network_order, - sizeof(u_int16_t), payload_length_position_offset); break; - } case PROPOSALS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - /* Length of SA_PAYLOAD is calculated */ - u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *proposals = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_proposal; - - iterator = proposals->create_iterator(proposals,TRUE); - while (iterator->iterate(iterator, (void**)¤t_proposal)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_proposal); - after_generate_position_offset = get_offset(this); - length_of_sa_payload += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_sa_payload); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),payload_length_position_offset); - break; - } case TRANSFORMS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_proposal = - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size; - u_int16_t int16_val; - linked_list_t *transforms = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_transform; - - iterator = transforms->create_iterator(transforms,TRUE); - while (iterator->iterate(iterator, (void**)¤t_transform)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_transform); - after_generate_position_offset = get_offset(this); - - length_of_proposal += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_proposal); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t), payload_length_position_offset); - break; - } case TRANSFORM_ATTRIBUTES: - { - u_int32_t transform_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_transform = - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *transform_attributes =*((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_attribute; - - iterator = transform_attributes->create_iterator( - transform_attributes, TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_attribute); - after_generate_position_offset = get_offset(this); - - length_of_transform += (after_generate_position_offset - - before_generate_position_offset); - } - - iterator->destroy(iterator); - - int16_val = htons(length_of_transform); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),transform_length_position_offset); - break; - } case CONFIGURATION_ATTRIBUTES: + case TRAFFIC_SELECTORS: { - u_int32_t configurations_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *configuration_attributes = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_attribute; + linked_list_t *proposals; + enumerator_t *enumerator; + payload_t *proposal; - iterator = configuration_attributes->create_iterator( - configuration_attributes,TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) + proposals = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + enumerator = proposals->create_enumerator(proposals); + while (enumerator->enumerate(enumerator, &proposal)) { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_attribute); - after_generate_position_offset = get_offset(this); - - length_of_configurations += after_generate_position_offset - - before_generate_position_offset; + generate_payload(this, proposal); } - - iterator->destroy(iterator); - - int16_val = htons(length_of_configurations); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),configurations_length_position_offset); + enumerator->destroy(enumerator); break; } case ATTRIBUTE_FORMAT: - { generate_flag(this, rules[i].offset); /* Attribute format is a flag which is stored in context*/ this->attribute_format = *((bool *)(this->data_struct + rules[i].offset)); break; - } - case ATTRIBUTE_LENGTH_OR_VALUE: - { - if (this->attribute_format == FALSE) + if (this->attribute_format) { generate_u_int_type(this, U_INT_16, rules[i].offset); - /* this field hold the length of the attribute */ - this->attribute_length = - *((u_int16_t *)(this->data_struct + rules[i].offset)); } else { generate_u_int_type(this, U_INT_16, rules[i].offset); + /* this field hold the length of the attribute */ + this->attribute_length = + *((u_int16_t *)(this->data_struct + rules[i].offset)); } break; - } case ATTRIBUTE_VALUE: { - if (this->attribute_format == FALSE) + if (!this->attribute_format) { DBG2(DBG_ENC, "attribute value has not fixed size"); /* the attribute value is generated */ @@ -788,44 +513,6 @@ METHOD(generator_t, generate_payload, void, } break; } - case TRAFFIC_SELECTORS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *traffic_selectors = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_tss; - - iterator = traffic_selectors->create_iterator( - traffic_selectors,TRUE); - while (iterator->iterate(iterator, (void **)¤t_tss)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_tss); - after_generate_position_offset = get_offset(this); - - length_of_ts_payload += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_ts_payload); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),payload_length_position_offset); - break; - } - - case ENCRYPTED_DATA: - { - generate_from_chunk(this, rules[i].offset); - break; - } default: DBG1(DBG_ENC, "field type %N is not supported", encoding_type_names, rules[i].type); diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index d41ad4697..dbef340ab 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -131,6 +131,7 @@ static payload_rule_t ike_sa_init_r_rules[] = { {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE}, {KEY_EXCHANGE, 1, 1, FALSE, FALSE}, {NONCE, 1, 1, FALSE, FALSE}, + {CERTIFICATE_REQUEST, 1, 1, FALSE, FALSE}, {VENDOR_ID, 0, 10, FALSE, FALSE}, }; @@ -489,6 +490,21 @@ struct private_message_t { */ bool is_request; + /** + * Higher version supported? + */ + bool version_flag; + + /** + * Reserved bits in IKE header + */ + bool reserved[5]; + + /** + * Sorting of message disabled? + */ + bool sort_disabled; + /** * Message ID of this message. */ @@ -647,18 +663,35 @@ METHOD(message_t, get_request, bool, return this->is_request; } -/** - * Is this message in an encoded form? - */ -static bool is_encoded(private_message_t *this) +METHOD(message_t, set_version_flag, void, + private_message_t *this) { - chunk_t data = this->packet->get_data(this->packet); + this->version_flag = TRUE; +} - if (data.ptr == NULL) +METHOD(message_t, get_reserved_header_bit, bool, + private_message_t *this, u_int nr) +{ + if (nr < countof(this->reserved)) { - return FALSE; + return this->reserved[nr]; } - return TRUE; + return FALSE; +} + +METHOD(message_t, set_reserved_header_bit, void, + private_message_t *this, u_int nr) +{ + if (nr < countof(this->reserved)) + { + this->reserved[nr] = TRUE; + } +} + +METHOD(message_t, is_encoded, bool, + private_message_t *this) +{ + return this->packet->get_data(this->packet).ptr != NULL; } METHOD(message_t, add_payload, void, @@ -732,6 +765,12 @@ METHOD(message_t, create_payload_enumerator, enumerator_t*, return this->payloads->create_enumerator(this->payloads); } +METHOD(message_t, remove_payload_at, void, + private_message_t *this, enumerator_t *enumerator) +{ + this->payloads->remove_at(this->payloads, enumerator); +} + METHOD(message_t, get_payload, payload_t*, private_message_t *this, payload_type_t type) { @@ -1001,6 +1040,12 @@ static encryption_payload_t* wrap_payloads(private_message_t *this) return encryption; } +METHOD(message_t, disable_sort, void, + private_message_t *this) +{ + this->sort_disabled = TRUE; +} + METHOD(message_t, generate, status_t, private_message_t *this, aead_t *aead, packet_t **packet) { @@ -1012,12 +1057,8 @@ METHOD(message_t, generate, status_t, chunk_t chunk; char str[256]; u_int32_t *lenpos; - - if (is_encoded(this)) - { /* already generated, return a new packet clone */ - *packet = this->packet->clone(this->packet); - return SUCCESS; - } + bool *reserved; + int i; if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED) { @@ -1039,7 +1080,10 @@ METHOD(message_t, generate, status_t, return NOT_SUPPORTED; } - order_payloads(this); + if (!this->sort_disabled) + { + order_payloads(this); + } DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); @@ -1053,9 +1097,12 @@ METHOD(message_t, generate, status_t, } ike_header = ike_header_create(); + ike_header->set_maj_version(ike_header, this->major_version); + ike_header->set_min_version(ike_header, this->minor_version); ike_header->set_exchange_type(ike_header, this->exchange_type); ike_header->set_message_id(ike_header, this->message_id); ike_header->set_response_flag(ike_header, !this->is_request); + ike_header->set_version_flag(ike_header, this->version_flag); ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id)); ike_header->set_initiator_spi(ike_header, @@ -1063,6 +1110,16 @@ METHOD(message_t, generate, status_t, ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id)); + for (i = 0; i < countof(this->reserved); i++) + { + reserved = payload_get_field(&ike_header->payload_interface, + RESERVED_BIT, i); + if (reserved) + { + *reserved = this->reserved[i]; + } + } + generator = generator_create(); /* generate all payloads with proper next type */ @@ -1131,6 +1188,8 @@ METHOD(message_t, parse_header, status_t, { ike_header_t *ike_header; status_t status; + bool *reserved; + int i; DBG2(DBG_ENC, "parsing header of message"); @@ -1165,7 +1224,15 @@ METHOD(message_t, parse_header, status_t, this->minor_version = ike_header->get_min_version(ike_header); this->first_payload = ike_header->payload_interface.get_next_type( &ike_header->payload_interface); - + for (i = 0; i < countof(this->reserved); i++) + { + reserved = payload_get_field(&ike_header->payload_interface, + RESERVED_BIT, i); + if (reserved) + { + this->reserved[i] = *reserved; + } + } DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); @@ -1181,6 +1248,31 @@ METHOD(message_t, parse_header, status_t, return status; } +/** + * Check if a payload is for a mediation extension connectivity check + */ +static bool is_connectivity_check(private_message_t *this, payload_t *payload) +{ +#ifdef ME + if (this->exchange_type == INFORMATIONAL && + payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + switch (notify->get_notify_type(notify)) + { + case ME_CONNECTID: + case ME_ENDPOINT: + case ME_CONNECTAUTH: + return TRUE; + default: + break; + } + } +#endif /* !ME */ + return FALSE; +} + /** * Decrypt payload from the encryption payload */ @@ -1252,14 +1344,15 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) } encryption->destroy(encryption); } - if (type != UNKNOWN_PAYLOAD && !was_encrypted) + if (payload_is_known(type) && !was_encrypted && + !is_connectivity_check(this, payload)) { rule = get_payload_rule(this, type); if (!rule || rule->encrypted) { DBG1(DBG_ENC, "payload type %N was not encrypted", payload_type_names, type); - status = VERIFY_ERROR; + status = FAILED; break; } } @@ -1274,6 +1367,7 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) */ static status_t verify(private_message_t *this) { + bool complete = FALSE; int i; DBG2(DBG_ENC, "verifying message structure"); @@ -1291,22 +1385,9 @@ static status_t verify(private_message_t *this) while (enumerator->enumerate(enumerator, &payload)) { payload_type_t type; - unknown_payload_t *unknown; type = payload->get_type(payload); - if (type == UNKNOWN_PAYLOAD) - { - /* unknown payloads are ignored if they are not critical */ - unknown = (unknown_payload_t*)payload; - if (unknown->is_critical(unknown)) - { - DBG1(DBG_ENC, "%N is not supported, but its critical!", - payload_type_names, type); - enumerator->destroy(enumerator); - return NOT_SUPPORTED; - } - } - else if (type == rule->type) + if (type == rule->type) { found++; DBG2(DBG_ENC, "found payload of type %N", @@ -1323,15 +1404,15 @@ static status_t verify(private_message_t *this) } enumerator->destroy(enumerator); - if (found < rule->min_occurence) + if (!complete && found < rule->min_occurence) { DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)", payload_type_names, rule->type, rule->min_occurence, found); return VERIFY_ERROR; } - if (rule->sufficient) + if (found && rule->sufficient) { - return SUCCESS; + complete = TRUE; } } return SUCCESS; @@ -1360,7 +1441,7 @@ METHOD(message_t, parse_body, status_t, { DBG1(DBG_ENC, "payload type %N could not be parsed", payload_type_names, type); - return PARSE_ERROR; + return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED; } DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type); @@ -1370,7 +1451,7 @@ METHOD(message_t, parse_body, status_t, DBG1(DBG_ENC, "%N payload verification failed", payload_type_names, type); payload->destroy(payload); - return VERIFY_ERROR; + return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED; } DBG2(DBG_ENC, "%N payload verified. Adding to payload list", @@ -1388,14 +1469,11 @@ METHOD(message_t, parse_body, status_t, type = payload->get_next_type(payload); } - if (type == ENCRYPTED) + status = decrypt_payloads(this, aead); + if (status != SUCCESS) { - status = decrypt_payloads(this, aead); - if (status != SUCCESS) - { - DBG1(DBG_ENC, "could not decrypt payloads"); - return status; - } + DBG1(DBG_ENC, "could not decrypt payloads"); + return status; } status = verify(this); @@ -1443,14 +1521,20 @@ message_t *message_create_from_packet(packet_t *packet) .get_first_payload_type = _get_first_payload_type, .set_request = _set_request, .get_request = _get_request, + .set_version_flag = _set_version_flag, + .get_reserved_header_bit = _get_reserved_header_bit, + .set_reserved_header_bit = _set_reserved_header_bit, .add_payload = _add_payload, .add_notify = _add_notify, + .disable_sort = _disable_sort, .generate = _generate, + .is_encoded = _is_encoded, .set_source = _set_source, .get_source = _get_source, .set_destination = _set_destination, .get_destination = _get_destination, .create_payload_enumerator = _create_payload_enumerator, + .remove_payload_at = _remove_payload_at, .get_payload = _get_payload, .get_notify = _get_notify, .parse_header = _parse_header, @@ -1459,6 +1543,8 @@ message_t *message_create_from_packet(packet_t *packet) .get_packet_data = _get_packet_data, .destroy = _destroy, }, + .major_version = IKE_MAJOR_VERSION, + .minor_version = IKE_MINOR_VERSION, .exchange_type = EXCHANGE_TYPE_UNDEFINED, .is_request = TRUE, .first_payload = NO_PAYLOAD, diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h index 8c1cbcd09..51197308c 100644 --- a/src/libcharon/encoding/message.h +++ b/src/libcharon/encoding/message.h @@ -153,6 +153,26 @@ struct message_t { */ bool (*get_request) (message_t *this); + /** + * Set the version flag in the IKE header. + */ + void (*set_version_flag)(message_t *this); + + /** + * Get a reserved bit in the IKE header. + * + * @param nr reserved bit to get in IKE header, 0-4 + * @return TRUE if bit is set + */ + bool (*get_reserved_header_bit)(message_t *this, u_int nr); + + /** + * Set a reserved bit in the IKE header. + * + * @param nr reserved bit to set in IKE header, 0-4 + */ + void (*set_reserved_header_bit)(message_t *this, u_int nr); + /** * Append a payload to the message. * @@ -180,6 +200,11 @@ struct message_t { void (*add_notify) (message_t *this, bool flush, notify_type_t type, chunk_t data); + /** + * Disable automatic payload sorting for this message. + */ + void (*disable_sort)(message_t *this); + /** * Parses header of message. * @@ -206,8 +231,6 @@ struct message_t { * @param aead aead transform to verify/decrypt message * @return * - SUCCESS if parsing successful - * - NOT_SUPPORTED if ciritcal unknown payloads found - * - NOT_SUPPORTED if message type is not supported! * - PARSE_ERROR if message parsing failed * - VERIFY_ERROR if message verification failed (bad syntax) * - FAILED if integrity check failed @@ -234,6 +257,13 @@ struct message_t { */ status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet); + /** + * Check if the message has already been encoded using generate(). + * + * @return TRUE if message has been encoded + */ + bool (*is_encoded)(message_t *this); + /** * Gets the source host informations. * @@ -281,6 +311,13 @@ struct message_t { */ enumerator_t * (*create_payload_enumerator) (message_t *this); + /** + * Remove the payload at the current enumerator position. + * + * @param enumerator enumerator created by create_payload_enumerator() + */ + void (*remove_payload_at)(message_t *this, enumerator_t *enumerator); + /** * Find a payload of a specific type. * diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c index 9aa34b1bc..32cefb9e7 100644 --- a/src/libcharon/encoding/parser.c +++ b/src/libcharon/encoding/parser.c @@ -387,12 +387,6 @@ static status_t parse_payload(private_parser_t *this, DBG3(DBG_ENC, "parsing payload from %b", this->byte_pos, this->input_roof - this->byte_pos); - if (pld->get_type(pld) == UNKNOWN_PAYLOAD) - { - DBG1(DBG_ENC, " payload type %d is unknown, handling as %N", - payload_type, payload_type_names, UNKNOWN_PAYLOAD); - } - /* base pointer for output, avoids casting in every rule */ output = pld; @@ -415,6 +409,7 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_8: + case RESERVED_BYTE: { if (!parse_uint8(this, rule_number, output + rule->offset)) { @@ -433,6 +428,7 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_32: + case HEADER_LENGTH: { if (!parse_uint32(this, rule_number, output + rule->offset)) { @@ -451,23 +447,6 @@ static status_t parse_payload(private_parser_t *this, break; } case RESERVED_BIT: - { - if (!parse_bit(this, rule_number, NULL)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } - case RESERVED_BYTE: - { - if (!parse_uint8(this, rule_number, NULL)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } case FLAG: { if (!parse_bit(this, rule_number, output + rule->offset)) @@ -493,15 +472,6 @@ static status_t parse_payload(private_parser_t *this, } break; } - case HEADER_LENGTH: - { - if (!parse_uint32(this, rule_number, output + rule->offset)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } case SPI_SIZE: { if (!parse_uint8(this, rule_number, output + rule->offset)) diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c index d31208abb..cb44a997c 100644 --- a/src/libcharon/encoding/payloads/auth_payload.c +++ b/src/libcharon/encoding/payloads/auth_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -18,7 +19,6 @@ #include - typedef struct private_auth_payload_t private_auth_payload_t; /** @@ -42,6 +42,16 @@ struct private_auth_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ @@ -66,27 +76,27 @@ struct private_auth_payload_t { */ encoding_rule_t auth_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, + { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_auth_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_auth_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length) }, /* 1 Byte AUTH type*/ - { U_INT_8, offsetof(private_auth_payload_t, auth_method) }, + { U_INT_8, offsetof(private_auth_payload_t, auth_method) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[0]) }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[1]) }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[2]) }, /* some auth data bytes, length is defined in PAYLOAD_LENGTH */ - { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } + { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } }; /* @@ -103,125 +113,73 @@ encoding_rule_t auth_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_auth_payload_t *this) +METHOD(payload_t, verify, status_t, + private_auth_payload_t *this) { - if (this->auth_method == 0 || - (this->auth_method >= 4 && this->auth_method <= 8) || - (this->auth_method >= 12 && this->auth_method <= 200)) - { - /* reserved IDs */ - return FAILED; - } return SUCCESS; } -/** - * Implementation of auth_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = auth_payload_encodings; - *rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(auth_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_auth_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_auth_payload_t *this) { return AUTHENTICATION; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_auth_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_auth_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_auth_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_auth_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_auth_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_auth_payload_t *this) { return this->payload_length; } -/** - * Implementation of auth_payload_t.set_auth_method. - */ -static void set_auth_method (private_auth_payload_t *this, auth_method_t method) +METHOD(auth_payload_t, set_auth_method, void, + private_auth_payload_t *this, auth_method_t method) { this->auth_method = method; } -/** - * Implementation of auth_payload_t.get_auth_method. - */ -static auth_method_t get_auth_method (private_auth_payload_t *this) +METHOD(auth_payload_t, get_auth_method, auth_method_t, + private_auth_payload_t *this) { - return (this->auth_method); + return this->auth_method; } -/** - * Implementation of auth_payload_t.set_data. - */ -static void set_data (private_auth_payload_t *this, chunk_t data) +METHOD(auth_payload_t, set_data, void, + private_auth_payload_t *this, chunk_t data) { - if (this->auth_data.ptr != NULL) - { - chunk_free(&(this->auth_data)); - } - this->auth_data.ptr = clalloc(data.ptr,data.len); - this->auth_data.len = data.len; + free(this->auth_data.ptr); + this->auth_data = chunk_clone(data); this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len; } -/** - * Implementation of auth_payload_t.get_data. - */ -static chunk_t get_data (private_auth_payload_t *this) +METHOD(auth_payload_t, get_data, chunk_t, + private_auth_payload_t *this) { - return (this->auth_data); + return this->auth_data; } -/** - * Implementation of auth_payload_t.get_data_clone. - */ -static chunk_t get_data_clone (private_auth_payload_t *this) +METHOD2(payload_t, auth_payload_t, destroy, void, + private_auth_payload_t *this) { - chunk_t cloned_data; - if (this->auth_data.ptr == NULL) - { - return (this->auth_data); - } - cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len); - cloned_data.len = this->auth_data.len; - return cloned_data; -} - -/** - * Implementation of payload_t.destroy and auth_payload_t.destroy. - */ -static void destroy(private_auth_payload_t *this) -{ - if (this->auth_data.ptr != NULL) - { - chunk_free(&(this->auth_data)); - } - + free(this->auth_data.ptr); free(this); } @@ -230,30 +188,27 @@ static void destroy(private_auth_payload_t *this) */ auth_payload_t *auth_payload_create() { - private_auth_payload_t *this = malloc_thing(private_auth_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (auth_payload_t *)) destroy; - this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method; - this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method; - this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data; - this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone; - this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH; - this->auth_data = chunk_empty; - - return (&(this->public)); + private_auth_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_auth_method = _set_auth_method, + .get_auth_method = _get_auth_method, + .set_data = _set_data, + .get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = AUTH_PAYLOAD_HEADER_LENGTH, + ); + return &this->public; } diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h index 37ee149db..e4c4e6ae3 100644 --- a/src/libcharon/encoding/payloads/auth_payload.h +++ b/src/libcharon/encoding/payloads/auth_payload.h @@ -62,29 +62,31 @@ struct auth_payload_t { /** * Set the AUTH data. * - * Data gets cloned. - * - * @param data AUTH data as chunk_t + * @param data AUTH data as chunk_t, gets cloned */ void (*set_data) (auth_payload_t *this, chunk_t data); /** * Get the AUTH data. * - * Returned data are a copy of the internal one. - * - * @return AUTH data as chunk_t + * @return AUTH data as chunk_t, internal data */ - chunk_t (*get_data_clone) (auth_payload_t *this); + chunk_t (*get_data) (auth_payload_t *this); /** - * Get the AUTH data. + * Get the value of a reserved bit. * - * Returned data are NOT copied + * @param nr number of the reserved bit, 0-6 + * @return TRUE if bit was set, FALSE to clear + */ + bool (*get_reserved_bit)(auth_payload_t *this, u_int nr); + + /** + * Set one of the reserved bits. * - * @return AUTH data as chunk_t + * @param nr number of the reserved bit, 0-6 */ - chunk_t (*get_data) (auth_payload_t *this); + void (*set_reserved_bit)(auth_payload_t *this, u_int nr); /** * Destroys an auth_payload_t object. diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index 80239f654..c42cec680 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -43,9 +44,9 @@ typedef struct private_cert_payload_t private_cert_payload_t; /** * Private data of an cert_payload_t object. - * */ struct private_cert_payload_t { + /** * Public cert_payload_t interface. */ @@ -61,6 +62,11 @@ struct private_cert_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -91,23 +97,23 @@ struct private_cert_payload_t { */ encoding_rule_t cert_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, + { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_cert_payload_t, critical) }, + { FLAG, offsetof(private_cert_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)}, /* 1 Byte CERT type*/ { U_INT_8, offsetof(private_cert_payload_t, encoding) }, /* some cert data bytes, length is defined in PAYLOAD_LENGTH */ - { CERT_DATA, offsetof(private_cert_payload_t, data) } + { CERT_DATA, offsetof(private_cert_payload_t, data) } }; /* @@ -123,25 +129,23 @@ encoding_rule_t cert_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_cert_payload_t *this) +METHOD(payload_t, verify, status_t, + private_cert_payload_t *this) { if (this->encoding == ENC_X509_HASH_AND_URL || this->encoding == ENC_X509_HASH_AND_URL_BUNDLE) { + int i; + /* coarse verification of "Hash and URL" encoded certificates */ if (this->data.len <= 20) { DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore", - this->data.len); + this->data.len); this->invalid_hash_and_url = TRUE; return SUCCESS; } - - int i = 20; /* skipping the hash */ - for (; i < this->data.len; ++i) + for (i = 20; i < this->data.len; ++i) { if (this->data.ptr[i] == '\0') { @@ -151,94 +155,81 @@ static status_t verify(private_cert_payload_t *this) else if (!isprint(this->data.ptr[i])) { DBG1(DBG_ENC, "non printable characters in url of hash-and-url" - " encoded certificate payload, ignore"); + " encoded certificate payload, ignore"); this->invalid_hash_and_url = TRUE; return SUCCESS; } } - /* URL is not null terminated, correct that */ - chunk_t data = chunk_alloc(this->data.len + 1); - memcpy(data.ptr, this->data.ptr, this->data.len); - data.ptr[this->data.len] = '\0'; - chunk_free(&this->data); - this->data = data; + this->data = chunk_cat("mc", this->data, chunk_from_chars(0)); } return SUCCESS; } -/** - * Implementation of cert_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_cert_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = cert_payload_encodings; - *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(cert_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_cert_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_cert_payload_t *this) { return CERTIFICATE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_cert_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_cert_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_cert_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_cert_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_cert_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_cert_payload_t *this) { return this->payload_length; } -/** - * Implementation of cert_payload_t.get_cert_encoding. - */ -static cert_encoding_t get_cert_encoding(private_cert_payload_t *this) +METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t, + private_cert_payload_t *this) { return this->encoding; } -/** - * Implementation of cert_payload_t.get_cert. - */ -static certificate_t *get_cert(private_cert_payload_t *this) +METHOD(cert_payload_t, get_cert, certificate_t*, + private_cert_payload_t *this) { - if (this->encoding != ENC_X509_SIGNATURE) + int type; + + switch (this->encoding) { - return NULL; + case ENC_X509_SIGNATURE: + type = CERT_X509; + break; + case ENC_CRL: + type = CERT_X509_CRL; + break; + default: + return NULL; } - return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, this->data, - BUILD_END); + return lib->creds->create(lib->creds, CRED_CERTIFICATE, type, + BUILD_BLOB_ASN1_DER, this->data, BUILD_END); } -/** - * Implementation of cert_payload_t.get_hash. - */ -static chunk_t get_hash(private_cert_payload_t *this) +METHOD(cert_payload_t, get_hash, chunk_t, + private_cert_payload_t *this) { chunk_t hash = chunk_empty; + if ((this->encoding != ENC_X509_HASH_AND_URL && - this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || this->invalid_hash_and_url) { return hash; @@ -248,13 +239,11 @@ static chunk_t get_hash(private_cert_payload_t *this) return hash; } -/** - * Implementation of cert_payload_t.get_url. - */ -static char *get_url(private_cert_payload_t *this) +METHOD(cert_payload_t, get_url, char*, + private_cert_payload_t *this) { if ((this->encoding != ENC_X509_HASH_AND_URL && - this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || this->invalid_hash_and_url) { return NULL; @@ -262,12 +251,10 @@ static char *get_url(private_cert_payload_t *this) return (char*)this->data.ptr + 20; } -/** - * Implementation of payload_t.destroy and cert_payload_t.destroy. - */ -static void destroy(private_cert_payload_t *this) +METHOD2(payload_t, cert_payload_t, destroy, void, + private_cert_payload_t *this) { - chunk_free(&this->data); + free(this->data.ptr); free(this); } @@ -276,29 +263,28 @@ static void destroy(private_cert_payload_t *this) */ cert_payload_t *cert_payload_create() { - private_cert_payload_t *this = malloc_thing(private_cert_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; - - this->public.destroy = (void (*) (cert_payload_t*))destroy; - this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert; - this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding; - this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash; - this->public.get_url = (char* (*) (cert_payload_t*))get_url; - - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CERT_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - this->encoding = 0; - this->invalid_hash_and_url = FALSE; - + private_cert_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_cert = _get_cert, + .get_cert_encoding = _get_cert_encoding, + .get_hash = _get_hash, + .get_url = _get_url, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = CERT_PAYLOAD_HEADER_LENGTH, + ); return &this->public; } @@ -343,3 +329,15 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url) return &this->public; } +/* + * Described in header + */ +cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data) +{ + private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create(); + + this->encoding = type; + this->data = data; + this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len; + return &this->public; +} diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h index aa1c7bf5a..21b503a40 100644 --- a/src/libcharon/encoding/payloads/cert_payload.h +++ b/src/libcharon/encoding/payloads/cert_payload.h @@ -134,4 +134,13 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert); */ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url); +/** + * Creates a custom certificate payload using type and associated data. + * + * @param type encoding type of certificate + * @param data associated data (gets owned) + * @return cert_payload_t object + */ +cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data); + #endif /** CERT_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c index 9ff0bdde0..8e0836f0e 100644 --- a/src/libcharon/encoding/payloads/certreq_payload.c +++ b/src/libcharon/encoding/payloads/certreq_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -22,14 +23,13 @@ #include "certreq_payload.h" - typedef struct private_certreq_payload_t private_certreq_payload_t; /** * Private data of an certreq_payload_t object. - * */ struct private_certreq_payload_t { + /** * Public certreq_payload_t interface. */ @@ -45,6 +45,11 @@ struct private_certreq_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -66,21 +71,20 @@ struct private_certreq_payload_t { * * The defined offsets are the positions in a object of type * private_certreq_payload_t. - * */ encoding_rule_t certreq_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_certreq_payload_t, next_payload) }, + { U_INT_8, offsetof(private_certreq_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_certreq_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_certreq_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_certreq_payload_t, payload_length) }, /* 1 Byte CERTREQ type*/ @@ -102,10 +106,8 @@ encoding_rule_t certreq_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_certreq_payload_t *this) +METHOD(payload_t, verify, status_t, + private_certreq_payload_t *this) { if (this->encoding == ENC_X509_SIGNATURE) { @@ -120,51 +122,39 @@ static status_t verify(private_certreq_payload_t *this) return SUCCESS; } -/** - * Implementation of certreq_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = certreq_payload_encodings; - *rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(certreq_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_certreq_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_certreq_payload_t *this) { return CERTIFICATE_REQUEST; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_certreq_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_certreq_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_certreq_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_certreq_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_certreq_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_certreq_payload_t *this) { return this->payload_length; } -/** - * Implementation of certreq_payload_t.add_keyid. - */ -static void add_keyid(private_certreq_payload_t *this, chunk_t keyid) +METHOD(certreq_payload_t, add_keyid, void, + private_certreq_payload_t *this, chunk_t keyid) { this->data = chunk_cat("mc", this->data, keyid); this->payload_length += keyid.len; @@ -181,10 +171,8 @@ struct keyid_enumerator_t { u_char *pos; }; -/** - * enumerate function for keyid_enumerator - */ -static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk) +METHOD(enumerator_t, keyid_enumerate, bool, + keyid_enumerator_t *this, chunk_t *chunk) { if (this->pos == NULL) { @@ -207,23 +195,23 @@ static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk) return FALSE; } -/** - * Implementation of certreq_payload_t.create_keyid_enumerator. - */ -static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this) +METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*, + private_certreq_payload_t *this) { - keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t); - enumerator->public.enumerate = (void*)keyid_enumerate; - enumerator->public.destroy = (void*)free; - enumerator->full = this->data; - enumerator->pos = NULL; + keyid_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_keyid_enumerate, + .destroy = (void*)free, + }, + .full = this->data, + ); return &enumerator->public; } -/** - * Implementation of certreq_payload_t.get_cert_type. - */ -static certificate_type_t get_cert_type(private_certreq_payload_t *this) +METHOD(certreq_payload_t, get_cert_type, certificate_type_t, + private_certreq_payload_t *this) { switch (this->encoding) { @@ -234,10 +222,8 @@ static certificate_type_t get_cert_type(private_certreq_payload_t *this) } } -/** - * Implementation of payload_t.destroy and certreq_payload_t.destroy. - */ -static void destroy(private_certreq_payload_t *this) +METHOD2(payload_t, certreq_payload_t, destroy, void, + private_certreq_payload_t *this) { chunk_free(&this->data); free(this); @@ -248,30 +234,27 @@ static void destroy(private_certreq_payload_t *this) */ certreq_payload_t *certreq_payload_create() { - private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; - - /* public functions */ - this->public.destroy = (void (*) (certreq_payload_t*)) destroy; - this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator; - this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type; - this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - this->encoding = 0; - + private_certreq_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .create_keyid_enumerator = _create_keyid_enumerator, + .get_cert_type = _get_cert_type, + .add_keyid = _add_keyid, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH, + ); return &this->public; } diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c index 9094fd44d..e608497bd 100644 --- a/src/libcharon/encoding/payloads/configuration_attribute.c +++ b/src/libcharon/encoding/payloads/configuration_attribute.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -22,19 +23,23 @@ #include #include - typedef struct private_configuration_attribute_t private_configuration_attribute_t; /** * Private data of an configuration_attribute_t object. - * */ struct private_configuration_attribute_t { + /** * Public configuration_attribute_t interface. */ configuration_attribute_t public; + /** + * Reserved bit + */ + bool reserved; + /** * Type of the attribute. */ @@ -58,8 +63,8 @@ struct private_configuration_attribute_t { * private_configuration_attribute_t. */ encoding_rule_t configuration_attribute_encodings[] = { - - { RESERVED_BIT, 0 }, + /* 1 reserved bit */ + { RESERVED_BIT, offsetof(private_configuration_attribute_t, reserved)}, /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_configuration_attribute_t, type) }, /* Length of attribute value */ @@ -80,10 +85,8 @@ encoding_rule_t configuration_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_configuration_attribute_t *this) +METHOD(payload_t, verify, status_t, + private_configuration_attribute_t *this) { bool failed = FALSE; @@ -151,69 +154,51 @@ static status_t verify(private_configuration_attribute_t *this) return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_configuration_attribute_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_configuration_attribute_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = configuration_attribute_encodings; - *rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(configuration_attribute_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_configuration_attribute_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_configuration_attribute_t *this) { return CONFIGURATION_ATTRIBUTE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_configuration_attribute_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_configuration_attribute_t *this) { return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_configuration_attribute_t *this, - payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_configuration_attribute_t *this, payload_type_t type) { } -/** - * Implementation of configuration_attribute_t.get_length. - */ -static size_t get_length(private_configuration_attribute_t *this) +METHOD(payload_t, get_length, size_t, + private_configuration_attribute_t *this) { return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; } -/** - * Implementation of configuration_attribute_t.get_type. - */ -static configuration_attribute_type_t get_configuration_attribute_type( - private_configuration_attribute_t *this) +METHOD(configuration_attribute_t, get_cattr_type, configuration_attribute_type_t, + private_configuration_attribute_t *this) { return this->type; } -/** - * Implementation of configuration_attribute_t.get_value. - */ -static chunk_t get_value(private_configuration_attribute_t *this) +METHOD(configuration_attribute_t, get_value, chunk_t, + private_configuration_attribute_t *this) { return this->value; } -/** - * Implementation of configuration_attribute_t.destroy and payload_t.destroy. - */ -static void destroy(private_configuration_attribute_t *this) +METHOD2(payload_t, configuration_attribute_t, destroy, void, + private_configuration_attribute_t *this) { free(this->value.ptr); free(this); @@ -226,23 +211,22 @@ configuration_attribute_t *configuration_attribute_create() { private_configuration_attribute_t *this; - this = malloc_thing(private_configuration_attribute_t); - this->public.payload_interface.verify = (status_t(*)(payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules; - this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length; - this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type; - this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type; - this->public.payload_interface.destroy = (void(*)(payload_t*))destroy; - - this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value; - this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type; - this->public.destroy = (void (*)(configuration_attribute_t*))destroy; - - this->type = 0; - this->value = chunk_empty; - this->length = 0; - + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_value = _get_value, + .get_type = _get_cattr_type, + .destroy = _destroy, + }, + ); return &this->public; } diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c index f0a26eee2..82e9e51b7 100644 --- a/src/libcharon/encoding/payloads/cp_payload.c +++ b/src/libcharon/encoding/payloads/cp_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -32,9 +33,9 @@ typedef struct private_cp_payload_t private_cp_payload_t; /** * Private data of an cp_payload_t object. - * */ struct private_cp_payload_t { + /** * Public cp_payload_t interface. */ @@ -50,6 +51,16 @@ struct private_cp_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ @@ -71,30 +82,30 @@ struct private_cp_payload_t { * * The defined offsets are the positions in a object of type * private_cp_payload_t. - * */ encoding_rule_t cp_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_cp_payload_t, next_payload) }, + { U_INT_8, offsetof(private_cp_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_cp_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_cp_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[6]) }, /* Length of the whole CP payload*/ - { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, offset points to a linked_list_t pointer */ - { U_INT_8, offsetof(private_cp_payload_t, type) }, - { RESERVED_BYTE,0 }, - { RESERVED_BYTE,0 }, - { RESERVED_BYTE,0 }, - { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } + { U_INT_8, offsetof(private_cp_payload_t, type) }, + /* 3 reserved bytes */ + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[2])}, + { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } }; /* @@ -111,10 +122,8 @@ encoding_rule_t cp_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_cp_payload_t *this) +METHOD(payload_t, verify, status_t, + private_cp_payload_t *this) { status_t status = SUCCESS; enumerator_t *enumerator; @@ -133,36 +142,27 @@ static status_t verify(private_cp_payload_t *this) return status; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_cp_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = cp_payload_encodings; - *rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(cp_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_cp_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_cp_payload_t *this) { return CONFIGURATION; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_cp_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_cp_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_cp_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_cp_payload_t *this,payload_type_t type) { this->next_payload = type; } @@ -185,44 +185,33 @@ static void compute_length(private_cp_payload_t *this) enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_cp_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_cp_payload_t *this) { return this->payload_length; } -/** - * Implementation of cp_payload_t.create_attribute_enumerator. - */ -static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this) +METHOD(cp_payload_t, create_attribute_enumerator, enumerator_t*, + private_cp_payload_t *this) { return this->attributes->create_enumerator(this->attributes); } -/** - * Implementation of cp_payload_t.add_attribute. - */ -static void add_attribute(private_cp_payload_t *this, - configuration_attribute_t *attribute) +METHOD(cp_payload_t, add_attribute, void, + private_cp_payload_t *this, configuration_attribute_t *attribute) { this->attributes->insert_last(this->attributes, attribute); compute_length(this); } -/** - * Implementation of cp_payload_t.get_type. - */ -static config_type_t get_config_type(private_cp_payload_t *this) +METHOD(cp_payload_t, get_config_type, config_type_t, + private_cp_payload_t *this) { return this->type; } -/** - * Implementation of payload_t.destroy and cp_payload_t.destroy. - */ -static void destroy(private_cp_payload_t *this) +METHOD2(payload_t, cp_payload_t, destroy, void, + private_cp_payload_t *this) { this->attributes->destroy_offset(this->attributes, offsetof(configuration_attribute_t, destroy)); @@ -232,42 +221,38 @@ static void destroy(private_cp_payload_t *this) /* * Described in header. */ -cp_payload_t *cp_payload_create() +cp_payload_t *cp_payload_create_type(config_type_t type) { - private_cp_payload_t *this = malloc_thing(private_cp_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator; - this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute; - this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type; - this->public.destroy = (void (*)(cp_payload_t *))destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CP_PAYLOAD_HEADER_LENGTH; - this->attributes = linked_list_create(); - this->type = CFG_REQUEST; - + private_cp_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .create_attribute_enumerator = _create_attribute_enumerator, + .add_attribute = _add_attribute, + .get_type = _get_config_type, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = CP_PAYLOAD_HEADER_LENGTH, + .attributes = linked_list_create(), + .type = type, + ); return &this->public; } /* * Described in header. */ -cp_payload_t *cp_payload_create_type(config_type_t type) +cp_payload_t *cp_payload_create() { - private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create(); - - this->type = type; - - return &this->public; + return cp_payload_create_type(CFG_REQUEST); } - diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index 5fc3b7c88..e6ee07d39 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -42,6 +42,11 @@ struct private_delete_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -79,14 +84,14 @@ encoding_rule_t delete_payload_encodings[] = { { U_INT_8, offsetof(private_delete_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_delete_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length) }, { U_INT_8, offsetof(private_delete_payload_t, protocol_id) }, diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index 21f34a642..eafb668b6 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -42,6 +42,11 @@ struct private_eap_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -66,13 +71,13 @@ static encoding_rule_t eap_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_eap_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_eap_payload_t, payload_length) }, /* chunt to data, starting at "code" */ diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c index 4158c3e07..3befadfe2 100644 --- a/src/libcharon/encoding/payloads/id_payload.c +++ b/src/libcharon/encoding/payloads/id_payload.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2007 Tobias Brunner - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * * Hochschule fuer Technik Rapperswil @@ -50,6 +51,16 @@ struct private_id_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ @@ -71,31 +82,30 @@ struct private_id_payload_t { * * The defined offsets are the positions in a object of type * private_id_payload_t. - * */ encoding_rule_t id_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_id_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_id_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_id_payload_t, payload_length) }, /* 1 Byte ID type*/ { U_INT_8, offsetof(private_id_payload_t, id_type) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[2])}, /* some id data bytes, length is defined in PAYLOAD_LENGTH */ - { ID_DATA, offsetof(private_id_payload_t, id_data) } + { ID_DATA, offsetof(private_id_payload_t, id_data) } }; /* @@ -112,136 +122,59 @@ encoding_rule_t id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_id_payload_t *this) +METHOD(payload_t, verify, status_t, + private_id_payload_t *this) { - if ((this->id_type == 0) || - (this->id_type == 4) || - ((this->id_type >= 6) && (this->id_type <= 8)) || - ((this->id_type >= 12) && (this->id_type <= 200))) + if (this->id_type == 0 || this->id_type == 4) { /* reserved IDs */ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type); return FAILED; } - return SUCCESS; } -/** - * Implementation of id_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = id_payload_encodings; - *rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(id_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_id_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_id_payload_t *this) { return this->payload_type; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_id_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_id_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_id_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_id_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_id_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_id_payload_t *this) { return this->payload_length; } -/** - * Implementation of id_payload_t.set_type. - */ -static void set_id_type (private_id_payload_t *this, id_type_t type) -{ - this->id_type = type; -} - -/** - * Implementation of id_payload_t.get_id_type. - */ -static id_type_t get_id_type (private_id_payload_t *this) +METHOD(id_payload_t, get_identification, identification_t*, + private_id_payload_t *this) { - return (this->id_type); + return identification_create_from_encoding(this->id_type, this->id_data); } -/** - * Implementation of id_payload_t.set_data. - */ -static void set_data (private_id_payload_t *this, chunk_t data) +METHOD2(payload_t, id_payload_t, destroy, void, + private_id_payload_t *this) { - if (this->id_data.ptr != NULL) - { - chunk_free(&(this->id_data)); - } - this->id_data.ptr = clalloc(data.ptr,data.len); - this->id_data.len = data.len; - this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len; -} - - -/** - * Implementation of id_payload_t.get_data_clone. - */ -static chunk_t get_data (private_id_payload_t *this) -{ - return (this->id_data); -} - -/** - * Implementation of id_payload_t.get_data_clone. - */ -static chunk_t get_data_clone (private_id_payload_t *this) -{ - chunk_t cloned_data; - if (this->id_data.ptr == NULL) - { - return (this->id_data); - } - cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len); - cloned_data.len = this->id_data.len; - return cloned_data; -} - -/** - * Implementation of id_payload_t.get_identification. - */ -static identification_t *get_identification (private_id_payload_t *this) -{ - return identification_create_from_encoding(this->id_type,this->id_data); -} - -/** - * Implementation of payload_t.destroy and id_payload_t.destroy. - */ -static void destroy(private_id_payload_t *this) -{ - if (this->id_data.ptr != NULL) - { - chunk_free(&(this->id_data)); - } + free(this->id_data.ptr); free(this); } @@ -250,44 +183,41 @@ static void destroy(private_id_payload_t *this) */ id_payload_t *id_payload_create(payload_type_t payload_type) { - private_id_payload_t *this = malloc_thing(private_id_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (id_payload_t *)) destroy; - this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type; - this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type; - this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data; - this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data; - this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone; - - this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =ID_PAYLOAD_HEADER_LENGTH; - this->id_data = chunk_empty; - this->payload_type = payload_type; - - return (&(this->public)); + private_id_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_identification = _get_identification, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = ID_PAYLOAD_HEADER_LENGTH, + .payload_type = payload_type, + ); + return &this->public; } /* * Described in header. */ -id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification) +id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, + identification_t *id) { - id_payload_t *this= id_payload_create(payload_type); - this->set_data(this,identification->get_encoding(identification)); - this->set_id_type(this,identification->get_type(identification)); - return this; + private_id_payload_t *this; + + this = (private_id_payload_t*)id_payload_create(payload_type); + this->id_data = chunk_clone(id->get_encoding(id)); + this->id_type = id->get_type(id); + this->payload_length += this->id_data.len; + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h index 5502dc961..99831f85f 100644 --- a/src/libcharon/encoding/payloads/id_payload.h +++ b/src/libcharon/encoding/payloads/id_payload.h @@ -40,57 +40,15 @@ typedef struct id_payload_t id_payload_t; * The ID payload format is described in RFC section 3.5. */ struct id_payload_t { + /** * The payload_t interface. */ payload_t payload_interface; - /** - * Set the ID type. - * - * @param type Type of ID - */ - void (*set_id_type) (id_payload_t *this, id_type_t type); - - /** - * Get the ID type. - * - * @return type of the ID - */ - id_type_t (*get_id_type) (id_payload_t *this); - - /** - * Set the ID data. - * - * Data are getting cloned. - * - * @param data ID data as chunk_t - */ - void (*set_data) (id_payload_t *this, chunk_t data); - - /** - * Get the ID data. - * - * Returned data are a copy of the internal one - * - * @return ID data as chunk_t - */ - chunk_t (*get_data_clone) (id_payload_t *this); - - /** - * Get the ID data. - * - * Returned data are NOT copied. - * - * @return ID data as chunk_t - */ - chunk_t (*get_data) (id_payload_t *this); - /** * Creates an identification object of this id payload. * - * Returned object has to get destroyed by the caller. - * * @return identification_t object */ identification_t *(*get_identification) (id_payload_t *this); diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c index 735f01304..80dcee0cb 100644 --- a/src/libcharon/encoding/payloads/ike_header.c +++ b/src/libcharon/encoding/payloads/ike_header.c @@ -83,6 +83,11 @@ struct private_ike_header_t { bool response; } flags; + /** + * Reserved bits of IKE header + */ + bool reserved[5]; + /** * Associated Message-ID. */ @@ -119,30 +124,30 @@ encoding_rule_t ike_header_encodings[] = { /* 8 Byte SPI, stored in the field initiator_spi */ { IKE_SPI, offsetof(private_ike_header_t, initiator_spi) }, /* 8 Byte SPI, stored in the field responder_spi */ - { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, + { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ike_header_t, next_payload) }, + { U_INT_8, offsetof(private_ike_header_t, next_payload) }, /* 4 Bit major version, stored in the field maj_version */ - { U_INT_4, offsetof(private_ike_header_t, maj_version) }, + { U_INT_4, offsetof(private_ike_header_t, maj_version) }, /* 4 Bit minor version, stored in the field min_version */ - { U_INT_4, offsetof(private_ike_header_t, min_version) }, + { U_INT_4, offsetof(private_ike_header_t, min_version) }, /* 8 Bit for the exchange type */ - { U_INT_8, offsetof(private_ike_header_t, exchange_type) }, - /* 2 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { U_INT_8, offsetof(private_ike_header_t, exchange_type) }, + /* 2 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[1]) }, /* 3 Bit flags, stored in the fields response, version and initiator */ - { FLAG, offsetof(private_ike_header_t, flags.response) }, - { FLAG, offsetof(private_ike_header_t, flags.version) }, - { FLAG, offsetof(private_ike_header_t, flags.initiator) }, - /* 3 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ike_header_t, flags.response) }, + { FLAG, offsetof(private_ike_header_t, flags.version) }, + { FLAG, offsetof(private_ike_header_t, flags.initiator) }, + /* 3 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[4]) }, /* 4 Byte message id, stored in the field message_id */ - { U_INT_32, offsetof(private_ike_header_t, message_id) }, + { U_INT_32, offsetof(private_ike_header_t, message_id) }, /* 4 Byte length fied, stored in the field length */ - { HEADER_LENGTH, offsetof(private_ike_header_t, length) } + { HEADER_LENGTH,offsetof(private_ike_header_t, length) }, }; @@ -163,11 +168,8 @@ encoding_rule_t ike_header_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ike_header_t *this) +METHOD(payload_t, verify, status_t, + private_ike_header_t *this) { if ((this->exchange_type < IKE_SA_INIT) || ((this->exchange_type > INFORMATIONAL) @@ -179,7 +181,6 @@ static status_t verify(private_ike_header_t *this) /* unsupported exchange type */ return FAILED; } - if (this->initiator_spi == 0 #ifdef ME /* we allow zero spi for INFORMATIONAL exchanges, @@ -191,225 +192,201 @@ static status_t verify(private_ike_header_t *this) /* initiator spi not set */ return FAILED; } + return SUCCESS; +} - /* verification of version is not done in here */ +METHOD(payload_t, get_encoding_rules, void, + private_ike_header_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = ike_header_encodings; + *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t); +} - return SUCCESS; +METHOD(payload_t, get_type, payload_type_t, + private_ike_header_t *this) +{ + return HEADER; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(payload_t *this,payload_type_t type) +METHOD(payload_t, get_next_type, payload_type_t, + private_ike_header_t *this) { - ((private_ike_header_t *)this)->next_payload = type; + return this->next_payload; } -/** - * Implementation of ike_header_t.get_initiator_spi. - */ -static u_int64_t get_initiator_spi(private_ike_header_t *this) + +METHOD(payload_t, set_next_type, void, + private_ike_header_t *this, payload_type_t type) +{ + this->next_payload = type; +} + +METHOD(payload_t, get_length, size_t, + private_ike_header_t *this) +{ + return this->length; +} + +METHOD(ike_header_t, get_initiator_spi, u_int64_t, + private_ike_header_t *this) { return this->initiator_spi; } -/** - * Implementation of ike_header_t.set_initiator_spi. - */ -static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi) +METHOD(ike_header_t, set_initiator_spi, void, + private_ike_header_t *this, u_int64_t initiator_spi) { this->initiator_spi = initiator_spi; } -/** - * Implementation of ike_header_t.get_responder_spi. - */ -static u_int64_t get_responder_spi(private_ike_header_t *this) +METHOD(ike_header_t, get_responder_spi, u_int64_t, + private_ike_header_t *this) { return this->responder_spi; } -/** - * Implementation of ike_header_t.set_responder_spi. - */ -static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi) +METHOD(ike_header_t, set_responder_spi, void, + private_ike_header_t *this, u_int64_t responder_spi) { this->responder_spi = responder_spi; } -/** - * Implementation of ike_header_t.get_maj_version. - */ -static u_int8_t get_maj_version(private_ike_header_t *this) +METHOD(ike_header_t, get_maj_version, u_int8_t, + private_ike_header_t *this) { return this->maj_version; } -/** - * Implementation of ike_header_t.get_min_version. - */ -static u_int8_t get_min_version(private_ike_header_t *this) +METHOD(ike_header_t, set_maj_version, void, + private_ike_header_t *this, u_int8_t major) +{ + this->maj_version = major; +} + +METHOD(ike_header_t, get_min_version, u_int8_t, + private_ike_header_t *this) { return this->min_version; } -/** - * Implementation of ike_header_t.get_response_flag. - */ -static bool get_response_flag(private_ike_header_t *this) +METHOD(ike_header_t, set_min_version, void, + private_ike_header_t *this, u_int8_t minor) +{ + this->min_version = minor; +} + +METHOD(ike_header_t, get_response_flag, bool, + private_ike_header_t *this) { return this->flags.response; } -/** - * Implementation of ike_header_t.set_response_flag. - */ -static void set_response_flag(private_ike_header_t *this, bool response) +METHOD(ike_header_t, set_response_flag, void, + private_ike_header_t *this, bool response) { this->flags.response = response; } -/** - * Implementation of ike_header_t.get_version_flag. - */ -static bool get_version_flag(private_ike_header_t *this) +METHOD(ike_header_t, get_version_flag, bool, + private_ike_header_t *this) { return this->flags.version; } -/** - * Implementation of ike_header_t.get_initiator_flag. - */ -static bool get_initiator_flag(private_ike_header_t *this) +METHOD(ike_header_t, set_version_flag, void, + private_ike_header_t *this, bool version) +{ + this->flags.version = version; +} + +METHOD(ike_header_t, get_initiator_flag, bool, + private_ike_header_t *this) { return this->flags.initiator; } -/** - * Implementation of ike_header_t.set_initiator_flag. - */ -static void set_initiator_flag(private_ike_header_t *this, bool initiator) +METHOD(ike_header_t, set_initiator_flag, void, + private_ike_header_t *this, bool initiator) { this->flags.initiator = initiator; } -/** - * Implementation of ike_header_t.get_exchange_type. - */ -static u_int8_t get_exchange_type(private_ike_header_t *this) +METHOD(ike_header_t, get_exchange_type, u_int8_t, + private_ike_header_t *this) { return this->exchange_type; } -/** - * Implementation of ike_header_t.set_exchange_type. - */ -static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type) +METHOD(ike_header_t, set_exchange_type, void, + private_ike_header_t *this, u_int8_t exchange_type) { this->exchange_type = exchange_type; } -/** - * Implements ike_header_t's get_message_id function. - * See #ike_header_t.get_message_id for description. - */ -static u_int32_t get_message_id(private_ike_header_t *this) +METHOD(ike_header_t, get_message_id, u_int32_t, + private_ike_header_t *this) { return this->message_id; } -/** - * Implementation of ike_header_t.set_message_id. - */ -static void set_message_id(private_ike_header_t *this, u_int32_t message_id) +METHOD(ike_header_t, set_message_id, void, + private_ike_header_t *this, u_int32_t message_id) { this->message_id = message_id; } -/** - * Implementation of ike_header_t.destroy and payload_t.destroy. - */ -static void destroy(ike_header_t *this) +METHOD2(payload_t, ike_header_t, destroy, void, + private_ike_header_t *this) { free(this); } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count) -{ - *rules = ike_header_encodings; - *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t); -} - -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(payload_t *this) -{ - return HEADER; -} - -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(payload_t *this) -{ - return (((private_ike_header_t*)this)->next_payload); -} - -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(payload_t *this) -{ - return (((private_ike_header_t*)this)->length); -} - /* * Described in header. */ ike_header_t *ike_header_create() { - private_ike_header_t *this = malloc_thing(private_ike_header_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = get_encoding_rules; - this->public.payload_interface.get_length = get_length; - this->public.payload_interface.get_next_type = get_next_type; - this->public.payload_interface.set_next_type = set_next_type; - this->public.payload_interface.get_type = get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - this->public.destroy = destroy; - - this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi; - this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi; - this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi; - this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi; - this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version; - this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version; - this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag; - this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag; - this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag; - this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag; - this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag; - this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type; - this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type; - this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id; - this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id; - - /* set default values of the fields */ - this->initiator_spi = 0; - this->responder_spi = 0; - this->next_payload = 0; - this->maj_version = IKE_MAJOR_VERSION; - this->min_version = IKE_MINOR_VERSION; - this->exchange_type = EXCHANGE_TYPE_UNDEFINED; - this->flags.initiator = TRUE; - this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG; - this->flags.response = FALSE; - this->message_id = 0; - this->length = IKE_HEADER_LENGTH; - - return (ike_header_t*)this; + private_ike_header_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_initiator_spi = _get_initiator_spi, + .set_initiator_spi = _set_initiator_spi, + .get_responder_spi = _get_responder_spi, + .set_responder_spi = _set_responder_spi, + .get_maj_version = _get_maj_version, + .set_maj_version = _set_maj_version, + .get_min_version = _get_min_version, + .set_min_version = _set_min_version, + .get_response_flag = _get_response_flag, + .set_response_flag = _set_response_flag, + .get_version_flag = _get_version_flag, + .set_version_flag = _set_version_flag, + .get_initiator_flag = _get_initiator_flag, + .set_initiator_flag = _set_initiator_flag, + .get_exchange_type = _get_exchange_type, + .set_exchange_type = _set_exchange_type, + .get_message_id = _get_message_id, + .set_message_id = _set_message_id, + .destroy = _destroy, + }, + .maj_version = IKE_MAJOR_VERSION, + .min_version = IKE_MINOR_VERSION, + .exchange_type = EXCHANGE_TYPE_UNDEFINED, + .flags = { + .initiator = TRUE, + .version = HIGHER_VERSION_SUPPORTED_FLAG, + }, + .length = IKE_HEADER_LENGTH, + ); + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h index e63e8bf06..f52c852c5 100644 --- a/src/libcharon/encoding/payloads/ike_header.h +++ b/src/libcharon/encoding/payloads/ike_header.h @@ -142,6 +142,13 @@ struct ike_header_t { */ u_int8_t (*get_maj_version) (ike_header_t *this); + /** + * Set the major version. + * + * @param major major version + */ + void (*set_maj_version) (ike_header_t *this, u_int8_t major); + /** * Get the minor version. * @@ -149,6 +156,13 @@ struct ike_header_t { */ u_int8_t (*get_min_version) (ike_header_t *this); + /** + * Set the minor version. + * + * @param minor minor version + */ + void (*set_min_version) (ike_header_t *this, u_int8_t minor); + /** * Get the response flag. * @@ -162,6 +176,7 @@ struct ike_header_t { * @param response response flag */ void (*set_response_flag) (ike_header_t *this, bool response); + /** * Get "higher version supported"-flag. * @@ -169,6 +184,13 @@ struct ike_header_t { */ bool (*get_version_flag) (ike_header_t *this); + /** + * Set the "higher version supported"-flag. + * + * @param version flag value + */ + void (*set_version_flag)(ike_header_t *this, bool version); + /** * Get the initiator flag. * diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c index 1bc79f084..999d73192 100644 --- a/src/libcharon/encoding/payloads/ke_payload.c +++ b/src/libcharon/encoding/payloads/ke_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -20,14 +21,13 @@ #include - typedef struct private_ke_payload_t private_ke_payload_t; /** * Private data of an ke_payload_t object. - * */ struct private_ke_payload_t { + /** * Public ke_payload_t interface. */ @@ -43,6 +43,16 @@ struct private_ke_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[2]; + /** * Length of this payload. */ @@ -64,27 +74,27 @@ struct private_ke_payload_t { * * The defined offsets are the positions in a object of type * private_ke_payload_t. - * */ encoding_rule_t ke_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ke_payload_t, next_payload) }, + { U_INT_8, offsetof(private_ke_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_ke_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ke_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) }, /* DH Group number as 16 bit field*/ - { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) }, + /* 2 reserved bytes */ + { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[1])}, /* Key Exchange Data is from variable size */ { KEY_EXCHANGE_DATA, offsetof(private_ke_payload_t, key_exchange_data)} }; @@ -103,123 +113,60 @@ encoding_rule_t ke_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ke_payload_t *this) +METHOD(payload_t, verify, status_t, + private_ke_payload_t *this) { - /* dh group is not verified in here */ return SUCCESS; } -/** - * Implementation of payload_t.destroy. - */ -static void destroy(private_ke_payload_t *this) -{ - if (this->key_exchange_data.ptr != NULL) - { - free(this->key_exchange_data.ptr); - } - free(this); -} - -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = ke_payload_encodings; - *rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(ke_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_ke_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_ke_payload_t *this) { return KEY_EXCHANGE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_ke_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_ke_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_ke_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_ke_payload_t *this,payload_type_t type) { this->next_payload = type; } -/** - * recompute the length of the payload. - */ -static void compute_length(private_ke_payload_t *this) -{ - size_t length = KE_PAYLOAD_HEADER_LENGTH; - if (this->key_exchange_data.ptr != NULL) - { - length += this->key_exchange_data.len; - } - this->payload_length = length; -} - -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_ke_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_ke_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of ke_payload_t.get_key_exchange_data. - */ -static chunk_t get_key_exchange_data(private_ke_payload_t *this) +METHOD(ke_payload_t, get_key_exchange_data, chunk_t, + private_ke_payload_t *this) { - return (this->key_exchange_data); + return this->key_exchange_data; } -/** - * Implementation of ke_payload_t.set_key_exchange_data. - */ -static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data) -{ - /* destroy existing data first */ - if (this->key_exchange_data.ptr != NULL) - { - /* free existing value */ - free(this->key_exchange_data.ptr); - this->key_exchange_data.ptr = NULL; - this->key_exchange_data.len = 0; - - } - - this->key_exchange_data = chunk_clone(key_exchange_data); - compute_length(this); -} - -/** - * Implementation of ke_payload_t.get_dh_group_number. - */ -static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this) +METHOD(ke_payload_t, get_dh_group_number, diffie_hellman_group_t, + private_ke_payload_t *this) { return this->dh_group_number; } -/** - * Implementation of ke_payload_t.set_dh_group_number. - */ -static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number) +METHOD2(payload_t, ke_payload_t, destroy, void, + private_ke_payload_t *this) { - this->dh_group_number = dh_group_number; + free(this->key_exchange_data.ptr); + free(this); } /* @@ -227,31 +174,27 @@ static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group */ ke_payload_t *ke_payload_create() { - private_ke_payload_t *this = malloc_thing(private_ke_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data; - this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data; - this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number; - this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number; - this->public.destroy = (void (*) (ke_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = KE_PAYLOAD_HEADER_LENGTH; - this->key_exchange_data = chunk_empty; - this->dh_group_number = MODP_NONE; - + private_ke_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_key_exchange_data = _get_key_exchange_data, + .get_dh_group_number = _get_dh_group_number, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = KE_PAYLOAD_HEADER_LENGTH, + .dh_group_number = MODP_NONE, + ); return &this->public; } @@ -264,7 +207,7 @@ ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh) dh->get_my_public_value(dh, &this->key_exchange_data); this->dh_group_number = dh->get_dh_group(dh); - compute_length(this); + this->payload_length = this->key_exchange_data.len + KE_PAYLOAD_HEADER_LENGTH; return &this->public; } diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h index 3ca05009e..65cc11883 100644 --- a/src/libcharon/encoding/payloads/ke_payload.h +++ b/src/libcharon/encoding/payloads/ke_payload.h @@ -47,23 +47,12 @@ struct ke_payload_t { payload_t payload_interface; /** - * Returns the currently set key exchange data of this KE payload. + * Returns the key exchange data of this KE payload. * - * @warning Returned data are not copied. - * - * @return chunk_t pointing to the value + * @return chunk_t pointing to internal data */ chunk_t (*get_key_exchange_data) (ke_payload_t *this); - /** - * Sets the key exchange data of this KE payload. - * - * Value is getting copied. - * - * @param key_exchange_data chunk_t pointing to the value to set - */ - void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data); - /** * Gets the Diffie-Hellman Group Number of this KE payload. * @@ -71,14 +60,6 @@ struct ke_payload_t { */ diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this); - /** - * Sets the Diffie-Hellman Group Number of this KE payload. - * - * @param dh_group_number DH Group to set - */ - void (*set_dh_group_number) (ke_payload_t *this, - diffie_hellman_group_t dh_group_number); - /** * Destroys an ke_payload_t object. */ diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index 4ad5ce9dd..78000b8c6 100644 --- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -14,21 +15,19 @@ * for more details. */ -/* offsetof macro */ #include #include "nonce_payload.h" #include - typedef struct private_nonce_payload_t private_nonce_payload_t; /** * Private data of an nonce_payload_t object. - * */ struct private_nonce_payload_t { + /** * Public nonce_payload_t interface. */ @@ -44,6 +43,11 @@ struct private_nonce_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -60,25 +64,24 @@ struct private_nonce_payload_t { * * The defined offsets are the positions in a object of type * private_nonce_payload_t. - * */ encoding_rule_t nonce_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_nonce_payload_t, next_payload) }, + { U_INT_8, offsetof(private_nonce_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_nonce_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_nonce_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[6]) }, /* Length of the whole nonce payload*/ - { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ - { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) } + { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) }, }; /* 1 2 3 @@ -92,102 +95,64 @@ encoding_rule_t nonce_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_nonce_payload_t *this) +METHOD(payload_t, verify, status_t, + private_nonce_payload_t *this) { - if ((this->nonce.len < 16) || ((this->nonce.len > 256))) + if (this->nonce.len < 16 || this->nonce.len > 256) { - /* nonce length is wrong */ return FAILED; } - return SUCCESS; } -/** - * Implementation of nonce_payload_t.set_nonce. - */ -static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce) -{ - this->nonce.ptr = clalloc(nonce.ptr, nonce.len); - this->nonce.len = nonce.len; - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len; - return SUCCESS; -} - -/** - * Implementation of nonce_payload_t.get_nonce. - */ -static chunk_t get_nonce(private_nonce_payload_t *this) -{ - chunk_t nonce; - nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len); - nonce.len = this->nonce.len; - return nonce; -} - -/** - * Implementation of nonce_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = nonce_payload_encodings; - *rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(nonce_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_nonce_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_nonce_payload_t *this) { return NONCE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_nonce_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_nonce_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_nonce_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_nonce_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * recompute the length of the payload. - */ -static void compute_length(private_nonce_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_nonce_payload_t *this) { - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len; + return this->payload_length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_nonce_payload_t *this) +METHOD(nonce_payload_t, set_nonce, void, + private_nonce_payload_t *this, chunk_t nonce) { - compute_length(this); - return this->payload_length; + this->nonce = chunk_clone(nonce); + this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len; } -/** - * Implementation of payload_t.destroy and nonce_payload_t.destroy. - */ -static void destroy(private_nonce_payload_t *this) +METHOD(nonce_payload_t, get_nonce, chunk_t, + private_nonce_payload_t *this) { - if (this->nonce.ptr != NULL) - { - free(this->nonce.ptr); - } + return chunk_clone(this->nonce); +} +METHOD2(payload_t, nonce_payload_t, destroy, void, + private_nonce_payload_t *this) +{ + free(this->nonce.ptr); free(this); } @@ -196,30 +161,25 @@ static void destroy(private_nonce_payload_t *this) */ nonce_payload_t *nonce_payload_create() { - private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (nonce_payload_t *)) destroy; - this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce; - this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH; - this->nonce.ptr = NULL; - this->nonce.len = 0; - - return (&(this->public)); + private_nonce_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_nonce = _set_nonce, + .get_nonce = _get_nonce, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = NONCE_PAYLOAD_HEADER_LENGTH, + ); + return &this->public; } - - diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index a56fd1869..77f15ec6d 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -1,7 +1,8 @@ /* + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2006-2008 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -186,9 +187,9 @@ typedef struct private_notify_payload_t private_notify_payload_t; /** * Private data of an notify_payload_t object. - * */ struct private_notify_payload_t { + /** * Public notify_payload_t interface. */ @@ -204,6 +205,11 @@ struct private_notify_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -240,7 +246,6 @@ struct private_notify_payload_t { * * The defined offsets are the positions in a object of type * private_notify_payload_t. - * */ encoding_rule_t notify_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -248,13 +253,13 @@ encoding_rule_t notify_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_notify_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) }, /* Protocol ID as 8 bit field*/ @@ -262,11 +267,11 @@ encoding_rule_t notify_payload_encodings[] = { /* SPI Size as 8 bit field*/ { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) }, /* Notify message type as 16 bit field*/ - { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, + { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, /* SPI as variable length field*/ { SPI, offsetof(private_notify_payload_t, spi) }, /* Key Exchange Data is from variable size */ - { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) } + { NOTIFICATION_DATA,offsetof(private_notify_payload_t, notification_data) } }; /* @@ -287,10 +292,8 @@ encoding_rule_t notify_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_notify_payload_t *this) +METHOD(payload_t, verify, status_t, + private_notify_payload_t *this) { bool bad_length = FALSE; @@ -404,35 +407,27 @@ static status_t verify(private_notify_payload_t *this) return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = notify_payload_encodings; - *rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(notify_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_notify_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_notify_payload_t *this) { return NOTIFY; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_notify_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_notify_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_notify_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_notify_payload_t *this, payload_type_t type) { this->next_payload = type; } @@ -443,6 +438,7 @@ static void set_next_type(private_notify_payload_t *this,payload_type_t type) static void compute_length (private_notify_payload_t *this) { size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH; + if (this->notification_data.ptr != NULL) { length += this->notification_data.len; @@ -454,51 +450,38 @@ static void compute_length (private_notify_payload_t *this) this->payload_length = length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_notify_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_notify_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of notify_payload_t.get_protocol_id. - */ -static u_int8_t get_protocol_id(private_notify_payload_t *this) +METHOD(notify_payload_t, get_protocol_id, u_int8_t, + private_notify_payload_t *this) { return this->protocol_id; } -/** - * Implementation of notify_payload_t.set_protocol_id. - */ -static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id) +METHOD(notify_payload_t, set_protocol_id, void, + private_notify_payload_t *this, u_int8_t protocol_id) { this->protocol_id = protocol_id; } -/** - * Implementation of notify_payload_t.get_notify_type. - */ -static notify_type_t get_notify_type(private_notify_payload_t *this) +METHOD(notify_payload_t, get_notify_type, notify_type_t, + private_notify_payload_t *this) { return this->notify_type; } -/** - * Implementation of notify_payload_t.set_notify_type. - */ -static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type) +METHOD(notify_payload_t, set_notify_type, void, + private_notify_payload_t *this, notify_type_t notify_type) { this->notify_type = notify_type; } -/** - * Implementation of notify_payload_t.get_spi. - */ -static u_int32_t get_spi(private_notify_payload_t *this) +METHOD(notify_payload_t, get_spi, u_int32_t, + private_notify_payload_t *this) { switch (this->protocol_id) { @@ -514,10 +497,8 @@ static u_int32_t get_spi(private_notify_payload_t *this) return 0; } -/** - * Implementation of notify_payload_t.set_spi. - */ -static void set_spi(private_notify_payload_t *this, u_int32_t spi) +METHOD(notify_payload_t, set_spi, void, + private_notify_payload_t *this, u_int32_t spi) { chunk_free(&this->spi); switch (this->protocol_id) @@ -534,37 +515,26 @@ static void set_spi(private_notify_payload_t *this, u_int32_t spi) compute_length(this); } -/** - * Implementation of notify_payload_t.get_notification_data. - */ -static chunk_t get_notification_data(private_notify_payload_t *this) +METHOD(notify_payload_t, get_notification_data, chunk_t, + private_notify_payload_t *this) { - return (this->notification_data); + return this->notification_data; } -/** - * Implementation of notify_payload_t.set_notification_data. - */ -static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data) +METHOD(notify_payload_t, set_notification_data, void, + private_notify_payload_t *this, chunk_t data) { - chunk_free(&this->notification_data); - if (notification_data.len > 0) - { - this->notification_data = chunk_clone(notification_data); - } + free(this->notification_data.ptr); + this->notification_data = chunk_clone(data); compute_length(this); - return SUCCESS; } -/** - * Implementation of notify_payload_t.destroy and notify_payload_t.destroy. - */ -static status_t destroy(private_notify_payload_t *this) +METHOD2(payload_t, notify_payload_t, destroy, void, + private_notify_payload_t *this) { - chunk_free(&this->notification_data); - chunk_free(&this->spi); + free(this->notification_data.ptr); + free(this->spi.ptr); free(this); - return SUCCESS; } /* @@ -572,52 +542,45 @@ static status_t destroy(private_notify_payload_t *this) */ notify_payload_t *notify_payload_create() { - private_notify_payload_t *this = malloc_thing(private_notify_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id; - this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id; - this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type; - this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type; - this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi; - this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi; - this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data; - this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data; - this->public.destroy = (void (*) (notify_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH; - this->protocol_id = 0; - this->notify_type = 0; - this->spi.ptr = NULL; - this->spi.len = 0; - this->spi_size = 0; - this->notification_data.ptr = NULL; - this->notification_data.len = 0; - + private_notify_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_protocol_id = _get_protocol_id, + .set_protocol_id = _set_protocol_id, + .get_notify_type = _get_notify_type, + .set_notify_type = _set_notify_type, + .get_spi = _get_spi, + .set_spi = _set_spi, + .get_notification_data = _get_notification_data, + .set_notification_data = _set_notification_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH, + ); return &this->public; } /* * Described in header. */ -notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type) +notify_payload_t *notify_payload_create_from_protocol_and_type( + protocol_id_t protocol_id, notify_type_t notify_type) { notify_payload_t *notify = notify_payload_create(); - notify->set_notify_type(notify,notify_type); - notify->set_protocol_id(notify,protocol_id); + notify->set_notify_type(notify, notify_type); + notify->set_protocol_id(notify, protocol_id); return notify; } diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index 1cee6d2aa..d1e677db7 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c @@ -59,25 +59,23 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N #ifdef ME ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "ID_PEER"); -ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", - "CONFIGURATION_ATTRIBUTE", - "UNKNOWN_PAYLOAD"); + "CONFIGURATION_ATTRIBUTE"); #else -ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", - "CONFIGURATION_ATTRIBUTE", - "UNKNOWN_PAYLOAD"); + "CONFIGURATION_ATTRIBUTE"); #endif /* ME */ -ENUM_END(payload_type_names, UNKNOWN_PAYLOAD); +ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE); /* short forms of payload names */ ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD, @@ -102,25 +100,23 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT #ifdef ME ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "IDp"); -ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", - "CPATTR", - "??"); + "CPATTR"); #else -ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", - "CPATTR", - "??"); + "CPATTR"); #endif /* ME */ -ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD); +ENUM_END(payload_type_short_names, CONFIGURATION_ATTRIBUTE); /* * see header @@ -178,7 +174,45 @@ payload_t *payload_create(payload_type_t type) case ENCRYPTED: return (payload_t*)encryption_payload_create(); default: - return (payload_t*)unknown_payload_create(); + return (payload_t*)unknown_payload_create(type); } } +/** + * See header. + */ +bool payload_is_known(payload_type_t type) +{ + if (type == HEADER || + (type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION)) + { + return TRUE; + } +#ifdef ME + if (type == ID_PEER) + { + return TRUE; + } +#endif + return FALSE; +} + +/** + * See header. + */ +void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip) +{ + encoding_rule_t *rule; + size_t count; + int i; + + payload->get_encoding_rules(payload, &rule, &count); + for (i = 0; i < count; i++) + { + if (rule[i].type == type && skip-- == 0) + { + return ((char*)payload) + rule[i].offset; + } + } + return NULL; +} diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 2e783cb30..0f407ff42 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -137,7 +137,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle IKEv2-Header like a payload. */ - HEADER = 140, + HEADER = 256, /** * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -145,7 +145,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a proposal substructure like a payload. */ - PROPOSAL_SUBSTRUCTURE = 141, + PROPOSAL_SUBSTRUCTURE = 257, /** * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -153,7 +153,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform substructure like a payload. */ - TRANSFORM_SUBSTRUCTURE = 142, + TRANSFORM_SUBSTRUCTURE = 258, /** * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space. @@ -161,7 +161,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ - TRANSFORM_ATTRIBUTE = 143, + TRANSFORM_ATTRIBUTE = 259, /** * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -169,7 +169,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform selector like a payload. */ - TRAFFIC_SELECTOR_SUBSTRUCTURE = 144, + TRAFFIC_SELECTOR_SUBSTRUCTURE = 260, /** * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space. @@ -177,18 +177,9 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ - CONFIGURATION_ATTRIBUTE = 145, - - /** - * A unknown payload has a value of PRIVATE USE space. - * - * This payload type is not sent over wire and just - * used internally to handle a unknown payload. - */ - UNKNOWN_PAYLOAD = 146, + CONFIGURATION_ATTRIBUTE = 261, }; - /** * enum names for payload_type_t. */ @@ -269,4 +260,22 @@ struct payload_t { */ payload_t *payload_create(payload_type_t type); +/** + * Check if a specific payload is implemented, or handled as unknown payload. + * + * @param type type of the payload to check + * @return FALSE if payload type handled as unknown payload + */ +bool payload_is_known(payload_type_t type); + +/** + * Get the value field in a payload using encoding rules. + * + * @param payload payload to look up a field + * @param type encoding rule type to look up + * @param skip number rules of type to skip, 0 to get first + * @return type specific value pointer, NULL if not found + */ +void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip); + #endif /** PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 985b03255..f39c3b0e6 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -46,6 +46,11 @@ struct private_proposal_substructure_t { */ u_int8_t next_payload; + /** + * reserved byte + */ + u_int8_t reserved; + /** * Length of this payload. */ @@ -91,8 +96,8 @@ struct private_proposal_substructure_t { encoding_rule_t proposal_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) }, /* Length of the whole proposal substructure payload*/ { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, /* proposal number is a number of 8 bit */ @@ -213,28 +218,23 @@ METHOD(payload_t, set_next_type, void, */ static void compute_length(private_proposal_substructure_t *this) { - iterator_t *iterator; - payload_t *current_transform; - size_t transforms_count = 0; - size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH; + enumerator_t *enumerator; + payload_t *transform; - iterator = this->transforms->create_iterator(this->transforms,TRUE); - while (iterator->iterate(iterator, (void**)¤t_transform)) + this->transforms_count = 0; + this->proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->spi.len; + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &transform)) { - length += current_transform->get_length(current_transform); - transforms_count++; + this->proposal_length += transform->get_length(transform); + this->transforms_count++; } - iterator->destroy(iterator); - - length += this->spi.len; - this->transforms_count = transforms_count; - this->proposal_length = length; + enumerator->destroy(enumerator); } METHOD(payload_t, get_length, size_t, private_proposal_substructure_t *this) { - compute_length(this); return this->proposal_length; } @@ -342,32 +342,10 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*, return proposal; } -METHOD(proposal_substructure_t, clone_, proposal_substructure_t*, +METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, private_proposal_substructure_t *this) { - private_proposal_substructure_t *clone; - enumerator_t *enumerator; - transform_substructure_t *current; - - clone = (private_proposal_substructure_t*)proposal_substructure_create(); - clone->next_payload = this->next_payload; - clone->proposal_number = this->proposal_number; - clone->protocol_id = this->protocol_id; - clone->spi_size = this->spi_size; - if (this->spi.ptr != NULL) - { - clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len); - clone->spi.len = this->spi.len; - } - enumerator = this->transforms->create_enumerator(this->transforms); - while (enumerator->enumerate(enumerator, ¤t)) - { - current = current->clone(current); - add_transform_substructure(clone, current); - } - enumerator->destroy(enumerator); - - return &clone->public; + return this->transforms->create_enumerator(this->transforms); } METHOD2(payload_t, proposal_substructure_t, destroy, void, @@ -403,12 +381,13 @@ proposal_substructure_t *proposal_substructure_create() .get_protocol_id = _get_protocol_id, .set_is_last_proposal = _set_is_last_proposal, .get_proposal = _get_proposal, + .create_substructure_enumerator = _create_substructure_enumerator, .set_spi = _set_spi, .get_spi = _get_spi, - .clone = _clone_, .destroy = _destroy, }, .next_payload = NO_PAYLOAD, + .proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH, .transforms = linked_list_create(), ); @@ -500,6 +479,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( } this->proposal_number = proposal->get_number(proposal); this->protocol_id = proposal->get_protocol(proposal); + compute_length(this); return &this->public; } diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index 56e7184b6..d0ba1fd2a 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -111,11 +111,11 @@ struct proposal_substructure_t { proposal_t * (*get_proposal) (proposal_substructure_t *this); /** - * Clones an proposal_substructure_t object. + * Create an enumerator over transform substructures. * - * @return cloned object + * @return enumerator over transform_substructure_t */ - proposal_substructure_t* (*clone) (proposal_substructure_t *this); + enumerator_t* (*create_substructure_enumerator)(proposal_substructure_t *this); /** * Destroys an proposal_substructure_t object. diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index 4fbd4cac0..db20d052f 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c @@ -45,6 +45,11 @@ struct private_sa_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -68,13 +73,13 @@ encoding_rule_t sa_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_sa_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[6]) }, /* Length of the whole SA payload*/ { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, @@ -185,7 +190,6 @@ static void compute_length(private_sa_payload_t *this) METHOD(payload_t, get_length, size_t, private_sa_payload_t *this) { - compute_length(this); return this->payload_length; } @@ -258,6 +262,12 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*, return list; } +METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*, + private_sa_payload_t *this) +{ + return this->proposals->create_enumerator(this->proposals); +} + METHOD2(payload_t, sa_payload_t, destroy, void, private_sa_payload_t *this) { @@ -286,6 +296,7 @@ sa_payload_t *sa_payload_create() }, .add_proposal = _add_proposal, .get_proposals = _get_proposals, + .create_substructure_enumerator = _create_substructure_enumerator, .destroy = _destroy, }, .next_payload = NO_PAYLOAD, diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h index 801a70738..cc8c481c8 100644 --- a/src/libcharon/encoding/payloads/sa_payload.h +++ b/src/libcharon/encoding/payloads/sa_payload.h @@ -60,6 +60,13 @@ struct sa_payload_t { */ void (*add_proposal) (sa_payload_t *this, proposal_t *proposal); + /** + * Create an enumerator over all proposal substructures. + * + * @return enumerator over proposal_substructure_t + */ + enumerator_t* (*create_substructure_enumerator)(sa_payload_t *this); + /** * Destroys an sa_payload_t object. */ diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c index f24857591..df36e4383 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -19,14 +20,13 @@ #include #include - typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t; /** * Private data of an traffic_selector_substructure_t object. - * */ struct private_traffic_selector_substructure_t { + /** * Public traffic_selector_substructure_t interface. */ @@ -73,24 +73,22 @@ struct private_traffic_selector_substructure_t { * * The defined offsets are the positions in a object of type * private_traffic_selector_substructure_t. - * */ encoding_rule_t traffic_selector_substructure_encodings[] = { /* 1 Byte next ts type*/ - { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) }, + { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) }, /* 1 Byte IP protocol id*/ - { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) }, + { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_traffic_selector_substructure_t, payload_length) }, + { PAYLOAD_LENGTH,offsetof(private_traffic_selector_substructure_t, payload_length) }, /* 2 Byte start port*/ - { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) }, + { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) }, /* 2 Byte end port*/ { U_INT_16, offsetof(private_traffic_selector_substructure_t, end_port) }, /* starting address is either 4 or 16 byte */ - { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, + { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, /* ending address is either 4 or 16 byte */ - { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } - + { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } }; /* @@ -111,10 +109,8 @@ encoding_rule_t traffic_selector_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_traffic_selector_substructure_t *this) +METHOD(payload_t, verify, status_t, + private_traffic_selector_substructure_t *this) { if (this->start_port > this->end_port) { @@ -152,72 +148,48 @@ static status_t verify(private_traffic_selector_substructure_t *this) return SUCCESS; } -/** - * Implementation of traffic_selector_substructure_t.get_encoding_rules. - */ -static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_traffic_selector_substructure_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = traffic_selector_substructure_encodings; - *rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(traffic_selector_substructure_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_traffic_selector_substructure_t *this) { return TRAFFIC_SELECTOR_SUBSTRUCTURE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_traffic_selector_substructure_t *this) { - return 0; + return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_traffic_selector_substructure_t *this,payload_type_t type) { - } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_length, size_t, + private_traffic_selector_substructure_t *this) { return this->payload_length; } -/** - * Implementation of traffic_selector_substructure_t.get_traffic_selector. - */ -static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this) +METHOD(traffic_selector_substructure_t, get_traffic_selector, traffic_selector_t*, + private_traffic_selector_substructure_t *this) { - traffic_selector_t *ts; - ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type, - this->starting_address, this->start_port, - this->ending_address, this->end_port); - return ts; + return traffic_selector_create_from_bytes( + this->ip_protocol_id, this->ts_type, + this->starting_address, this->start_port, + this->ending_address, this->end_port); } -/** - * recompute length field of the payload - */ -void compute_length(private_traffic_selector_substructure_t *this) -{ - this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH + - this->ending_address.len + this->starting_address.len; -} - -/** - * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy. - */ -static void destroy(private_traffic_selector_substructure_t *this) +METHOD2(payload_t, traffic_selector_substructure_t, destroy, void, + private_traffic_selector_substructure_t *this) { free(this->starting_address.ptr); free(this->ending_address.ptr); @@ -229,48 +201,46 @@ static void destroy(private_traffic_selector_substructure_t *this) */ traffic_selector_substructure_t *traffic_selector_substructure_create() { - private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector; - this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy; - - /* private variables */ - this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH; - this->start_port = 0; - this->end_port = 0; - this->starting_address = chunk_empty; - this->ending_address = chunk_empty; - this->ip_protocol_id = 0; - /* must be set to be valid */ - this->ts_type = TS_IPV4_ADDR_RANGE; - - return (&(this->public)); + private_traffic_selector_substructure_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_traffic_selector = _get_traffic_selector, + .destroy = _destroy, + }, + .payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH, + /* must be set to be valid */ + .ts_type = TS_IPV4_ADDR_RANGE, + ); + return &this->public; } /* * Described in header */ -traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector) +traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector( + traffic_selector_t *ts) { - private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create(); - this->ts_type = traffic_selector->get_type(traffic_selector); - this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector); - this->start_port = traffic_selector->get_from_port(traffic_selector); - this->end_port = traffic_selector->get_to_port(traffic_selector); - this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector)); - this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector)); - - compute_length(this); + private_traffic_selector_substructure_t *this; + + this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create(); + this->ts_type = ts->get_type(ts); + this->ip_protocol_id = ts->get_protocol(ts); + this->start_port = ts->get_from_port(ts); + this->end_port = ts->get_to_port(ts); + this->starting_address = chunk_clone(ts->get_from_address(ts)); + this->ending_address = chunk_clone(ts->get_to_address(ts)); + this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH + + this->ending_address.len + this->starting_address.len; - return &(this->public); + return &this->public; } diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c index 8bf2ddef4..7d21258b1 100644 --- a/src/libcharon/encoding/payloads/transform_attribute.c +++ b/src/libcharon/encoding/payloads/transform_attribute.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -26,9 +27,9 @@ typedef struct private_transform_attribute_t private_transform_attribute_t; /** * Private data of an transform_attribute_t object. - * */ struct private_transform_attribute_t { + /** * Public transform_attribute_t interface. */ @@ -70,7 +71,6 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH); * * The defined offsets are the positions in a object of type * private_transform_attribute_t. - * */ encoding_rule_t transform_attribute_encodings[] = { /* Flag defining the format of this payload */ @@ -78,7 +78,7 @@ encoding_rule_t transform_attribute_encodings[] = { /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_transform_attribute_t, attribute_type) }, /* Length or value, depending on the attribute format flag */ - { ATTRIBUTE_LENGTH_OR_VALUE, offsetof(private_transform_attribute_t, attribute_length_or_value) }, + { ATTRIBUTE_LENGTH_OR_VALUE,offsetof(private_transform_attribute_t, attribute_length_or_value) }, /* Value of attribute if attribute format flag is zero */ { ATTRIBUTE_VALUE, offsetof(private_transform_attribute_t, attribute_value) } }; @@ -95,162 +95,106 @@ encoding_rule_t transform_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_transform_attribute_t *this) +METHOD(payload_t, verify, status_t, + private_transform_attribute_t *this) { - if (this->attribute_type != KEY_LENGTH) - { - return FAILED; - } - return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_transform_attribute_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = transform_attribute_encodings; - *rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(transform_attribute_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_transform_attribute_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_transform_attribute_t *this) { return TRANSFORM_ATTRIBUTE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_transform_attribute_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_transform_attribute_t *this) { - return (NO_PAYLOAD); + return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_transform_attribute_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_transform_attribute_t *this, payload_type_t type) { } -/** - * Implementation of transform_attribute_t.get_length. - */ -static size_t get_length(private_transform_attribute_t *this) +METHOD(payload_t, get_length, size_t, + private_transform_attribute_t *this) { - if (this->attribute_format == TRUE) + if (this->attribute_format) { - /*Attribute size is only 4 byte */ return 4; } - return (this->attribute_length_or_value + 4); + return this->attribute_length_or_value + 4; } -/** - * Implementation of transform_attribute_t.set_value_chunk. - */ -static void set_value_chunk(private_transform_attribute_t *this, chunk_t value) +METHOD(transform_attribute_t, set_value_chunk, void, + private_transform_attribute_t *this, chunk_t value) { - if (this->attribute_value.ptr != NULL) - { - /* free existing value */ - free(this->attribute_value.ptr); - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - } + chunk_free(&this->attribute_value); - if (value.len > 2) + if (value.len != 2) { - this->attribute_value.ptr = clalloc(value.ptr,value.len); - this->attribute_value.len = value.len; + this->attribute_value = chunk_clone(value); this->attribute_length_or_value = value.len; - /* attribute has not a fixed length */ this->attribute_format = FALSE; } else { - memcpy(&(this->attribute_length_or_value),value.ptr,value.len); + memcpy(&this->attribute_length_or_value, value.ptr, value.len); } } -/** - * Implementation of transform_attribute_t.set_value. - */ -static void set_value(private_transform_attribute_t *this, u_int16_t value) +METHOD(transform_attribute_t, set_value, void, + private_transform_attribute_t *this, u_int16_t value) { - if (this->attribute_value.ptr != NULL) - { - /* free existing value */ - free(this->attribute_value.ptr); - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - } + chunk_free(&this->attribute_value); this->attribute_length_or_value = value; + this->attribute_format = TRUE; } -/** - * Implementation of transform_attribute_t.get_value_chunk. - */ -static chunk_t get_value_chunk (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_value_chunk, chunk_t, + private_transform_attribute_t *this) { - chunk_t value; - - if (this->attribute_format == FALSE) + if (this->attribute_format) { - value.ptr = this->attribute_value.ptr; - value.len = this->attribute_value.len; + return chunk_from_thing(this->attribute_length_or_value); } - else - { - value.ptr = (void *) &(this->attribute_length_or_value); - value.len = 2; - } - - return value; + return this->attribute_value; } -/** - * Implementation of transform_attribute_t.get_value. - */ -static u_int16_t get_value (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_value, u_int16_t, + private_transform_attribute_t *this) { return this->attribute_length_or_value; } - -/** - * Implementation of transform_attribute_t.set_attribute_type. - */ -static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type) +METHOD(transform_attribute_t, set_attribute_type, void, + private_transform_attribute_t *this, u_int16_t type) { this->attribute_type = type & 0x7FFF; } -/** - * Implementation of transform_attribute_t.get_attribute_type. - */ -static u_int16_t get_attribute_type (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_attribute_type, u_int16_t, + private_transform_attribute_t *this) { return this->attribute_type; } -/** - * Implementation of transform_attribute_t.clone. - */ -static transform_attribute_t * _clone(private_transform_attribute_t *this) +METHOD(transform_attribute_t, clone_, transform_attribute_t*, + private_transform_attribute_t *this) { private_transform_attribute_t *new_clone; - new_clone = (private_transform_attribute_t *) transform_attribute_create(); + new_clone = (private_transform_attribute_t *)transform_attribute_create(); new_clone->attribute_format = this->attribute_format; new_clone->attribute_type = this->attribute_type; @@ -258,22 +202,15 @@ static transform_attribute_t * _clone(private_transform_attribute_t *this) if (!new_clone->attribute_format) { - new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len); - new_clone->attribute_value.len = this->attribute_value.len; + new_clone->attribute_value = chunk_clone(this->attribute_value); } - - return (transform_attribute_t *) new_clone; + return &new_clone->public; } -/** - * Implementation of transform_attribute_t.destroy and payload_t.destroy. - */ -static void destroy(private_transform_attribute_t *this) +METHOD2(payload_t, transform_attribute_t, destroy, void, + private_transform_attribute_t *this) { - if (this->attribute_value.ptr != NULL) - { - free(this->attribute_value.ptr); - } + free(this->attribute_value.ptr); free(this); } @@ -282,35 +219,31 @@ static void destroy(private_transform_attribute_t *this) */ transform_attribute_t *transform_attribute_create() { - private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t); - - /* payload interface */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk; - this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value; - this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk; - this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value; - this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type; - this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type; - this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone; - this->public.destroy = (void (*) (transform_attribute_t *)) destroy; - - /* set default values of the fields */ - this->attribute_format = TRUE; - this->attribute_type = 0; - this->attribute_length_or_value = 0; - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - return (&(this->public)); + private_transform_attribute_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_value_chunk = _set_value_chunk, + .set_value = _set_value, + .get_value_chunk = _get_value_chunk, + .get_value = _get_value, + .set_attribute_type = _set_attribute_type, + .get_attribute_type = _get_attribute_type, + .clone = _clone_, + .destroy = _destroy, + }, + .attribute_format = TRUE, + ); + return &this->public; } /* @@ -319,7 +252,7 @@ transform_attribute_t *transform_attribute_create() transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length) { transform_attribute_t *attribute = transform_attribute_create(); - attribute->set_attribute_type(attribute,KEY_LENGTH); - attribute->set_value(attribute,key_length); + attribute->set_attribute_type(attribute, KEY_LENGTH); + attribute->set_value(attribute, key_length); return attribute; } diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c index c94f6c1a2..0428da726 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.c +++ b/src/libcharon/encoding/payloads/transform_substructure.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -24,14 +25,13 @@ #include #include - typedef struct private_transform_substructure_t private_transform_substructure_t; /** * Private data of an transform_substructure_t object. - * */ struct private_transform_substructure_t { + /** * Public transform_substructure_t interface. */ @@ -41,14 +41,16 @@ struct private_transform_substructure_t { * Next payload type. */ u_int8_t next_payload; - + /** + * Reserved bytes + */ + u_int8_t reserved[2]; /** * Length of this payload. */ u_int16_t transform_length; - /** * Type of the transform. */ @@ -65,30 +67,28 @@ struct private_transform_substructure_t { linked_list_t *attributes; }; - /** * Encoding rules to parse or generate a Transform substructure. * * The defined offsets are the positions in a object of type * private_transform_substructure_t. - * */ encoding_rule_t transform_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_transform_substructure_t, next_payload) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { U_INT_8, offsetof(private_transform_substructure_t, next_payload) }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[0]) }, /* Length of the whole transform substructure*/ - { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length) }, + { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length)}, /* transform type is a number of 8 bit */ - { U_INT_8, offsetof(private_transform_substructure_t, transform_type) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { U_INT_8, offsetof(private_transform_substructure_t, transform_type) }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[1]) }, /* tranform ID is a number of 8 bit */ - { U_INT_16, offsetof(private_transform_substructure_t, transform_id) }, + { U_INT_16, offsetof(private_transform_substructure_t, transform_id) }, /* Attributes are stored in a transform attribute, offset points to a linked_list_t pointer */ - { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } + { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } }; /* @@ -105,19 +105,15 @@ encoding_rule_t transform_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_transform_substructure_t *this) +METHOD(payload_t, verify, status_t, + private_transform_substructure_t *this) { status_t status = SUCCESS; - iterator_t *iterator; - payload_t *current_attributes; + enumerator_t *enumerator; + payload_t *attribute; - if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3)) + if (this->next_payload != NO_PAYLOAD && this->next_payload != 3) { - /* must be 0 or 3 */ DBG1(DBG_ENC, "inconsistent next payload"); return FAILED; } @@ -138,45 +134,41 @@ static status_t verify(private_transform_substructure_t *this) return FAILED; } } - iterator = this->attributes->create_iterator(this->attributes,TRUE); - while(iterator->iterate(iterator, (void**)¤t_attributes)) + enumerator = this->attributes->create_enumerator(this->attributes); + while (enumerator->enumerate(enumerator, &attribute)) { - status = current_attributes->verify(current_attributes); + status = attribute->verify(attribute); if (status != SUCCESS) { DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed"); + break; } } - iterator->destroy(iterator); + enumerator->destroy(enumerator); /* proposal number is checked in SA payload */ return status; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_transform_substructure_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = transform_substructure_encodings; - *rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(transform_substructure_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_transform_substructure_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_transform_substructure_t *this) { return TRANSFORM_SUBSTRUCTURE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_transform_substructure_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_transform_substructure_t *this) { - return (this->next_payload); + return this->next_payload; } /** @@ -184,154 +176,69 @@ static payload_type_t get_next_type(private_transform_substructure_t *this) */ static void compute_length (private_transform_substructure_t *this) { - iterator_t *iterator; - payload_t *current_attribute; - size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + enumerator_t *enumerator; + payload_t *attribute; - iterator = this->attributes->create_iterator(this->attributes,TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) + this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + enumerator = this->attributes->create_enumerator(this->attributes); + while (enumerator->enumerate(enumerator, &attribute)) { - length += current_attribute->get_length(current_attribute); + this->transform_length += attribute->get_length(attribute); } - iterator->destroy(iterator); - - this->transform_length = length; + enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_transform_substructure_t *this) +METHOD(payload_t, get_length, size_t, + private_transform_substructure_t *this) { - compute_length(this); return this->transform_length; } -/** - * Implementation of transform_substructure_t.create_transform_attribute_iterator. - */ -static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward) -{ - return this->attributes->create_iterator(this->attributes,forward); -} - -/** - * Implementation of transform_substructure_t.add_transform_attribute. - */ -static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute) -{ - this->attributes->insert_last(this->attributes,(void *) attribute); - compute_length(this); -} - -/** - * Implementation of transform_substructure_t.set_is_last_transform. - */ -static void set_is_last_transform (private_transform_substructure_t *this, bool is_last) -{ - this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE; -} - -/** - * Implementation of transform_substructure_t.get_is_last_transform. - */ -static bool get_is_last_transform (private_transform_substructure_t *this) -{ - return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE); -} - -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_transform_substructure_t *this,payload_type_t type) +METHOD(transform_substructure_t, set_is_last_transform, void, + private_transform_substructure_t *this, bool is_last) { + this->next_payload = is_last ? 0: TRANSFORM_TYPE_VALUE; } -/** - * Implementation of transform_substructure_t.set_transform_type. - */ -static void set_transform_type (private_transform_substructure_t *this,u_int8_t type) +METHOD(payload_t, set_next_type, void, + private_transform_substructure_t *this,payload_type_t type) { - this->transform_type = type; } -/** - * Implementation of transform_substructure_t.get_transform_type. - */ -static u_int8_t get_transform_type (private_transform_substructure_t *this) +METHOD(transform_substructure_t, get_transform_type, u_int8_t, + private_transform_substructure_t *this) { return this->transform_type; } -/** - * Implementation of transform_substructure_t.set_transform_id. - */ -static void set_transform_id (private_transform_substructure_t *this,u_int16_t id) -{ - this->transform_id = id; -} - -/** - * Implementation of transform_substructure_t.get_transform_id. - */ -static u_int16_t get_transform_id (private_transform_substructure_t *this) +METHOD(transform_substructure_t, get_transform_id, u_int16_t, + private_transform_substructure_t *this) { return this->transform_id; } -/** - * Implementation of transform_substructure_t.clone. - */ -static transform_substructure_t *clone_(private_transform_substructure_t *this) -{ - private_transform_substructure_t *clone; - iterator_t *attributes; - transform_attribute_t *current_attribute; - - clone = (private_transform_substructure_t *) transform_substructure_create(); - clone->next_payload = this->next_payload; - clone->transform_type = this->transform_type; - clone->transform_id = this->transform_id; - - attributes = this->attributes->create_iterator(this->attributes, FALSE); - while (attributes->iterate(attributes, (void**)¤t_attribute)) - { - current_attribute = current_attribute->clone(current_attribute); - clone->public.add_transform_attribute(&clone->public, current_attribute); - } - attributes->destroy(attributes); - - return &clone->public; -} - - -/** - * Implementation of transform_substructure_t.get_key_length. - */ -static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length) +METHOD(transform_substructure_t, get_key_length, status_t, + private_transform_substructure_t *this, u_int16_t *key_length) { - iterator_t *attributes; - transform_attribute_t *current_attribute; + enumerator_t *enumerator; + transform_attribute_t *attribute; - attributes = this->attributes->create_iterator(this->attributes, TRUE); - while (attributes->iterate(attributes, (void**)¤t_attribute)) + enumerator = this->attributes->create_enumerator(this->attributes); + while (enumerator->enumerate(enumerator, &attribute)) { - if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH) + if (attribute->get_attribute_type(attribute) == KEY_LENGTH) { - *key_length = current_attribute->get_value(current_attribute); - attributes->destroy(attributes); + *key_length = attribute->get_value(attribute); + enumerator->destroy(enumerator); return SUCCESS; } } - attributes->destroy(attributes); + enumerator->destroy(enumerator); return FAILED; } - -/** - * Implementation of transform_substructure_t.destroy and payload_t.destroy. - */ -static void destroy(private_transform_substructure_t *this) +METHOD2(payload_t, transform_substructure_t, destroy, void, + private_transform_substructure_t *this) { this->attributes->destroy_offset(this->attributes, offsetof(transform_attribute_t, destroy)); @@ -343,60 +250,50 @@ static void destroy(private_transform_substructure_t *this) */ transform_substructure_t *transform_substructure_create() { - private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t); - - /* payload interface */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator; - this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute; - this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform; - this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform; - this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type; - this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type; - this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id; - this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id; - this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length; - this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_; - this->public.destroy = (void (*) (transform_substructure_t *)) destroy; - - /* set default values of the fields */ - this->next_payload = NO_PAYLOAD; - this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; - this->transform_id = 0; - this->transform_type = 0; - this->attributes = linked_list_create(); - - return (&(this->public)); + private_transform_substructure_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_is_last_transform = _set_is_last_transform, + .get_transform_type = _get_transform_type, + .get_transform_id = _get_transform_id, + .get_key_length = _get_key_length, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH, + .attributes = linked_list_create(), + ); + return &this->public; } /* * Described in header */ transform_substructure_t *transform_substructure_create_type( - transform_type_t transform_type, - u_int16_t transform_id, u_int16_t key_length) + transform_type_t type, u_int16_t id, u_int16_t key_length) { - transform_substructure_t *transform = transform_substructure_create(); + private_transform_substructure_t *this; - transform->set_transform_type(transform,transform_type); - transform->set_transform_id(transform,transform_id); + this = (private_transform_substructure_t*)transform_substructure_create(); + this->transform_type = type; + this->transform_id = id; if (key_length) { - transform_attribute_t *attribute; - - attribute = transform_attribute_create_key_length(key_length); - transform->add_transform_attribute(transform, attribute); - + this->attributes->insert_last(this->attributes, + (void*)transform_attribute_create_key_length(key_length)); + compute_length(this); } - return transform; + return &this->public; } diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index 5d31f8c0a..c961700a4 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -34,7 +34,6 @@ typedef struct transform_substructure_t transform_substructure_t; #include #include - /** * IKEv1 Value for a transform payload. */ @@ -45,31 +44,18 @@ typedef struct transform_substructure_t transform_substructure_t; */ #define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8 - /** * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE. * * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2. */ struct transform_substructure_t { + /** * The payload_t interface. */ payload_t payload_interface; - /** - * Creates an iterator of stored transform_attribute_t objects. - * - * When deleting an transform attribute using this iterator, - * the length of this transform substructure has to be refreshed - * by calling get_length(). - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object. - */ - iterator_t * (*create_transform_attribute_iterator) ( - transform_substructure_t *this, bool forward); - /** * Adds a transform_attribute_t object to this object. * @@ -88,20 +74,6 @@ struct transform_substructure_t { */ void (*set_is_last_transform) (transform_substructure_t *this, bool is_last); - /** - * Checks if this is the last transform. - * - * @return TRUE if this is the last Transform, FALSE otherwise - */ - bool (*get_is_last_transform) (transform_substructure_t *this); - - /** - * Sets transform type of the current transform substructure. - * - * @param type type value to set - */ - void (*set_transform_type) (transform_substructure_t *this, u_int8_t type); - /** * get transform type of the current transform. * @@ -110,21 +82,14 @@ struct transform_substructure_t { u_int8_t (*get_transform_type) (transform_substructure_t *this); /** - * Sets transform id of the current transform substructure. - * - * @param id transform id to set - */ - void (*set_transform_id) (transform_substructure_t *this, u_int16_t id); - - /** - * get transform id of the current transform. + * Get transform id of the current transform. * * @return Transform id of current transform substructure. */ u_int16_t (*get_transform_id) (transform_substructure_t *this); /** - * get transform id of the current transform. + * Get transform id of the current transform. * * @param key_length The key length is written to this location * @return @@ -135,13 +100,6 @@ struct transform_substructure_t { status_t (*get_key_length) (transform_substructure_t *this, u_int16_t *key_length); - /** - * Clones an transform_substructure_t object. - * - * @return cloned transform_substructure_t object - */ - transform_substructure_t* (*clone) (transform_substructure_t *this); - /** * Destroys an transform_substructure_t object. */ @@ -151,24 +109,19 @@ struct transform_substructure_t { /** * Creates an empty transform_substructure_t object. * - * @return created transform_substructure_t object + * @return created transform_substructure_t object */ transform_substructure_t *transform_substructure_create(void); /** * Creates an empty transform_substructure_t object. * - * The key length is used for the transport types ENCRYPTION_ALGORITHM, - * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all - * other transport types the key_length parameter is not used - * - * @param transform_type type of transform to create - * @param transform_id transform id specifying the specific algorithm of a transform type - * @param key_length Key length for key lenght attribute - * @return transform_substructure_t object + * @param type type of transform to create + * @param id transform id specifc for the transform type + * @param key_length key length for key lenght attribute, 0 to omit + * @return transform_substructure_t object */ transform_substructure_t *transform_substructure_create_type( - transform_type_t transform_type, u_int16_t transform_id, - u_int16_t key_length); + transform_type_t type, u_int16_t id, u_int16_t key_length); #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c index 6bf3e4293..28f760e40 100644 --- a/src/libcharon/encoding/payloads/ts_payload.c +++ b/src/libcharon/encoding/payloads/ts_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -25,9 +26,9 @@ typedef struct private_ts_payload_t private_ts_payload_t; /** * Private data of an ts_payload_t object. - * */ struct private_ts_payload_t { + /** * Public ts_payload_t interface. */ @@ -48,6 +49,16 @@ struct private_ts_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved_bit[7]; + + /** + * reserved bytes + */ + bool reserved_byte[3]; + /** * Length of this payload. */ @@ -56,12 +67,12 @@ struct private_ts_payload_t { /** * Number of traffic selectors */ - u_int8_t number_of_traffic_selectors; + u_int8_t ts_num; /** * Contains the traffic selectors of type traffic_selector_substructure_t. */ - linked_list_t *traffic_selectors; + linked_list_t *substrs; }; /** @@ -69,31 +80,30 @@ struct private_ts_payload_t { * * The defined offsets are the positions in a object of type * private_ts_payload_t. - * */ encoding_rule_t ts_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ts_payload_t, next_payload) }, + { U_INT_8, offsetof(private_ts_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_ts_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ts_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length) }, /* 1 Byte TS type*/ - { U_INT_8, offsetof(private_ts_payload_t, number_of_traffic_selectors) }, + { U_INT_8, offsetof(private_ts_payload_t, ts_num) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[2])}, /* some ts data bytes, length is defined in PAYLOAD_LENGTH */ - { TRAFFIC_SELECTORS, offsetof(private_ts_payload_t, traffic_selectors) } + { TRAFFIC_SELECTORS,offsetof(private_ts_payload_t, substrs) } }; /* @@ -110,71 +120,56 @@ encoding_rule_t ts_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ts_payload_t *this) +METHOD(payload_t, verify, status_t, + private_ts_payload_t *this) { - iterator_t *iterator; - payload_t *current_traffic_selector; + enumerator_t *enumerator; + payload_t *substr; status_t status = SUCCESS; - if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors))) + if (this->ts_num != this->substrs->get_count(this->substrs)) { - /* must be the same */ return FAILED; } - - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); - while(iterator->iterate(iterator, (void**)¤t_traffic_selector)) + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &substr)) { - status = current_traffic_selector->verify(current_traffic_selector); + status = substr->verify(substr); if (status != SUCCESS) { break; } } - iterator->destroy(iterator); + enumerator->destroy(enumerator); return status; } -/** - * Implementation of ts_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = ts_payload_encodings; - *rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(ts_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_ts_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_ts_payload_t *this) { if (this->is_initiator) { return TRAFFIC_SELECTOR_INITIATOR; } - else - { - return TRAFFIC_SELECTOR_RESPONDER; - } + return TRAFFIC_SELECTOR_RESPONDER; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_ts_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_ts_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_ts_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_ts_payload_t *this,payload_type_t type) { this->next_payload = type; } @@ -182,95 +177,64 @@ static void set_next_type(private_ts_payload_t *this,payload_type_t type) /** * recompute the length of the payload. */ -static void compute_length (private_ts_payload_t *this) +static void compute_length(private_ts_payload_t *this) { - iterator_t *iterator; - size_t ts_count = 0; - size_t length = TS_PAYLOAD_HEADER_LENGTH; - payload_t *current_traffic_selector; + enumerator_t *enumerator; + payload_t *subst; - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); - while (iterator->iterate(iterator, (void**)¤t_traffic_selector)) + this->payload_length = TS_PAYLOAD_HEADER_LENGTH; + this->ts_num = 0; + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &subst)) { - length += current_traffic_selector->get_length(current_traffic_selector); - ts_count++; + this->payload_length += subst->get_length(subst); + this->ts_num++; } - iterator->destroy(iterator); - - this->number_of_traffic_selectors= ts_count; - this->payload_length = length; + enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_ts_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_ts_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of ts_payload_t.get_initiator. - */ -static bool get_initiator (private_ts_payload_t *this) +METHOD(ts_payload_t, get_initiator, bool, + private_ts_payload_t *this) { - return (this->is_initiator); + return this->is_initiator; } -/** - * Implementation of ts_payload_t.set_initiator. - */ -static void set_initiator (private_ts_payload_t *this,bool is_initiator) +METHOD(ts_payload_t, set_initiator, void, + private_ts_payload_t *this,bool is_initiator) { this->is_initiator = is_initiator; } -/** - * Implementation of ts_payload_t.add_traffic_selector_substructure. - */ -static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector) -{ - this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector); - this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors); -} - -/** - * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator. - */ -static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward) -{ - return this->traffic_selectors->create_iterator(this->traffic_selectors,forward); -} - -/** - * Implementation of ts_payload_t.get_traffic_selectors. - */ -static linked_list_t *get_traffic_selectors(private_ts_payload_t *this) +METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*, + private_ts_payload_t *this) { traffic_selector_t *ts; - iterator_t *iterator; - traffic_selector_substructure_t *ts_substructure; - linked_list_t *ts_list = linked_list_create(); + enumerator_t *enumerator; + traffic_selector_substructure_t *subst; + linked_list_t *list; - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE); - while (iterator->iterate(iterator, (void**)&ts_substructure)) + list = linked_list_create(); + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &subst)) { - ts = ts_substructure->get_traffic_selector(ts_substructure); - ts_list->insert_last(ts_list, (void*)ts); + ts = subst->get_traffic_selector(subst); + list->insert_last(list, ts); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); - return ts_list; + return list; } -/** - * Implementation of payload_t.destroy and ts_payload_t.destroy. - */ -static void destroy(private_ts_payload_t *this) +METHOD2(payload_t, ts_payload_t, destroy, void, + private_ts_payload_t *this) { - this->traffic_selectors->destroy_offset(this->traffic_selectors, - offsetof(payload_t, destroy)); + this->substrs->destroy_offset(this->substrs, offsetof(payload_t, destroy)); free(this); } @@ -279,56 +243,53 @@ static void destroy(private_ts_payload_t *this) */ ts_payload_t *ts_payload_create(bool is_initiator) { - private_ts_payload_t *this = malloc_thing(private_ts_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (ts_payload_t *)) destroy; - this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator; - this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator; - this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure; - this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator; - this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =TS_PAYLOAD_HEADER_LENGTH; - this->is_initiator = is_initiator; - this->number_of_traffic_selectors = 0; - this->traffic_selectors = linked_list_create(); + private_ts_payload_t *this; - return &(this->public); + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_initiator = _get_initiator, + .set_initiator = _set_initiator, + .get_traffic_selectors = _get_traffic_selectors, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = TS_PAYLOAD_HEADER_LENGTH, + .is_initiator = is_initiator, + .substrs = linked_list_create(), + ); + return &this->public; } /* * Described in header */ -ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors) +ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, + linked_list_t *traffic_selectors) { - iterator_t *iterator; + enumerator_t *enumerator; traffic_selector_t *ts; - traffic_selector_substructure_t *ts_substructure; + traffic_selector_substructure_t *subst; private_ts_payload_t *this; this = (private_ts_payload_t*)ts_payload_create(is_initiator); - iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) + enumerator = traffic_selectors->create_enumerator(traffic_selectors); + while (enumerator->enumerate(enumerator, &ts)) { - ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts); - this->public.add_traffic_selector_substructure(&(this->public), ts_substructure); + subst = traffic_selector_substructure_create_from_traffic_selector(ts); + this->substrs->insert_last(this->substrs, subst); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); + compute_length(this); - return &(this->public); + return &this->public; } - diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h index d322ff1a8..88ca00bc9 100644 --- a/src/libcharon/encoding/payloads/ts_payload.h +++ b/src/libcharon/encoding/payloads/ts_payload.h @@ -19,7 +19,6 @@ * @{ @ingroup payloads */ - #ifndef TS_PAYLOAD_H_ #define TS_PAYLOAD_H_ @@ -36,13 +35,13 @@ typedef struct ts_payload_t ts_payload_t; */ #define TS_PAYLOAD_HEADER_LENGTH 8 - /** * Class representing an IKEv2 TS payload. * * The TS payload format is described in RFC section 3.13. */ struct ts_payload_t { + /** * The payload_t interface. */ @@ -66,27 +65,6 @@ struct ts_payload_t { */ void (*set_initiator) (ts_payload_t *this,bool is_initiator); - /** - * Adds a traffic_selector_substructure_t object to this object. - * - * @param traffic_selector traffic_selector_substructure_t object to add - */ - void (*add_traffic_selector_substructure) (ts_payload_t *this, - traffic_selector_substructure_t *traffic_selector); - - /** - * Creates an iterator of stored traffic_selector_substructure_t objects. - * - * When removing an traffic_selector_substructure_t object - * using this iterator, the length of this payload - * has to get refreshed by calling payload_t.get_length! - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object - */ - iterator_t *(*create_traffic_selector_substructure_iterator) ( - ts_payload_t *this, bool forward); - /** * Get a list of nested traffic selectors as traffic_selector_t. * @@ -105,19 +83,15 @@ struct ts_payload_t { /** * Creates an empty ts_payload_t object. * - * @param is_initiator - * - TRUE if this payload is of type TSi - * - FALSE if this payload is of type TSr - * @return ts_payload_t object + * @param is_initiator TRUE for TSi, FALSE for TSr payload type + * @return ts_payload_t object */ ts_payload_t *ts_payload_create(bool is_initiator); /** * Creates ts_payload with a list of traffic_selector_t * - * @param is_initiator - * - TRUE if this payload is of type TSi - * - FALSE if this payload is of type TSr + * @param is_initiator TRUE for TSi, FALSE for TSr payload type * @param traffic_selectors list of traffic selectors to include * @return ts_payload_t object */ diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c index dd5547dc3..27af338b3 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.c +++ b/src/libcharon/encoding/payloads/unknown_payload.c @@ -18,8 +18,6 @@ #include "unknown_payload.h" - - typedef struct private_unknown_payload_t private_unknown_payload_t; /** @@ -32,6 +30,11 @@ struct private_unknown_payload_t { */ unknown_payload_t public; + /** + * Type of this payload + */ + payload_type_t type; + /** * Next payload type. */ @@ -42,6 +45,11 @@ struct private_unknown_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -62,21 +70,21 @@ struct private_unknown_payload_t { */ encoding_rule_t unknown_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_unknown_payload_t, next_payload)}, + { U_INT_8, offsetof(private_unknown_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_unknown_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_unknown_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length) }, /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */ - { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) } + { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }, }; /* @@ -91,111 +99,109 @@ encoding_rule_t unknown_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_unknown_payload_t *this) +METHOD(payload_t, verify, status_t, + private_unknown_payload_t *this) { - /* can't do any checks, so we assume its good */ + if (this->payload_length != UNKNOWN_PAYLOAD_HEADER_LENGTH + this->data.len) + { + return FAILED; + } return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = unknown_payload_encodings; *rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_unknown_payload_t *this) +METHOD(payload_t, get_payload_type, payload_type_t, + private_unknown_payload_t *this) { - return UNKNOWN_PAYLOAD; + return this->type; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_unknown_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_unknown_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_unknown_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_unknown_payload_t *this,payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_unknown_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_unknown_payload_t *this) { return this->payload_length; } -/** - * Implementation of unknown_payload_t.get_data. - */ -static bool is_critical(private_unknown_payload_t *this) +METHOD(unknown_payload_t, is_critical, bool, + private_unknown_payload_t *this) { return this->critical; } -/** - * Implementation of unknown_payload_t.get_data. - */ -static chunk_t get_data (private_unknown_payload_t *this) +METHOD(unknown_payload_t, get_data, chunk_t, + private_unknown_payload_t *this) { - return (this->data); + return this->data; } -/** - * Implementation of payload_t.destroy and unknown_payload_t.destroy. - */ -static void destroy(private_unknown_payload_t *this) +METHOD2(payload_t, unknown_payload_t, destroy, void, + private_unknown_payload_t *this) { - if (this->data.ptr != NULL) - { - chunk_free(&(this->data)); - } - + free(this->data.ptr); free(this); } /* * Described in header */ -unknown_payload_t *unknown_payload_create() +unknown_payload_t *unknown_payload_create(payload_type_t type) +{ + private_unknown_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_payload_type, + .destroy = _destroy, + }, + .is_critical = _is_critical, + .get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH, + .type = type, + ); + + return &this->public; +} + + +/* + * Described in header + */ +unknown_payload_t *unknown_payload_create_data(payload_type_t type, + bool critical, chunk_t data) { - private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (unknown_payload_t *)) destroy; - this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical; - this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - - return (&(this->public)); + private_unknown_payload_t *this; + + this = (private_unknown_payload_t*)unknown_payload_create(type); + this->data = data; + this->critical = critical; + this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len; + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h index c761ed2b6..5ae85331b 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.h +++ b/src/libcharon/encoding/payloads/unknown_payload.h @@ -70,10 +70,22 @@ struct unknown_payload_t { }; /** - * Creates an empty unknown_payload_t object. + * Creates an empty unknown_payload_t. * - * @return unknown_payload_t object + * @param type of the payload + * @return unknown_payload_t object */ -unknown_payload_t *unknown_payload_create(void); +unknown_payload_t *unknown_payload_create(payload_type_t type); + +/** + * Create an unknown payload with data. + * + * @param type type of payload to create + * @param critical TRUE to set critical bit + * @param data data to set for this payload, gets owned by payload + * @return payload object + */ +unknown_payload_t *unknown_payload_create_data(payload_type_t type, + bool critical, chunk_t data); #endif /** UNKNOWN_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c index bf33d2418..e9e80e989 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.c +++ b/src/libcharon/encoding/payloads/vendor_id_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -40,6 +41,11 @@ struct private_vendor_id_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -59,21 +65,21 @@ struct private_vendor_id_payload_t { */ encoding_rule_t vendor_id_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) }, + { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_vendor_id_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_vendor_id_payload_t, payload_length)}, /* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */ - { VID_DATA, offsetof(private_vendor_id_payload_t, data) } + { VID_DATA, offsetof(private_vendor_id_payload_t, data) } }; /* @@ -88,68 +94,52 @@ encoding_rule_t vendor_id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_vendor_id_payload_t *this) +METHOD(payload_t, verify, status_t, + private_vendor_id_payload_t *this) { return SUCCESS; } -/** - * Implementation of vendor_id_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_vendor_id_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_vendor_id_payload_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = vendor_id_payload_encodings; - *rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(vendor_id_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_vendor_id_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_vendor_id_payload_t *this) { return VENDOR_ID; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_vendor_id_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_vendor_id_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_vendor_id_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_vendor_id_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_vendor_id_payload_t *this) { return this->payload_length; } -/** - * Implementation of vendor_id_payload_t.get_data. - */ -static chunk_t get_data(private_vendor_id_payload_t *this) +METHOD(vendor_id_payload_t, get_data, chunk_t, + private_vendor_id_payload_t *this) { return this->data; } -/** - * Implementation of payload_t.destroy and vendor_id_payload_t.destroy. - */ -static void destroy(private_vendor_id_payload_t *this) +METHOD2(payload_t, vendor_id_payload_t, destroy, void, + private_vendor_id_payload_t *this) { free(this->data.ptr); free(this); @@ -158,38 +148,35 @@ static void destroy(private_vendor_id_payload_t *this) /* * Described in header */ -vendor_id_payload_t *vendor_id_payload_create() +vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) { - private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data; - - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; + private_vendor_id_payload_t *this; + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len, + .data = data, + ); return &this->public; } /* * Described in header */ -vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) +vendor_id_payload_t *vendor_id_payload_create() { - private_vendor_id_payload_t *this; - - this = (private_vendor_id_payload_t*)vendor_id_payload_create(); - this->payload_length += data.len; - this->data = data; - - return &this->public; + return vendor_id_payload_create_data(chunk_empty); } - diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h index 241535cac..4e4e7d8eb 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.h +++ b/src/libcharon/encoding/payloads/vendor_id_payload.h @@ -50,6 +50,11 @@ struct vendor_id_payload_t { * @return VID data, pointing to an internal chunk_t */ chunk_t (*get_data)(vendor_id_payload_t *this); + + /** + * Destroy Vendor ID payload. + */ + void (*destroy)(vendor_id_payload_t *this); }; /** diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 426d1a689..018318a59 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c index 44ef38d85..12cf0c941 100644 --- a/src/libcharon/plugins/addrblock/addrblock_validator.c +++ b/src/libcharon/plugins/addrblock/addrblock_validator.c @@ -1,8 +1,6 @@ /* - * Copyright (C) 2010 Martin Willi - * Copyright (C) 2010 revosec AG - * Copyright (C) 2009 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2010 Martin Willi, revosec AG + * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -90,7 +88,8 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer) METHOD(cert_validator_t, validate, bool, private_addrblock_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, int pathlen, bool anchor, + auth_cfg_t *auth) { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509) diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index d80868798..7d6eb2b9c 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c index aa7fc6f92..601c91e7b 100644 --- a/src/libcharon/plugins/android/android_creds.c +++ b/src/libcharon/plugins/android/android_creds.c @@ -235,7 +235,7 @@ METHOD(android_creds_t, set_username_password, void, DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); - this->pass = password ? strdup(password) : NULL; + this->pass = strdupnull(password); this->lock->unlock(this->lock); } diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index f9a8e1ea1..487567f2a 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -291,8 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this) peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index e843c42e8..8046fc052 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index e1e83d648..8851c1b79 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -459,7 +459,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) { dhcp_transaction_t *transaction = NULL; enumerator_t *enumerator; - host_t *offer, *server; + host_t *offer, *server = NULL; offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); @@ -500,7 +500,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) chunk_create((char*)&option->data[pos], 4)); } } - if (option->type == DHCP_SERVER_ID && option->len == 4) + if (!server && option->type == DHCP_SERVER_ID && option->len == 4) { server = host_create_from_chunk(AF_INET, chunk_create(option->data, 4), DHCP_SERVER_PORT); @@ -515,12 +515,11 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) } DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); transaction->set_address(transaction, offer->clone(offer)); - transaction->set_server(transaction, server->clone(server)); + transaction->set_server(transaction, server); } this->mutex->unlock(this->mutex); this->condvar->broadcast(this->condvar); offer->destroy(offer); - server->destroy(server); } /** diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index c0750786d..4a23f9010 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index 41f69546e..ad1ae1906 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 02d659197..142a35e50 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 46011694a..5c1e07ade 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 2e307147f..4e01d96cc 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 635cfe6ec..495ccf441 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 1d771d9a4..99084e2c1 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index d05930bbd..90f203f61 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 46a584265..3cd766a75 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 2d8556a59..a48fb652a 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -225,9 +225,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -266,6 +264,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index e59015f82..f2af3ae0d 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 3c66d2f36..9a58a6055 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index e4b78faf8..9ebb85be9 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index fb7108a8a..cf75585ef 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index f0bff0e1f..dd4ed5322 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -18,7 +18,7 @@ #include #include -#include +#include typedef struct private_eap_tnc_t private_eap_tnc_t; @@ -114,6 +114,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, private_eap_tnc_t *this; size_t frag_size; int max_msg_count; + char* protocol; + tnccs_type_t type; tnccs_t *tnccs; INIT(this, @@ -133,7 +135,27 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, "charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN); max_msg_count = lib->settings->get_int(lib->settings, "charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT); - tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server); + protocol = lib->settings->get_str(lib->settings, + "charon.plugins.eap-tnc.protocol", "tnccs-1.1"); + if (strcaseeq(protocol, "tnccs-2.0")) + { + type = TNCCS_2_0; + } + else if (strcaseeq(protocol, "tnccs-1.1")) + { + type = TNCCS_1_1; + } + else if (strcaseeq(protocol, "tnccs-dynamic") && is_server) + { + type = TNCCS_DYNAMIC; + } + else + { + DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol); + free(this); + return NULL; + } + tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server); this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count); if (!this->tls_eap) { diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index 2cdd7701d..ff67686b2 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -225,9 +225,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -266,6 +264,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c index 10d08ca2a..29b0a9303 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -196,6 +196,7 @@ METHOD(tls_application_t, process, status_t, in->destroy(in); return NEED_MORE; } + this->start_phase2 = FALSE; } type = this->method->get_type(this->method, &vendor); diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index bfd50d6da..21e8b78db 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 3600eb7c6..2fcd7cc82 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index 980c0551a..15f7824f9 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -21,8 +21,8 @@ #include #include #include -#include +#include #include #define HA_FIFO IPSEC_PIDDIR "/charon.ha" @@ -60,13 +60,14 @@ struct private_ha_ctl_t { */ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) { - int fifo, old; + int fifo; + bool oldstate; char buf[8]; u_int segment; - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old); + oldstate = thread_cancelability(TRUE); fifo = open(HA_FIFO, O_RDONLY); - pthread_setcancelstate(old, NULL); + thread_cancelability(oldstate); if (fifo == -1) { DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index b46a221bd..85dc0f4a4 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -596,9 +596,9 @@ static void process_child_add(private_ha_dispatcher_t *this, if (initiator) { if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi, - inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS || + inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS || child_sa->install(child_sa, encr_i, integ_i, outbound_spi, - outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS) + outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS) { failed = TRUE; } @@ -606,9 +606,9 @@ static void process_child_add(private_ha_dispatcher_t *this, else { if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi, - inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS || + inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS || child_sa->install(child_sa, encr_r, integ_r, outbound_spi, - outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS) + outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS) { failed = TRUE; } diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 19e0f692e..7c7bef851 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -15,11 +15,10 @@ #include "ha_segments.h" -#include - #include #include #include +#include #include #define DEFAULT_HEARTBEAT_DELAY 1000 @@ -255,16 +254,15 @@ METHOD(listener_t, alert_hook, bool, */ static job_requeue_t watchdog(private_ha_segments_t *this) { - int oldstate; - bool timeout; + bool timeout, oldstate; this->mutex->lock(this->mutex); - pthread_cleanup_push((void*)this->mutex->unlock, this->mutex); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + thread_cleanup_push((void*)this->mutex->unlock, this->mutex); + oldstate = thread_cancelability(TRUE); timeout = this->condvar->timed_wait(this->condvar, this->mutex, this->heartbeat_timeout); - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(TRUE); + thread_cancelability(oldstate); + thread_cleanup_pop(TRUE); if (timeout) { DBG1(DBG_CFG, "no heartbeat received, taking all segments"); diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index 614c70ed3..086178442 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -20,10 +20,10 @@ #include #include #include -#include #include #include +#include #include typedef struct private_ha_socket_t private_ha_socket_t; @@ -121,12 +121,12 @@ METHOD(ha_socket_t, pull, ha_message_t*, { ha_message_t *message; char buf[1024]; - int oldstate; + bool oldstate; ssize_t len; - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + oldstate = thread_cancelability(TRUE); len = recv(this->fd, buf, sizeof(buf), 0); - pthread_setcancelstate(oldstate, NULL); + thread_cancelability(oldstate); if (len <= 0) { switch (errno) diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index fef84a430..299053ec1 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -223,8 +223,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535); diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index a4e529d89..fa1194fd0 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 85db9a10b..c921ec3db 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -225,9 +225,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -266,6 +264,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index a230aa3f5..71391d593 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -224,8 +224,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) } child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1"); child_cfg->add_proposal(child_cfg, proposal); ts = traffic_selector_create_dynamic(0, 0, 65535); diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index aece95e12..ef9d7f9ef 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -52,7 +52,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index cb9b80c7f..8fd65adfa 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -28,6 +28,8 @@ #include #include +static const char *plugin_name = "load_tester"; + typedef struct private_load_tester_plugin_t private_load_tester_plugin_t; /** @@ -189,7 +191,7 @@ plugin_t *load_tester_plugin_create() this = malloc_thing(private_load_tester_plugin_t); this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->crypto->add_dh(lib->crypto, MODP_NULL, + lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name, (dh_constructor_t)load_tester_diffie_hellman_create); this->delay = lib->settings->get_int(lib->settings, diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am index ed6c76c0f..0bf7fad5d 100644 --- a/src/libcharon/plugins/maemo/Makefile.am +++ b/src/libcharon/plugins/maemo/Makefile.am @@ -19,5 +19,9 @@ libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} dbusservice_DATA = org.strongswan.charon.service -EXTRA_DIST = $(dbusservice_DATA) +org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in + sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@ + +EXTRA_DIST = org.strongswan.charon.service.in +CLEANFILES = $(dbusservice_DATA) diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 978950d22..0ca1fa436 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -288,7 +288,8 @@ libstrongswan_maemo_la_SOURCES = \ libstrongswan_maemo_la_LDFLAGS = -module -avoid-version libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} dbusservice_DATA = org.strongswan.charon.service -EXTRA_DIST = $(dbusservice_DATA) +EXTRA_DIST = org.strongswan.charon.service.in +CLEANFILES = $(dbusservice_DATA) all: all-am .SUFFIXES: @@ -528,6 +529,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -626,6 +628,9 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES uninstall-pluginLTLIBRARIES +org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in + sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@ + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c index efd914a00..0e9fd8ccc 100644 --- a/src/libcharon/plugins/maemo/maemo_service.c +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -115,12 +115,11 @@ METHOD(listener_t, ike_updown, bool, return TRUE; } -METHOD(listener_t, child_state_change, bool, - private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - child_sa_state_t state) +METHOD(listener_t, ike_state_change, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) { /* this call back is only registered during initiation */ - if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + if (this->ike_sa == ike_sa && state == IKE_DESTROYING) { change_status(this, VPN_STATUS_CONNECTION_FAILED); return FALSE; @@ -138,7 +137,7 @@ METHOD(listener_t, child_updown, bool, { /* disable hooks registered to catch initiation failures */ this->public.listener.ike_updown = NULL; - this->public.listener.child_state_change = NULL; + this->public.listener.ike_state_change = NULL; change_status(this, VPN_STATUS_CONNECTED); } else @@ -347,7 +346,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, - FALSE, 0, 0, NULL, NULL); + ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -371,7 +370,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, this->ike_sa = ike_sa; this->status = VPN_STATUS_CONNECTING; this->public.listener.ike_updown = _ike_updown; - this->public.listener.child_state_change = _child_state_change; + this->public.listener.ike_state_change = _ike_state_change; charon->bus->add_listener(charon->bus, &this->public.listener); if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) @@ -464,7 +463,7 @@ maemo_service_t *maemo_service_create() .public = { .listener = { .ike_updown = _ike_updown, - .child_state_change = _child_state_change, + .ike_state_change = _ike_state_change, .child_updown = _child_updown, .ike_rekey = _ike_rekey, }, diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service deleted file mode 100644 index 7dd31ed60..000000000 --- a/src/libcharon/plugins/maemo/org.strongswan.charon.service +++ /dev/null @@ -1,4 +0,0 @@ -[D-BUS Service] -Name=org.strongswan.charon -Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon -User=root diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service.in b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in new file mode 100644 index 000000000..8fa83af93 --- /dev/null +++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in @@ -0,0 +1,4 @@ +[D-BUS Service] +Name=org.strongswan.charon +Exec=/usr/bin/run-standalone.sh @LIBEXECDIR@/ipsec/charon +User=root diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 6dcbc99dd..372a436a6 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 870d87c7e..b5672dba9 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -182,8 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); @@ -261,8 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->current->add_auth_cfg(this->current, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index f6db7d834..4bb65bd09 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index 2f5c20971..69af7bf83 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c index 638787019..ea98c056d 100644 --- a/src/libcharon/plugins/nm/nm_creds.c +++ b/src/libcharon/plugins/nm/nm_creds.c @@ -400,7 +400,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); - this->pass = password ? strdup(password) : NULL; + this->pass = strdupnull(password); this->lock->unlock(this->lock); } @@ -411,7 +411,7 @@ static void set_key_password(private_nm_creds_t *this, char *password) { this->lock->write_lock(this->lock); free(this->keypass); - this->keypass = password ? strdup(password) : NULL; + this->keypass = strdupnull(password); this->lock->unlock(this->lock); } @@ -423,7 +423,7 @@ static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin) this->lock->write_lock(this->lock); free(this->keypass); free(this->keyid.ptr); - this->keypass = pin ? strdup(pin) : NULL; + this->keypass = strdupnull(pin); this->keyid = chunk_clone(keyid); this->lock->unlock(this->lock); } diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index 72c5bbbb5..4300b57cf 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -518,8 +518,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index f24e2d1e7..3d2cef13c 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index bd85386b2..b82372e30 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 8e0790671..7a49088b2 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 5f4cba131..744b12fcf 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 7c4521785..4244d3b5e 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index a47d93f7b..dc016012c 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2006-2008 Martin Willi + * Copyright (C) 2010 Andreas Steffen * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -38,13 +39,13 @@ struct private_sql_config_t { }; /** - * forward declaration + * Forward declaration */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other); /** - * build a traffic selector from a SQL query + * Build a traffic selector from an SQL query */ static traffic_selector_t *build_traffic_selector(private_sql_config_t *this, enumerator_t *e, bool *local) @@ -119,24 +120,62 @@ static void add_traffic_selectors(private_sql_config_t *this, } /** - * build a Child configuration from a SQL query + * Add ESP proposals to a child config + */ +static void add_esp_proposals(private_sql_config_t *this, + child_cfg_t *child, int id) +{ + enumerator_t *e; + proposal_t *proposal; + char *prop; + bool use_default = TRUE; + + e = this->db->query(this->db, + "SELECT proposal " + "FROM proposals JOIN child_config_proposal ON id = prop " + "WHERE child_cfg = ? ORDER BY prio", + DB_INT, id, DB_TEXT); + if (e) + { + while (e->enumerate(e, &prop)) + { + proposal = proposal_create_from_string(PROTO_ESP, prop); + if (!proposal) + { + DBG1(DBG_CFG, "could not create ESP proposal from '%s'", prop); + break; + } + child->add_proposal(child, proposal); + use_default = FALSE; + } + e->destroy(e); + } + if (use_default) + { + child->add_proposal(child, proposal_create_default(PROTO_ESP)); + } +} + +/** + * Build a child config from an SQL query */ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) { - int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp; + int id, lifetime, rekeytime, jitter, hostaccess, mode, ipcomp, reqid; + int start, dpd, close; char *name, *updown; child_cfg_t *child_cfg; - if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, - &updown, &hostaccess, &mode, &dpd, &close, &ipcomp)) + if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown, + &hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid)) { lifetime_cfg_t lft = { .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } }; child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, - dpd, close, ipcomp, 0, 0, NULL, NULL); - /* TODO: read proposal from db */ - child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + start, dpd, close, ipcomp, 0, reqid, + NULL, NULL, 0); + add_esp_proposals(this, child_cfg, id); add_traffic_selectors(this, child_cfg, id); return child_cfg; } @@ -152,13 +191,13 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) child_cfg_t *child_cfg; e = this->db->query(this->db, - "SELECT id, name, lifetime, rekeytime, jitter, " - "updown, hostaccess, mode, dpd_action, close_action, ipcomp " + "SELECT id, name, lifetime, rekeytime, jitter, updown, hostaccess, " + "mode, start_action, dpd_action, close_action, ipcomp, reqid " "FROM child_configs JOIN peer_config_child_config ON id = child_cfg " "WHERE peer_cfg = ?", DB_INT, id, - DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, - DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); + DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_TEXT, DB_INT, + DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); if (e) { while ((child_cfg = build_child_cfg(this, e))) @@ -170,29 +209,65 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) } /** - * build a ike configuration from a SQL query + * Add IKE proposals to an IKE config + */ +static void add_ike_proposals(private_sql_config_t *this, + ike_cfg_t *ike_cfg, int id) +{ + enumerator_t *e; + proposal_t *proposal; + char *prop; + bool use_default = TRUE; + + e = this->db->query(this->db, + "SELECT proposal " + "FROM proposals JOIN ike_config_proposal ON id = prop " + "WHERE ike_cfg = ? ORDER BY prio", + DB_INT, id, DB_TEXT); + if (e) + { + while (e->enumerate(e, &prop)) + { + proposal = proposal_create_from_string(PROTO_IKE, prop); + if (!proposal) + { + DBG1(DBG_CFG, "could not create IKE proposal from '%s'", prop); + break; + } + ike_cfg->add_proposal(ike_cfg, proposal); + use_default = FALSE; + } + e->destroy(e); + } + if (use_default) + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + } +} + +/** + * Build an IKE config from an SQL query */ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e, host_t *my_host, host_t *other_host) { - int certreq, force_encap; + int id, certreq, force_encap; char *local, *remote; - while (e->enumerate(e, &certreq, &force_encap, &local, &remote)) + while (e->enumerate(e, &id, &certreq, &force_encap, &local, &remote)) { ike_cfg_t *ike_cfg; ike_cfg = ike_cfg_create(certreq, force_encap, local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT); - /* TODO: read proposal from db */ - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + add_ike_proposals(this, ike_cfg, id); return ike_cfg; } return NULL; } /** - * Query a IKE config by its id + * Query an IKE config by its id */ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) { @@ -200,10 +275,10 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) ike_cfg_t *ike_cfg = NULL; e = this->db->query(this->db, - "SELECT certreq, force_encap, local, remote " + "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs WHERE id = ?", DB_INT, id, - DB_INT, DB_INT, DB_TEXT, DB_TEXT); + DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); if (e) { ike_cfg = build_ike_cfg(this, e, NULL, NULL); @@ -246,7 +321,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) } /** - * build a peer configuration from a SQL query + * Build a peer config from an SQL query */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other) @@ -325,10 +400,8 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, return NULL; } -/** - * implements backend_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name) +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_sql_config_t *this, char *name) { enumerator_t *e; peer_cfg_t *peer_cfg = NULL; @@ -398,11 +471,8 @@ static void ike_enumerator_destroy(ike_enumerator_t *this) free(this); } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_sql_config_t *this, host_t *me, host_t *other) { ike_enumerator_t *e = malloc_thing(ike_enumerator_t); @@ -414,9 +484,9 @@ static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this, e->public.destroy = (void*)ike_enumerator_destroy; e->inner = this->db->query(this->db, - "SELECT certreq, force_encap, local, remote " + "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs", - DB_INT, DB_INT, DB_TEXT, DB_TEXT); + DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); if (!e->inner) { free(e); @@ -466,12 +536,8 @@ static void peer_enumerator_destroy(peer_enumerator_t *this) free(this); } -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this, - identification_t *me, - identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_sql_config_t *this, identification_t *me, identification_t *other) { peer_enumerator_t *e = malloc_thing(peer_enumerator_t); @@ -508,10 +574,8 @@ static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this, return &e->public; } -/** - * Implementation of sql_config_t.destroy. - */ -static void destroy(private_sql_config_t *this) +METHOD(sql_config_t, destroy, void, + private_sql_config_t *this) { free(this); } @@ -521,14 +585,19 @@ static void destroy(private_sql_config_t *this) */ sql_config_t *sql_config_create(database_t *db) { - private_sql_config_t *this = malloc_thing(private_sql_config_t); - - this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; - this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; - this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; - this->public.destroy = (void(*)(sql_config_t*))destroy; + private_sql_config_t *this; - this->db = db; + INIT(this, + .public = { + .backend = { + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .destroy = _destroy, + }, + .db = db + ); return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c index 12f4ab045..117eec921 100644 --- a/src/libcharon/plugins/sql/sql_cred.c +++ b/src/libcharon/plugins/sql/sql_cred.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -37,6 +38,7 @@ struct private_sql_cred_t { database_t *db; }; + /** * enumerator over private keys */ @@ -49,11 +51,8 @@ typedef struct { private_key_t *current; } private_enumerator_t; -/** - * Implementation of private_enumerator_t.public.enumerate - */ -static bool private_enumerator_enumerate(private_enumerator_t *this, - private_key_t **key) +METHOD(enumerator_t, private_enumerator_enumerate, bool, + private_enumerator_t *this, private_key_t **key) { chunk_t blob; int type; @@ -62,7 +61,7 @@ static bool private_enumerator_enumerate(private_enumerator_t *this, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, - BUILD_BLOB_ASN1_DER, blob, + BUILD_BLOB_PEM, blob, BUILD_END); if (this->current) { @@ -74,29 +73,25 @@ static bool private_enumerator_enumerate(private_enumerator_t *this, return FALSE; } -/** - * Implementation of private_enumerator_t.public.destroy - */ -static void private_enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, private_enumerator_destroy, void, + private_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_private_enumerator. - */ -static enumerator_t* create_private_enumerator(private_sql_cred_t *this, - key_type_t type, - identification_t *id) +METHOD(credential_set_t, create_private_enumerator, enumerator_t*, + private_sql_cred_t *this, key_type_t type, identification_t *id) { private_enumerator_t *e; - e = malloc_thing(private_enumerator_t); - e->current = NULL; - e->public.enumerate = (void*)private_enumerator_enumerate; - e->public.destroy = (void*)private_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_private_enumerator_enumerate, + .destroy = _private_enumerator_destroy, + }, + ); if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -123,6 +118,7 @@ static enumerator_t* create_private_enumerator(private_sql_cred_t *this, return &e->public; } + /** * enumerator over certificates */ @@ -135,11 +131,8 @@ typedef struct { certificate_t *current; } cert_enumerator_t; -/** - * Implementation of cert_enumerator_t.public.enumerate - */ -static bool cert_enumerator_enumerate(cert_enumerator_t *this, - certificate_t **cert) +METHOD(enumerator_t, cert_enumerator_enumerate, bool, + cert_enumerator_t *this, certificate_t **cert) { chunk_t blob; int type; @@ -148,7 +141,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, - BUILD_BLOB_ASN1_DER, blob, + BUILD_BLOB_PEM, blob, BUILD_END); if (this->current) { @@ -160,29 +153,26 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this, return FALSE; } -/** - * Implementation of cert_enumerator_t.public.destroy - */ -static void cert_enumerator_destroy(cert_enumerator_t *this) +METHOD(enumerator_t, cert_enumerator_destroy, void, + cert_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_cert_enumerator. - */ -static enumerator_t* create_cert_enumerator(private_sql_cred_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_sql_cred_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) { cert_enumerator_t *e; - e = malloc_thing(cert_enumerator_t); - e->current = NULL; - e->public.enumerate = (void*)cert_enumerator_enumerate; - e->public.destroy = (void*)cert_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_cert_enumerator_enumerate, + .destroy = _cert_enumerator_destroy, + }, + ); if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -213,6 +203,7 @@ static enumerator_t* create_cert_enumerator(private_sql_cred_t *this, return &e->public; } + /** * enumerator over shared keys */ @@ -229,12 +220,9 @@ typedef struct { shared_key_t *current; } shared_enumerator_t; -/** - * Implementation of shared_enumerator_t.public.enumerate - */ -static bool shared_enumerator_enumerate(shared_enumerator_t *this, - shared_key_t **shared, - id_match_t *me, id_match_t *other) +METHOD(enumerator_t, shared_enumerator_enumerate, bool, + shared_enumerator_t *this, shared_key_t **shared, + id_match_t *me, id_match_t *other) { chunk_t blob; int type; @@ -261,31 +249,28 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this, return FALSE; } -/** - * Implementation of shared_enumerator_t.public.destroy - */ -static void shared_enumerator_destroy(shared_enumerator_t *this) +METHOD(enumerator_t, shared_enumerator_destroy, void, + shared_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_shared_enumerator. - */ -static enumerator_t* create_shared_enumerator(private_sql_cred_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other) +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_sql_cred_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) { shared_enumerator_t *e; - e = malloc_thing(shared_enumerator_t); - e->me = me; - e->other = other; - e->current = NULL; - e->public.enumerate = (void*)shared_enumerator_enumerate; - e->public.destroy = (void*)shared_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_shared_enumerator_enumerate, + .destroy = _shared_enumerator_destroy, + }, + .me = me, + .other = other, + ); if (!me && !other) { e->inner = this->db->query(this->db, @@ -329,36 +314,141 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this, return &e->public; } + /** - * Implementation of credential_set_t.cache_cert. + * enumerator over CDPs */ -static void cache_cert(private_sql_cred_t *this, certificate_t *cert) +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner SQL enumerator */ + enumerator_t *inner; + /** currently enumerated string */ + char *current; +} cdp_enumerator_t; + +/** + * types of CDPs + */ +typedef enum { + /** any available CDP */ + CDP_TYPE_ANY = 0, + /** CRL */ + CDP_TYPE_CRL, + /** OCSP Responder */ + CDP_TYPE_OCSP, +} cdp_type_t; + +METHOD(enumerator_t, cdp_enumerator_enumerate, bool, + cdp_enumerator_t *this, char **uri) +{ + char *text; + + free(this->current); + while (this->inner->enumerate(this->inner, &text)) + { + *uri = this->current = strdup(text); + return TRUE; + } + this->current = NULL; + return FALSE; +} + +METHOD(enumerator_t, cdp_enumerator_destroy, void, + cdp_enumerator_t *this) +{ + free(this->current); + this->inner->destroy(this->inner); + free(this); +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_sql_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_enumerator_t *e; + cdp_type_t cdp_type; + + switch (type) + { /* we serve CRLs and OCSP responders */ + case CERT_X509_CRL: + cdp_type = CDP_TYPE_CRL; + break; + case CERT_X509_OCSP_RESPONSE: + cdp_type = CDP_TYPE_OCSP; + break; + case CERT_ANY: + cdp_type = CDP_TYPE_ANY; + break; + default: + return NULL; + } + INIT(e, + .public = { + .enumerate = (void*)_cdp_enumerator_enumerate, + .destroy = _cdp_enumerator_destroy, + }, + ); + if (id && id->get_type(id) != ID_ANY) + { + e->inner = this->db->query(this->db, + "SELECT dp.uri FROM certificate_distribution_points AS dp " + "JOIN certificate_authorities AS ca ON ca.id = dp.ca " + "JOIN certificates AS c ON c.id = ca.certificate " + "JOIN certificate_identity AS ci ON c.id = ci.certificate " + "JOIN identities AS i ON ci.identity = i.id " + "WHERE i.type = ? AND i.data = ? AND (? OR dp.type = ?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), + DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type, + DB_TEXT); + } + else + { + e->inner = this->db->query(this->db, + "SELECT dp.uri FROM certificate_distribution_points AS dp " + "WHERE (? OR dp.type = ?)", + DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type, + DB_TEXT); + } + if (!e->inner) + { + free(e); + return NULL; + } + return &e->public; +} + +METHOD(credential_set_t, cache_cert, void, + private_sql_cred_t *this, certificate_t *cert) { /* TODO: implement CRL caching to database */ } -/** - * Implementation of sql_cred_t.destroy. - */ -static void destroy(private_sql_cred_t *this) +METHOD(sql_cred_t, destroy, void, + private_sql_cred_t *this) { free(this); } + /** * Described in header. */ sql_cred_t *sql_cred_create(database_t *db) { - private_sql_cred_t *this = malloc_thing(private_sql_cred_t); - - this->public.set.create_private_enumerator = (void*)create_private_enumerator; - this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; - this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; - this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)cache_cert; - this->public.destroy = (void(*)(sql_cred_t*))destroy; - - this->db = db; + private_sql_cred_t *this; + + INIT(this, + .public = { + .set = { + .create_private_enumerator = _create_private_enumerator, + .create_cert_enumerator = _create_cert_enumerator, + .create_shared_enumerator = _create_shared_enumerator, + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = _cache_cert, + }, + .destroy = _destroy, + }, + .db = db, + ); return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c index 7b0a198d1..ad1eb91b1 100644 --- a/src/libcharon/plugins/sql/sql_plugin.c +++ b/src/libcharon/plugins/sql/sql_plugin.c @@ -53,10 +53,8 @@ struct private_sql_plugin_t { sql_logger_t *logger; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_sql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sql_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); lib->credmgr->remove_set(lib->credmgr, &this->cred->set); @@ -83,11 +81,15 @@ plugin_t *sql_plugin_create() return NULL; } - this = malloc_thing(private_sql_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .db = lib->db->create(lib->db, uri), + ); - this->db = lib->db->create(lib->db, uri); if (!this->db) { DBG1(DBG_CFG, "sql plugin failed to connect to database"); diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index 40888a40b..e561224e9 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -21,7 +21,6 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ - stroke_list.h stroke_list.c \ - stroke_shared_key.h stroke_shared_key.c + stroke_list.h stroke_list.c libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index e6e98838b..ccf3eeede 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -77,7 +77,7 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_stroke_la_LIBADD = am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \ stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \ - stroke_attribute.lo stroke_list.lo stroke_shared_key.lo + stroke_attribute.lo stroke_list.lo libstrongswan_stroke_la_OBJECTS = \ $(am_libstrongswan_stroke_la_OBJECTS) libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -292,8 +292,7 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ - stroke_list.h stroke_list.c \ - stroke_shared_key.h stroke_shared_key.c + stroke_list.h stroke_list.c libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am @@ -386,7 +385,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index 9a3ae0ab9..69e13deb9 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -113,6 +113,7 @@ static void ca_section_destroy(ca_section_t *this) this->crl->destroy_function(this->crl, free); this->ocsp->destroy_function(this->ocsp, free); this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); + this->cert->destroy(this->cert); free(this->certuribase); free(this->name); free(this); @@ -207,11 +208,8 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data return enumerator; } -/** - * Implementation of credential_set_t.create_cdp_enumerator. - */ -static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, - certificate_type_t type, identification_t *id) +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_stroke_ca_t *this, certificate_type_t type, identification_t *id) { cdp_data_t *data; @@ -235,10 +233,9 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp, data, (void*)cdp_data_destroy); } -/** - * Implementation of stroke_ca_t.add. - */ -static void add(private_stroke_ca_t *this, stroke_msg_t *msg) + +METHOD(stroke_ca_t, add, void, + private_stroke_ca_t *this, stroke_msg_t *msg) { certificate_t *cert; ca_section_t *ca; @@ -279,10 +276,8 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_ca_t.del. - */ -static void del(private_stroke_ca_t *this, stroke_msg_t *msg) +METHOD(stroke_ca_t, del, void, + private_stroke_ca_t *this, stroke_msg_t *msg) { enumerator_t *enumerator; ca_section_t *ca = NULL; @@ -336,10 +331,8 @@ static void list_uris(linked_list_t *list, char *label, FILE *out) enumerator->destroy(enumerator); } -/** - * Implementation of stroke_ca_t.check_for_hash_and_url. - */ -static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert) +METHOD(stroke_ca_t, check_for_hash_and_url, void, + private_stroke_ca_t *this, certificate_t* cert) { ca_section_t *section; enumerator_t *enumerator; @@ -376,10 +369,8 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer hasher->destroy(hasher); } -/** - * Implementation of stroke_ca_t.list. - */ -static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_ca_t, list, void, + private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) { bool first = TRUE; ca_section_t *section; @@ -426,10 +417,8 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) this->lock->unlock(this->lock); } -/** - * Implementation of stroke_ca_t.destroy - */ -static void destroy(private_stroke_ca_t *this) +METHOD(stroke_ca_t, destroy, void, + private_stroke_ca_t *this) { this->sections->destroy_function(this->sections, (void*)ca_section_destroy); this->lock->destroy(this->lock); @@ -441,22 +430,27 @@ static void destroy(private_stroke_ca_t *this) */ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) { - private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t); - - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)return_null; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator; - this->public.set.cache_cert = (void*)nop; - this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del; - this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list; - this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url; - this->public.destroy = (void(*)(stroke_ca_t*))destroy; - - this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->cred = cred; + private_stroke_ca_t *this; + + INIT(this, + .public = { + .set = { + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = (void*)nop, + }, + .add = _add, + .del = _del, + .list = _list, + .check_for_hash_and_url = _check_for_hash_and_url, + .destroy = _destroy, + }, + .sections = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .cred = cred, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 165212a5e..ea7d17592 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -53,12 +53,8 @@ struct private_stroke_config_t { stroke_cred_t *cred; }; -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this, - identification_t *me, - identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_stroke_config_t *this, identification_t *me, identification_t *other) { this->mutex->lock(this->mutex); return enumerator_create_cleaner(this->list->create_enumerator(this->list), @@ -74,11 +70,8 @@ static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) return TRUE; } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_stroke_config_t *this, host_t *me, host_t *other) { this->mutex->lock(this->mutex); return enumerator_create_filter(this->list->create_enumerator(this->list), @@ -86,10 +79,8 @@ static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, (void*)this->mutex->unlock); } -/** - * implements backend_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name) +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_stroke_config_t *this, char *name) { enumerator_t *e1, *e2; peer_cfg_t *current, *found = NULL; @@ -438,13 +429,38 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator->destroy(enumerator); } + /* certificatePolicies */ + if (end->cert_policy) + { + enumerator_t *enumerator; + char *policy; + + enumerator = enumerator_create_token(end->cert_policy, ",", " "); + while (enumerator->enumerate(enumerator, &policy)) + { + cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy)); + } + enumerator->destroy(enumerator); + } + /* authentication metod (class, actually) */ if (streq(auth, "pubkey") || - streq(auth, "rsasig") || streq(auth, "rsa") || - streq(auth, "ecdsasig") || streq(auth, "ecdsa")) + strneq(auth, "rsa", strlen("rsa")) || + strneq(auth, "ecdsa", strlen("ecdsa"))) { + u_int strength; + cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); build_crl_policy(cfg, local, msg->add_conn.crl_policy); + + if (sscanf(auth, "rsa-%d", &strength) == 1) + { + cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength); + } + if (sscanf(auth, "ecdsa-%d", &strength) == 1) + { + cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); + } } else if (streq(auth, "psk") || streq(auth, "secret")) { @@ -808,9 +824,9 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, child_cfg = child_cfg_create( msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, + msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp, msg->add_conn.inactivity, msg->add_conn.reqid, - &mark_in, &mark_out); + &mark_in, &mark_out, msg->add_conn.tfc); child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); @@ -821,10 +837,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, return child_cfg; } -/** - * Implementation of stroke_config_t.add. - */ -static void add(private_stroke_config_t *this, stroke_msg_t *msg) +METHOD(stroke_config_t, add, void, + private_stroke_config_t *this, stroke_msg_t *msg) { ike_cfg_t *ike_cfg, *existing_ike; peer_cfg_t *peer_cfg, *existing; @@ -884,10 +898,8 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_config_t.del. - */ -static void del(private_stroke_config_t *this, stroke_msg_t *msg) +METHOD(stroke_config_t, del, void, + private_stroke_config_t *this, stroke_msg_t *msg) { enumerator_t *enumerator, *children; peer_cfg_t *peer; @@ -938,10 +950,8 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_config_t.destroy - */ -static void destroy(private_stroke_config_t *this) +METHOD(stroke_config_t, destroy, void, + private_stroke_config_t *this) { this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy)); this->mutex->destroy(this->mutex); @@ -953,19 +963,24 @@ static void destroy(private_stroke_config_t *this) */ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) { - private_stroke_config_t *this = malloc_thing(private_stroke_config_t); - - this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; - this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; - this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; - this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del; - this->public.destroy = (void(*)(stroke_config_t*))destroy; - - this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->ca = ca; - this->cred = cred; + private_stroke_config_t *this; + + INIT(this, + .public = { + .backend = { + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .add = _add, + .del = _del, + .destroy = _destroy, + }, + .list = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + .ca = ca, + .cred = cred, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index e0398ba78..3541ab8f9 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -17,6 +17,8 @@ #include #include +#include +#include typedef struct private_stroke_control_t private_stroke_control_t; @@ -90,10 +92,8 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) return found; } -/** - * Implementation of stroke_control_t.initiate. - */ -static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, initiate, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -137,76 +137,89 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou } /** - * Implementation of stroke_control_t.terminate. + * Parse a terminate/rekey specifier */ -static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +static bool parse_specifier(char *string, u_int32_t *id, + char **name, bool *child, bool *all) { - char *string, *pos = NULL, *name = NULL; - u_int32_t id = 0; - bool child, all = FALSE; int len; - ike_sa_t *ike_sa; - enumerator_t *enumerator; - linked_list_t *ike_list, *child_list; - stroke_log_info_t info; - uintptr_t del; + char *pos = NULL; - string = msg->terminate.name; + *id = 0; + *name = NULL; + *all = FALSE; len = strlen(string); if (len < 1) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } switch (string[len-1]) { case '}': - child = TRUE; + *child = TRUE; pos = strchr(string, '{'); break; case ']': - child = FALSE; + *child = FALSE; pos = strchr(string, '['); break; default: - name = string; - child = FALSE; + *name = string; + *child = FALSE; break; } - if (name) + if (*name) { /* is a single name */ } else if (pos == string + len - 2) { /* is name[] or name{} */ string[len-2] = '\0'; - name = string; + *name = string; } else { if (!pos) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } if (*(pos + 1) == '*') { /* is name[*] */ - all = TRUE; + *all = TRUE; *pos = '\0'; - name = string; + *name = string; } else { /* is name[123] or name{23} */ - id = atoi(pos + 1); - if (id == 0) + *id = atoi(pos + 1); + if (*id == 0) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } } } + return TRUE; +} + +METHOD(stroke_control_t, terminate, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +{ + char *name; + u_int32_t id; + bool child, all; + ike_sa_t *ike_sa; + enumerator_t *enumerator; + linked_list_t *ike_list, *child_list; + stroke_log_info_t info; + uintptr_t del; + + if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) + { + DBG1(DBG_CFG, "error parsing specifier string"); + return; + } info.out = out; info.level = msg->output_verbosity; @@ -293,11 +306,68 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o child_list->destroy(child_list); } -/** - * Implementation of stroke_control_t.terminate_srcip. - */ -static void terminate_srcip(private_stroke_control_t *this, - stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, rekey, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +{ + char *name; + u_int32_t id; + bool child, all, finished = FALSE; + ike_sa_t *ike_sa; + enumerator_t *enumerator; + + if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) + { + DBG1(DBG_CFG, "error parsing specifier string"); + return; + } + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + child_sa_t *child_sa; + iterator_t *children; + + if (child) + { + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if ((name && streq(name, child_sa->get_name(child_sa))) || + (id && id == child_sa->get_reqid(child_sa))) + { + lib->processor->queue_job(lib->processor, + (job_t*)rekey_child_sa_job_create( + child_sa->get_reqid(child_sa), + child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE))); + if (!all) + { + finished = TRUE; + break; + } + } + } + children->destroy(children); + } + else if ((name && streq(name, ike_sa->get_name(ike_sa))) || + (id && id == ike_sa->get_unique_id(ike_sa))) + { + lib->processor->queue_job(lib->processor, + (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE)); + if (!all) + { + finished = TRUE; + } + } + if (finished) + { + break; + } + } + enumerator->destroy(enumerator); +} + +METHOD(stroke_control_t, terminate_srcip, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -362,10 +432,8 @@ static void terminate_srcip(private_stroke_control_t *this, DESTROY_IF(end); } -/** - * Implementation of stroke_control_t.purge_ike - */ -static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, purge_ike, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; iterator_t *iterator; @@ -402,10 +470,8 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o list->destroy(list); } -/** - * Implementation of stroke_control_t.route. - */ -static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, route, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -443,10 +509,8 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) child_cfg->destroy(child_cfg); } -/** - * Implementation of stroke_control_t.unroute. - */ -static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, unroute, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { child_sa_t *child_sa; enumerator_t *enumerator; @@ -468,10 +532,8 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out fprintf(out, "configuration '%s' not found\n", msg->unroute.name); } -/** - * Implementation of stroke_control_t.destroy - */ -static void destroy(private_stroke_control_t *this) +METHOD(stroke_control_t, destroy, void, + private_stroke_control_t *this) { free(this); } @@ -481,15 +543,20 @@ static void destroy(private_stroke_control_t *this) */ stroke_control_t *stroke_control_create() { - private_stroke_control_t *this = malloc_thing(private_stroke_control_t); - - this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate; - this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate; - this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip; - this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike; - this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route; - this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute; - this->public.destroy = (void(*)(stroke_control_t*))destroy; + private_stroke_control_t *this; + + INIT(this, + .public = { + .initiate = _initiate, + .terminate = _terminate, + .terminate_srcip = _terminate_srcip, + .rekey = _rekey, + .purge_ike = _purge_ike, + .route = _route, + .unroute = _unroute, + .destroy = _destroy, + }, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_control.h b/src/libcharon/plugins/stroke/stroke_control.h index 9b49bdc31..869aab3d3 100644 --- a/src/libcharon/plugins/stroke/stroke_control.h +++ b/src/libcharon/plugins/stroke/stroke_control.h @@ -53,6 +53,13 @@ struct stroke_control_t { */ void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); + /** + * Rekey a connection. + * + * @param msg stroke message + */ + void (*rekey)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); + /** * Delete IKE_SAs without a CHILD_SA. * diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 91e71f1f4..83e5a9ad6 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -25,7 +25,6 @@ #include #include "stroke_cred.h" -#include "stroke_shared_key.h" #include #include @@ -64,24 +63,9 @@ struct private_stroke_cred_t { stroke_cred_t public; /** - * list of trusted peer/signer/CA certificates (certificate_t) + * credentials */ - linked_list_t *certs; - - /** - * list of shared secrets (private_shared_key_t) - */ - linked_list_t *shared; - - /** - * list of private keys (private_key_t) - */ - linked_list_t *private; - - /** - * read-write lock to lists - */ - rwlock_t *lock; + mem_cred_t *creds; /** * cache CRLs to disk? @@ -89,237 +73,6 @@ struct private_stroke_cred_t { bool cachecrl; }; -/** - * data to pass to various filters - */ -typedef struct { - private_stroke_cred_t *this; - identification_t *id; - certificate_type_t cert; - key_type_t key; -} id_data_t; - -/** - * destroy id enumerator data and unlock list - */ -static void id_data_destroy(id_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for private key enumerator - */ -static bool private_filter(id_data_t *data, - private_key_t **in, private_key_t **out) -{ - private_key_t *key; - - key = *in; - if (data->key == KEY_ANY || data->key == key->get_type(key)) - { - if (data->id == NULL) - { - *out = key; - return TRUE; - } - if (key->has_fingerprint(key, data->id->get_encoding(data->id))) - { - *out = key; - return TRUE; - } - } - return FALSE; -} - -/** - * Implements credential_set_t.create_private_enumerator - */ -static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, - key_type_t type, identification_t *id) -{ - id_data_t *data; - - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - data->key = type; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->private->create_enumerator(this->private), - (void*)private_filter, data, - (void*)id_data_destroy); -} - -/** - * filter function for certs enumerator - */ -static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out) -{ - public_key_t *public; - certificate_t *cert = *in; - - if (data->cert != CERT_ANY && data->cert != cert->get_type(cert)) - { - return FALSE; - } - if (data->id == NULL || cert->has_subject(cert, data->id)) - { - *out = *in; - return TRUE; - } - - public = cert->get_public_key(cert); - if (public) - { - if (data->key == KEY_ANY || data->key != public->get_type(public)) - { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) - { - public->destroy(public); - *out = *in; - return TRUE; - } - } - public->destroy(public); - } - return FALSE; -} - -/** - * Implements credential_set_t.create_cert_enumerator - */ -static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - id_data_t *data; - - if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC)) - { - return NULL; - } - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - data->cert = cert; - data->key = key; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->certs->create_enumerator(this->certs), - (void*)certs_filter, data, - (void*)id_data_destroy); -} - -typedef struct { - private_stroke_cred_t *this; - identification_t *me; - identification_t *other; - shared_key_type_t type; -} shared_data_t; - -/** - * free shared key enumerator data and unlock list - */ -static void shared_data_destroy(shared_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for certs enumerator - */ -static bool shared_filter(shared_data_t *data, - stroke_shared_key_t **in, shared_key_t **out, - void **unused1, id_match_t *me, - void **unused2, id_match_t *other) -{ - id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; - stroke_shared_key_t *stroke = *in; - shared_key_t *shared = &stroke->shared; - - if (data->type != SHARED_ANY && shared->get_type(shared) != data->type) - { - return FALSE; - } - - if (data->me) - { - my_match = stroke->has_owner(stroke, data->me); - } - if (data->other) - { - other_match = stroke->has_owner(stroke, data->other); - } - if ((data->me || data->other) && (!my_match && !other_match)) - { - return FALSE; - } - *out = shared; - if (me) - { - *me = my_match; - } - if (other) - { - *other = other_match; - } - return TRUE; -} - -/** - * Implements credential_set_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) -{ - shared_data_t *data = malloc_thing(shared_data_t); - - data->this = this; - data->me = me; - data->other = other; - data->type = type; - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->shared->create_enumerator(this->shared), - (void*)shared_filter, data, - (void*)shared_data_destroy); -} - -/** - * Add a certificate to chain - */ -static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) -{ - certificate_t *current; - enumerator_t *enumerator; - bool new = TRUE; - - this->lock->read_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->equals(current, cert)) - { - /* cert already in queue */ - cert->destroy(cert); - cert = current; - new = FALSE; - break; - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - this->lock->unlock(this->lock); - return cert; -} - /** * Implementation of stroke_cred_t.load_ca. */ @@ -352,84 +105,11 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) cert->destroy(cert); return NULL; } - return (certificate_t*)add_cert(this, cert); + return this->creds->add_cert_ref(this->creds, TRUE, cert); } return NULL; } -/** - * Add X.509 CRL to chain - */ -static bool add_crl(private_stroke_cred_t *this, crl_t* crl) -{ - certificate_t *current, *cert = &crl->certificate; - enumerator_t *enumerator; - bool new = TRUE, found = FALSE; - - this->lock->write_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->get_type(current) == CERT_X509_CRL) - { - crl_t *crl_c = (crl_t*)current; - chunk_t authkey = crl->get_authKeyIdentifier(crl); - chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); - - /* if compare authorityKeyIdentifiers if available */ - if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c)) - { - found = TRUE; - } - else - { - identification_t *issuer = cert->get_issuer(cert); - identification_t *issuer_c = current->get_issuer(current); - - /* otherwise compare issuer distinguished names */ - if (issuer->equals(issuer, issuer_c)) - { - found = TRUE; - } - } - if (found) - { - new = crl_is_newer(crl, crl_c); - if (new) - { - this->certs->remove_at(this->certs, enumerator); - } - else - { - cert->destroy(cert); - } - break; - } - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - this->lock->unlock(this->lock); - return new; -} - -/** - * Add X.509 attribute certificate to chain - */ -static bool add_ac(private_stroke_cred_t *this, ac_t* ac) -{ - certificate_t *cert = &ac->certificate; - - this->lock->write_lock(this->lock); - this->certs->insert_last(this->certs, cert); - this->lock->unlock(this->lock); - return TRUE; -} - /** * Implementation of stroke_cred_t.load_peer. */ @@ -453,10 +133,10 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename) BUILD_END); if (cert) { - cert = add_cert(this, cert); + cert = this->creds->add_cert_ref(this->creds, TRUE, cert); DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", cert->get_subject(cert), filename); - return cert->get_ref(cert); + return cert; } DBG1(DBG_CFG, " loading certificate from '%s' failed", filename); return NULL; @@ -511,8 +191,8 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } else { - DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", - cert->get_subject(cert), file); + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" " + "from '%s'", cert->get_subject(cert), file); } } else @@ -540,7 +220,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } if (cert) { - add_cert(this, cert); + this->creds->add_cert(this->creds, TRUE, cert); } break; case CERT_X509_CRL: @@ -550,7 +230,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { - add_crl(this, (crl_t*)cert); + this->creds->add_crl(this->creds, (crl_t*)cert); DBG1(DBG_CFG, " loaded crl from '%s'", file); } else @@ -565,7 +245,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { - add_ac(this, (ac_t*)cert); + this->creds->add_cert(this->creds, FALSE, cert); DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file); } @@ -593,7 +273,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) crl_t *crl = (crl_t*)cert; cert->get_ref(cert); - if (add_crl(this, crl)) + if (this->creds->add_crl(this->creds, crl)) { char buf[BUF_LEN]; chunk_t chunk, hex; @@ -914,7 +594,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, } /* unlock: smartcard needs the pin and potentially calls public set */ - this->lock->unlock(this->lock); switch (format) { case SC_FORMAT_SLOT_MODULE_KEYID: @@ -936,7 +615,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, BUILD_PKCS11_KEYID, chunk, BUILD_END); break; } - this->lock->write_lock(this->lock); if (mem) { lib->credmgr->remove_local_set(lib->credmgr, &mem->set); @@ -951,7 +629,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, if (key) { DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); - this->private->insert_last(this->private, key); + this->creds->add_key(this->creds, key); } return TRUE; } @@ -1022,11 +700,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set); - /* unlock, as the builder might ask for a secret */ - this->lock->unlock(this->lock); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); - this->lock->write_lock(this->lock); lib->credmgr->remove_local_set(lib->credmgr, &cb->set); cb->destroy(cb); @@ -1042,11 +717,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, mem->add_shared(mem, shared, NULL); lib->credmgr->add_local_set(lib->credmgr, &mem->set); - /* unlock, as the builder might ask for a secret */ - this->lock->unlock(this->lock); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); - this->lock->write_lock(this->lock); lib->credmgr->remove_local_set(lib->credmgr, &mem->set); mem->destroy(mem); @@ -1055,7 +727,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, { DBG1(DBG_CFG, " loaded %N private key from '%s'", key_type_names, key->get_type(key), path); - this->private->insert_last(this->private, key); + this->creds->add_key(this->creds, key); } else { @@ -1070,7 +742,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, shared_key_type_t type, chunk_t ids) { - stroke_shared_key_t *shared_key; + shared_key_t *shared_key; + linked_list_t *owners; chunk_t secret = chunk_empty; bool any = TRUE; @@ -1080,12 +753,12 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); return FALSE; } - shared_key = stroke_shared_key_create(type, secret); + shared_key = shared_key_create(type, secret); DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, ids.len > 0 ? (char*)ids.ptr : "%any"); DBG4(DBG_CFG, " secret: %#B", &secret); - this->shared->insert_last(this->shared, shared_key); + owners = linked_list_create(); while (ids.len > 0) { chunk_t id; @@ -1111,14 +784,15 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, continue; } - shared_key->add_owner(shared_key, peer_id); + owners->insert_last(owners, peer_id); any = FALSE; } if (any) { - shared_key->add_owner(shared_key, + owners->insert_last(owners, identification_create_from_encoding(ID_ANY, chunk_empty)); } + this->creds->add_shared_list(this->creds, shared_key, owners); return TRUE; } @@ -1130,8 +804,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, { int line_nr = 0, fd; chunk_t src, line; - private_key_t *private; - shared_key_t *shared; struct stat sb; void *addr; @@ -1160,20 +832,8 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, src = chunk_create(addr, sb.st_size); if (level == 0) - { - this->lock->write_lock(this->lock); - - /* flush secrets on non-recursive invocation */ - while (this->shared->remove_last(this->shared, - (void**)&shared) == SUCCESS) - { - shared->destroy(shared); - } - while (this->private->remove_last(this->private, - (void**)&private) == SUCCESS) - { - private->destroy(private); - } + { /* flush secrets on non-recursive invocation */ + this->creds->clear_secrets(this->creds); } while (fetchline(&src, &line)) @@ -1234,7 +894,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) { DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); - globfree(&buf); } else { @@ -1302,10 +961,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, break; } } - if (level == 0) - { - this->lock->unlock(this->lock); - } munmap(addr, sb.st_size); close(fd); } @@ -1384,10 +1039,8 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt) */ static void destroy(private_stroke_cred_t *this) { - this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); - this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy)); - this->private->destroy_offset(this->private, offsetof(private_key_t, destroy)); - this->lock->destroy(this->lock); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); free(this); } @@ -1398,9 +1051,9 @@ stroke_cred_t *stroke_cred_create() { private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t); - this->public.set.create_private_enumerator = (void*)create_private_enumerator; - this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; - this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; + this->public.set.create_private_enumerator = (void*)return_null; + this->public.set.create_cert_enumerator = (void*)return_null; + this->public.set.create_shared_enumerator = (void*)return_null; this->public.set.create_cdp_enumerator = (void*)return_null; this->public.set.cache_cert = (void*)cache_cert; this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread; @@ -1409,10 +1062,8 @@ stroke_cred_t *stroke_cred_create() this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl; this->public.destroy = (void(*)(stroke_cred_t*))destroy; - this->certs = linked_list_create(); - this->shared = linked_list_create(); - this->private = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); load_certs(this); load_secrets(this, SECRETS_FILE, 0, NULL); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 86deea490..36311f092 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -388,10 +388,8 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator->destroy(enumerator); } -/** - * Implementation of stroke_list_t.status. - */ -static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) +METHOD(stroke_list_t, status, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) { enumerator_t *enumerator, *children; ike_cfg_t *ike_cfg; @@ -756,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, enumerator_t *enumerator; identification_t *altName; bool first_altName = TRUE; - int pathlen; + u_int pathlen; chunk_t serial, authkey; time_t notBefore, notAfter; public_key_t *public; @@ -836,10 +834,10 @@ static void stroke_list_certs(linked_list_t *list, char *label, } /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + pathlen = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen != X509_NO_CONSTRAINT) { - fprintf(out, " pathlen: %d\n", pathlen); + fprintf(out, " pathlen: %u\n", pathlen); } /* list optional ipAddrBlocks */ @@ -979,6 +977,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) { fprintf(out, " serial: %#B\n", &chunk); } + if (crl->is_delta_crl(crl, &chunk)) + { + fprintf(out, " delta for: %#B\n", &chunk); + } /* count the number of revoked certificates */ { @@ -1059,6 +1061,25 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) enumerator->destroy(enumerator); } +/** + * Print the name of an algorithm plus the name of the plugin that registered it + */ +static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type, + const char *plugin_name) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + fprintf(out, "\n "); + *len = 13; + } + fprintf(out, "%s", alg_name); + *len += alg_name_len; +} + /** * List of registered cryptographical algorithms */ @@ -1070,58 +1091,73 @@ static void list_algs(FILE *out) hash_algorithm_t hash; pseudo_random_function_t prf; diffie_hellman_group_t group; + rng_quality_t quality; + const char *plugin_name; + int len; fprintf(out, "\n"); fprintf(out, "List of registered IKEv2 Algorithms:\n"); - fprintf(out, "\n encryption: "); + fprintf(out, "\n encryption:"); + len = 13; enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - fprintf(out, "%N ", encryption_algorithm_names, encryption); + print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n integrity: "); + fprintf(out, "\n integrity: "); + len = 13; enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity)) + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { - fprintf(out, "%N ", integrity_algorithm_names, integrity); + print_alg(out, &len, integrity_algorithm_names, integrity, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n aead: "); + fprintf(out, "\n aead: "); + len = 13; enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - fprintf(out, "%N ", encryption_algorithm_names, encryption); + print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n hasher: "); + fprintf(out, "\n hasher: "); + len = 13; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &hash)) + while (enumerator->enumerate(enumerator, &hash, &plugin_name)) { - fprintf(out, "%N ", hash_algorithm_names, hash); + print_alg(out, &len, hash_algorithm_names, hash, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n prf: "); + fprintf(out, "\n prf: "); + len = 13; enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf)) + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { - fprintf(out, "%N ", pseudo_random_function_names, prf); + print_alg(out, &len, pseudo_random_function_names, prf, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n dh-group: "); + fprintf(out, "\n dh-group: "); + len = 13; enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group)) + while (enumerator->enumerate(enumerator, &group, &plugin_name)) { - fprintf(out, "%N ", diffie_hellman_group_names, group); + print_alg(out, &len, diffie_hellman_group_names, group, plugin_name); + } + enumerator->destroy(enumerator); + fprintf(out, "\n random-gen:"); + len = 13; + enumerator = lib->crypto->create_rng_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &quality, &plugin_name)) + { + print_alg(out, &len, rng_quality_names, quality, plugin_name); } enumerator->destroy(enumerator); fprintf(out, "\n"); } -/** - * Implementation of stroke_list_t.list. - */ -static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_list_t, list, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) { linked_list_t *cert_list = NULL; @@ -1224,10 +1260,8 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, } } -/** - * Implementation of stroke_list_t.leases - */ -static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_list_t, leases, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; u_int size, offline, online; @@ -1264,10 +1298,8 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) DESTROY_IF(address); } -/** - * Implementation of stroke_list_t.destroy - */ -static void destroy(private_stroke_list_t *this) +METHOD(stroke_list_t, destroy, void, + private_stroke_list_t *this) { free(this); } @@ -1277,15 +1309,19 @@ static void destroy(private_stroke_list_t *this) */ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) { - private_stroke_list_t *this = malloc_thing(private_stroke_list_t); - - this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list; - this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status; - this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases; - this->public.destroy = (void(*)(stroke_list_t*))destroy; - - this->uptime = time_monotonic(NULL); - this->attribute = attribute; + private_stroke_list_t *this; + + INIT(this, + .public = { + + .list = _list, + .status = _status, + .leases = _leases, + .destroy = _destroy, + }, + .uptime = time_monotonic(NULL), + .attribute = attribute, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 4361e5050..2e83d0d28 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -36,10 +36,8 @@ struct private_stroke_plugin_t { stroke_socket_t *socket; }; -/** - * Implementation of stroke_plugin_t.destroy - */ -static void destroy(private_stroke_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_stroke_plugin_t *this) { this->socket->destroy(this->socket); free(this); @@ -50,11 +48,17 @@ static void destroy(private_stroke_plugin_t *this) */ plugin_t *stroke_plugin_create() { - private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t); + private_stroke_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .socket = stroke_socket_create(), + ); - this->socket = stroke_socket_create(); if (this->socket == NULL) { free(this); diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.c b/src/libcharon/plugins/stroke/stroke_shared_key.c deleted file mode 100644 index 4f716e83a..000000000 --- a/src/libcharon/plugins/stroke/stroke_shared_key.c +++ /dev/null @@ -1,140 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_shared_key.h" - -#include - -typedef struct private_stroke_shared_key_t private_stroke_shared_key_t; - -/** - * private data of shared_key - */ -struct private_stroke_shared_key_t { - - /** - * implements shared_key_t - */ - stroke_shared_key_t public; - - /** - * type of this key - */ - shared_key_type_t type; - - /** - * data of the key - */ - chunk_t key; - - /** - * list of key owners, as identification_t - */ - linked_list_t *owners; - - /** - * reference counter - */ - refcount_t ref; -}; - -/** - * Implementation of shared_key_t.get_type. - */ -static shared_key_type_t get_type(private_stroke_shared_key_t *this) -{ - return this->type; -} - -/** - * Implementation of shared_key_t.get_ref. - */ -static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this) -{ - ref_get(&this->ref); - return this; -} - -/** - * Implementation of shared_key_t.get_key. - */ -static chunk_t get_key(private_stroke_shared_key_t *this) -{ - return this->key; -} - -/** - * Implementation of stroke_shared_key_t.has_owner. - */ -static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner) -{ - enumerator_t *enumerator; - id_match_t match, best = ID_MATCH_NONE; - identification_t *current; - - enumerator = this->owners->create_enumerator(this->owners); - while (enumerator->enumerate(enumerator, ¤t)) - { - match = owner->matches(owner, current); - if (match > best) - { - best = match; - } - } - enumerator->destroy(enumerator); - return best; -} -/** - * Implementation of stroke_shared_key_t.add_owner. - */ -static void add_owner(private_stroke_shared_key_t *this, identification_t *owner) -{ - this->owners->insert_last(this->owners, owner); -} - -/** - * Implementation of stroke_shared_key_t.destroy - */ -static void destroy(private_stroke_shared_key_t *this) -{ - if (ref_put(&this->ref)) - { - this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy)); - chunk_free(&this->key); - free(this); - } -} - -/** - * create a shared key - */ -stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key) -{ - private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t); - - this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type; - this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key; - this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref; - this->public.shared.destroy = (void(*)(shared_key_t*))destroy; - this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner; - this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner; - - this->owners = linked_list_create(); - this->type = type; - this->key = key; - this->ref = 1; - - return &this->public; -} diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.h b/src/libcharon/plugins/stroke/stroke_shared_key.h deleted file mode 100644 index 05ad55083..000000000 --- a/src/libcharon/plugins/stroke/stroke_shared_key.h +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup stroke_shared_key stroke_shared_key - * @{ @ingroup stroke - */ - -#ifndef STROKE_SHARED_KEY_H_ -#define STROKE_SHARED_KEY_H_ - -#include -#include - -typedef struct stroke_shared_key_t stroke_shared_key_t; - -/** - * Shared key implementation for keys read from ipsec.secrets - */ -struct stroke_shared_key_t { - - /** - * Implements the shared_key_t interface. - */ - shared_key_t shared; - - /** - * Add an owner to the key. - * - * @param owner owner to add - */ - void (*add_owner)(stroke_shared_key_t *this, identification_t *owner); - - /** - * Check if a key has a specific owner. - * - * @param owner owner to check - * @return best match found - */ - id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner); -}; - -/** - * Create a stroke_shared_key instance. - */ -stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key); - -#endif /** STROKE_SHARED_KEY_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 0a5110fd3..18e77905d 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) pop_string(msg, &end->ca); pop_string(msg, &end->ca2); pop_string(msg, &end->groups); + pop_string(msg, &end->cert_policy); pop_string(msg, &end->updown); DBG2(DBG_CFG, " %s=%s", label, end->address); @@ -245,6 +246,17 @@ static void stroke_terminate_srcip(private_stroke_socket_t *this, this->control->terminate_srcip(this->control, msg, out); } +/** + * rekey a connection by name/id + */ +static void stroke_rekey(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) +{ + pop_string(msg, &msg->terminate.name); + DBG1(DBG_CFG, "received stroke: rekey '%s'", msg->rekey.name); + + this->control->rekey(this->control, msg, out); +} + /** * route a policy (install SPD entries) */ @@ -348,6 +360,14 @@ static void stroke_purge(private_stroke_socket_t *this, { lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE); } + if (msg->purge.flags & PURGE_CRLS) + { + lib->credmgr->flush_cache(lib->credmgr, CERT_X509_CRL); + } + if (msg->purge.flags & PURGE_CERTS) + { + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); + } if (msg->purge.flags & PURGE_IKE) { this->control->purge_ike(this->control, msg, out); @@ -510,6 +530,9 @@ static job_requeue_t process(stroke_job_context_t *ctx) case STR_TERMINATE_SRCIP: stroke_terminate_srcip(this, msg, out); break; + case STR_REKEY: + stroke_rekey(this, msg, out); + break; case STR_STATUS: stroke_status(this, msg, out, FALSE); break; diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am index ca8869460..2c551813e 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.am +++ b/src/libcharon/plugins/tnc_imc/Makefile.am @@ -1,11 +1,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imc_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imc.la else @@ -13,7 +11,8 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imc.la endif libstrongswan_tnc_imc_la_SOURCES = \ - tnc_imc_plugin.h tnc_imc_plugin.c + tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ + tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in index 9a8794e93..dc44408ff 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.in +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -74,8 +74,9 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnc_imc_la_DEPENDENCIES = -am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo +libstrongswan_tnc_imc_la_LIBADD = +am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \ + tnc_imc_manager.lo tnc_imc_bind_function.lo libstrongswan_tnc_imc_la_OBJECTS = \ $(am_libstrongswan_tnc_imc_la_OBJECTS) libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -221,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -273,14 +274,14 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imc_la_LIBADD = -ltnc @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la libstrongswan_tnc_imc_la_SOURCES = \ - tnc_imc_plugin.h tnc_imc_plugin.c + tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ + tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version all: all-am @@ -366,6 +367,9 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_bind_function.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c new file mode 100644 index 000000000..174084436 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c @@ -0,0 +1,207 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc.h" + +#include + +#include +#include + +typedef struct private_tnc_imc_t private_tnc_imc_t; + +/** + * Private data of an imv_t object. + */ +struct private_tnc_imc_t { + + /** + * Public members of imc_t. + */ + imc_t public; + + /** + * Path of loaded IMC + */ + char *path; + + /** + * Name of loaded IMC + */ + char *name; + + /** + * Handle of loaded IMC + */ + void *handle; + + /** + * ID of loaded IMC + */ + TNC_IMCID id; + + /** + * List of message types supported by IMC + */ + TNC_MessageTypeList supported_types; + + /** + * Number of supported message types + */ + TNC_UInt32 type_count; +}; + +METHOD(imc_t, set_id, void, + private_tnc_imc_t *this, TNC_IMCID id) +{ + this->id = id; +} + +METHOD(imc_t, get_id, TNC_IMCID, + private_tnc_imc_t *this) +{ + return this->id; +} + +METHOD(imc_t, get_name, char*, + private_tnc_imc_t *this) +{ + return this->name; +} + +METHOD(imc_t, set_message_types, void, + private_tnc_imc_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + /* Free an existing MessageType list */ + free(this->supported_types); + this->supported_types = NULL; + + /* Store the new MessageType list */ + this->type_count = type_count; + if (type_count && supported_types) + { + size_t size = type_count * sizeof(TNC_MessageType); + + this->supported_types = malloc(size); + memcpy(this->supported_types, supported_types, size); + } + DBG2(DBG_TNC, "IMC %u supports %u message types", this->id, type_count); +} + +METHOD(imc_t, type_supported, bool, + private_tnc_imc_t *this, TNC_MessageType message_type) +{ + TNC_VendorID msg_vid, vid; + TNC_MessageSubtype msg_subtype, subtype; + int i; + + msg_vid = (message_type >> 8) & TNC_VENDORID_ANY; + msg_subtype = message_type & TNC_SUBTYPE_ANY; + + for (i = 0; i < this->type_count; i++) + { + vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY; + subtype = this->supported_types[i] & TNC_SUBTYPE_ANY; + + if (this->supported_types[i] == message_type + || (subtype == TNC_SUBTYPE_ANY + && (msg_vid == vid || vid == TNC_VENDORID_ANY)) + || (vid == TNC_VENDORID_ANY + && (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY))) + { + return TRUE; + } + } + return FALSE; +} + +METHOD(imc_t, destroy, void, + private_tnc_imc_t *this) +{ + dlclose(this->handle); + free(this->supported_types); + free(this->name); + free(this->path); + free(this); +} + +/** + * Described in header. + */ +imc_t* tnc_imc_create(char *name, char *path) +{ + private_tnc_imc_t *this; + + INIT(this, + .public = { + .set_id = _set_id, + .get_id = _get_id, + .get_name = _get_name, + .set_message_types = _set_message_types, + .type_supported = _type_supported, + .destroy = _destroy, + }, + .name = name, + .path = path, + ); + + this->handle = dlopen(path, RTLD_LAZY); + if (!this->handle) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror()); + free(this); + return NULL; + } + + this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize"); + if (!this->public.initialize) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.notify_connection_change = + dlsym(this->handle, "TNC_IMC_NotifyConnectionChange"); + this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake"); + if (!this->public.begin_handshake) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.receive_message = + dlsym(this->handle, "TNC_IMC_ReceiveMessage"); + this->public.batch_ending = + dlsym(this->handle, "TNC_IMC_BatchEnding"); + this->public.terminate = + dlsym(this->handle, "TNC_IMC_Terminate"); + this->public.provide_bind_function = + dlsym(this->handle, "TNC_IMC_ProvideBindFunction"); + if (!this->public.provide_bind_function) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h new file mode 100644 index 000000000..10a67f90b --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imc_t tnc_imc + * @{ @ingroup tnc_imc + */ + +#ifndef TNC_IMC_H_ +#define TNC_IMC_H_ + +#include + +/** + * Create an Integrity Measurement Collector. + * + * @param name name of the IMC + * @param filename path to the dynamic IMC library + * @return instance of the imc_t interface + */ +imc_t* tnc_imc_create(char *name, char *filename); + +#endif /** TNC_IMC_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c new file mode 100644 index 000000000..e18f1b006 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c @@ -0,0 +1,83 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc.h" + +#include +#include + +#define TNC_IMVID_ANY 0xffff + +/** + * Called by the IMC to inform a TNCC about the set of message types the IMC + * is able to receive + */ +TNC_Result TNC_TNCC_ReportMessageTypes(TNC_IMCID imc_id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + return charon->imcs->set_message_types(charon->imcs, imc_id, + supported_types, type_count); +} + +/** + * Called by the IMC to ask a TNCC to retry an Integrity Check Handshake + */ +TNC_Result TNC_TNCC_RequestHandshakeRetry(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_RetryReason reason) +{ + return charon->tnccs->request_handshake_retry(charon->tnccs, TRUE, imc_id, + connection_id, reason); +} + +/** + * Called by the IMC when an IMC-IMV message is to be sent + */ +TNC_Result TNC_TNCC_SendMessage(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + return charon->tnccs->send_message(charon->tnccs, imc_id, TNC_IMVID_ANY, + connection_id, msg, msg_len, msg_type); +} + +/** + * Called by the IMC when it needs a function pointer + */ +TNC_Result TNC_TNCC_BindFunction(TNC_IMCID id, + char *function_name, + void **function_pointer) +{ + if (streq(function_name, "TNC_TNCC_ReportMessageTypes")) + { + *function_pointer = (void*)TNC_TNCC_ReportMessageTypes; + } + else if (streq(function_name, "TNC_TNCC_RequestHandshakeRetry")) + { + *function_pointer = (void*)TNC_TNCC_RequestHandshakeRetry; + } + else if (streq(function_name, "TNC_TNCC_SendMessage")) + { + *function_pointer = (void*)TNC_TNCC_SendMessage; + } + else + { + return TNC_RESULT_INVALID_PARAMETER; + } + return TNC_RESULT_SUCCESS; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c new file mode 100644 index 000000000..aa20534f5 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c @@ -0,0 +1,238 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc_manager.h" + +#include +#include + +#include +#include +#include + +typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t; + +/** + * Private data of an imc_manager_t object. + */ +struct private_tnc_imc_manager_t { + + /** + * Public members of imc_manager_t. + */ + imc_manager_t public; + + /** + * Linked list of IMCs + */ + linked_list_t *imcs; + + /** + * Next IMC ID to be assigned + */ + TNC_IMCID next_imc_id; +}; + +METHOD(imc_manager_t, add, bool, + private_tnc_imc_manager_t *this, imc_t *imc) +{ + TNC_Version version; + + /* Initialize the module */ + imc->set_id(imc, this->next_imc_id); + if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1, + TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc)); + return FALSE; + } + this->imcs->insert_last(this->imcs, imc); + this->next_imc_id++; + + if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction) + != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function", + imc->get_name(imc)); + this->imcs->remove_last(this->imcs, (void**)&imc); + return FALSE; + } + + return TRUE; +} + +METHOD(imc_manager_t, remove_, imc_t*, + private_tnc_imc_manager_t *this, TNC_IMCID id) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (id == imc->get_id(imc)) + { + this->imcs->remove_at(this->imcs, enumerator); + return imc; + } + } + enumerator->destroy(enumerator); + return NULL; +} + +METHOD(imc_manager_t, get_preferred_language, char*, + private_tnc_imc_manager_t *this) +{ + return lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.preferred_language", "en"); +} + +METHOD(imc_manager_t, notify_connection_change, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id, + TNC_ConnectionState state) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->notify_connection_change) + { + imc->notify_connection_change(imc->get_id(imc), id, state); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, begin_handshake, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + imc->begin_handshake(imc->get_id(imc), id); + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, set_message_types, TNC_Result, + private_tnc_imc_manager_t *this, TNC_IMCID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + enumerator_t *enumerator; + imc_t *imc; + TNC_Result result = TNC_RESULT_FATAL; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (id == imc->get_id(imc)) + { + imc->set_message_types(imc, supported_types, type_count); + result = TNC_RESULT_SUCCESS; + break; + } + } + enumerator->destroy(enumerator); + return result; +} + +METHOD(imc_manager_t, receive_message, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->receive_message && imc->type_supported(imc, message_type)) + { + imc->receive_message(imc->get_id(imc), connection_id, + message, message_len, message_type); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, batch_ending, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->batch_ending) + { + imc->batch_ending(imc->get_id(imc), id); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, destroy, void, + private_tnc_imc_manager_t *this) +{ + imc_t *imc; + + while (this->imcs->remove_last(this->imcs, (void**)&imc) == SUCCESS) + { + if (imc->terminate && + imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully", + imc->get_name(imc)); + } + imc->destroy(imc); + } + this->imcs->destroy(this->imcs); + free(this); +} + +/** + * Described in header. + */ +imc_manager_t* tnc_imc_manager_create(void) +{ + private_tnc_imc_manager_t *this; + + INIT(this, + .public = { + .add = _add, + .remove = _remove_, /* avoid name conflict with stdio.h */ + .get_preferred_language = _get_preferred_language, + .notify_connection_change = _notify_connection_change, + .begin_handshake = _begin_handshake, + .set_message_types = _set_message_types, + .receive_message = _receive_message, + .batch_ending = _batch_ending, + .destroy = _destroy, + }, + .imcs = linked_list_create(), + .next_imc_id = 1, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h new file mode 100644 index 000000000..ed490293b --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imc_manager tnc_imc_manager + * @{ @ingroup tnc_imc + */ + +#ifndef TNC_IMC_MANAGER_H_ +#define TNC_IMC_MANAGER_H_ + +#include + +/** + * Create an IMC manager instance. + */ +imc_manager_t *tnc_imc_manager_create(); + +#endif /** TNC_IMC_MANAGER_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c index 0ce930ba3..89888040a 100644 --- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c @@ -14,15 +14,137 @@ */ #include "tnc_imc_plugin.h" +#include "tnc_imc_manager.h" +#include "tnc_imc.h" -#include +#include +#include +#include +#include +#include +#include #include +#include + +/** + * load IMCs from a configuration file + */ +static bool load_imcs(char *filename) +{ + int fd, line_nr = 0; + chunk_t src, line; + struct stat sb; + void *addr; + + DBG1(DBG_TNC, "loading IMCs from '%s'", filename); + fd = open(filename, O_RDONLY); + if (fd == -1) + { + DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename, + strerror(errno)); + return FALSE; + } + if (fstat(fd, &sb) == -1) + { + DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename, + strerror(errno)); + close(fd); + return FALSE; + } + addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno)); + close(fd); + return FALSE; + } + src = chunk_create(addr, sb.st_size); + + while (fetchline(&src, &line)) + { + char *name, *path; + chunk_t token; + imc_t *imc; + + line_nr++; + + /* skip comments or empty lines */ + if (*line.ptr == '#' || !eat_whitespace(&line)) + { + continue; + } + + /* determine keyword */ + if (!extract_token(&token, ' ', &line)) + { + DBG1(DBG_TNC, "line %d: keyword must be followed by a space", + line_nr); + return FALSE; + } + + /* only interested in IMCs */ + if (!match("IMC", &token)) + { + continue; + } + + /* advance to the IMC name and extract it */ + if (!extract_token(&token, '"', &line) || + !extract_token(&token, '"', &line)) + { + DBG1(DBG_TNC, "line %d: IMC name must be set in double quotes", + line_nr); + return FALSE; + } + + /* copy the IMC name */ + name = malloc(token.len + 1); + memcpy(name, token.ptr, token.len); + name[token.len] = '\0'; + + /* advance to the IMC path and extract it */ + if (!eat_whitespace(&line)) + { + DBG1(DBG_TNC, "line %d: IMC path is missing", line_nr); + free(name); + return FALSE; + } + if (!extract_token(&token, ' ', &line)) + { + token = line; + } + + /* copy the IMC path */ + path = malloc(token.len + 1); + memcpy(path, token.ptr, token.len); + path[token.len] = '\0'; + + /* load and register IMC instance */ + imc = tnc_imc_create(name, path); + if (!imc) + { + free(name); + free(path); + return FALSE; + } + if (!charon->imcs->add(charon->imcs, imc)) + { + imc->destroy(imc); + return FALSE; + } + DBG1(DBG_TNC, "IMC %u \"%s\" loaded from '%s'", imc->get_id(imc), + name, path); + } + munmap(addr, sb.st_size); + close(fd); + return TRUE; +} METHOD(plugin_t, destroy, void, tnc_imc_plugin_t *this) { - libtnc_tncc_Terminate(); + charon->imcs->destroy(charon->imcs); free(this); } @@ -31,7 +153,7 @@ METHOD(plugin_t, destroy, void, */ plugin_t *tnc_imc_plugin_create() { - char *tnc_config, *pref_lang; + char *tnc_config; tnc_imc_plugin_t *this; INIT(this, @@ -40,18 +162,19 @@ plugin_t *tnc_imc_plugin_create() }, ); - pref_lang = lib->settings->get_str(lib->settings, - "charon.plugins.tnc-imc.preferred_language", "en"); + /* Create IMC manager */ + charon->imcs = tnc_imc_manager_create(); + + /* Load IMCs and abort if not all instances initalize successfully */ tnc_config = lib->settings->get_str(lib->settings, "charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config"); - - if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + if (!load_imcs(tnc_config)) { + charon->imcs->destroy(charon->imcs); + charon->imcs = NULL; free(this); - DBG1(DBG_TNC, "TNC IMC initialization failed"); return NULL; } - return &this->plugin; } diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am index 9c3b47364..3ba283bb7 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libcharon/plugins/tnc_imv/Makefile.am @@ -1,11 +1,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imv_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imv.la else @@ -13,7 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la endif libstrongswan_tnc_imv_la_SOURCES = \ - tnc_imv_plugin.h tnc_imv_plugin.c + tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ + tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ + tnc_imv_recommendations.h tnc_imv_recommendations.c libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in index f89b5e03b..0324d2eb9 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.in +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -74,8 +74,10 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnc_imv_la_DEPENDENCIES = -am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo +libstrongswan_tnc_imv_la_LIBADD = +am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \ + tnc_imv_manager.lo tnc_imv_bind_function.lo \ + tnc_imv_recommendations.lo libstrongswan_tnc_imv_la_OBJECTS = \ $(am_libstrongswan_tnc_imv_la_OBJECTS) libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -221,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -273,14 +275,15 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imv_la_LIBADD = -ltnc @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la libstrongswan_tnc_imv_la_SOURCES = \ - tnc_imv_plugin.h tnc_imv_plugin.c + tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ + tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ + tnc_imv_recommendations.h tnc_imv_recommendations.c libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version all: all-am @@ -366,7 +369,11 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c new file mode 100644 index 000000000..f88b645d6 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c @@ -0,0 +1,208 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv.h" + +#include + +#include +#include + +typedef struct private_tnc_imv_t private_tnc_imv_t; + +/** + * Private data of an imv_t object. + */ +struct private_tnc_imv_t { + + /** + * Public members of imv_t. + */ + imv_t public; + + /** + * Path of loaded IMV + */ + char *path; + + /** + * Name of loaded IMV + */ + char *name; + + /** + * Handle of loaded IMV + */ + void *handle; + + /** + * ID of loaded IMV + */ + TNC_IMVID id; + + /** + * List of message types supported by IMC + */ + TNC_MessageTypeList supported_types; + + /** + * Number of supported message types + */ + TNC_UInt32 type_count; +}; + +METHOD(imv_t, set_id, void, + private_tnc_imv_t *this, TNC_IMVID id) +{ + this->id = id; +} + +METHOD(imv_t, get_id, TNC_IMVID, + private_tnc_imv_t *this) +{ + return this->id; +} + +METHOD(imv_t, get_name, char*, + private_tnc_imv_t *this) +{ + return this->name; +} + +METHOD(imv_t, set_message_types, void, + private_tnc_imv_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + /* Free an existing MessageType list */ + free(this->supported_types); + this->supported_types = NULL; + + /* Store the new MessageType list */ + this->type_count = type_count; + if (type_count && supported_types) + { + size_t size = type_count * sizeof(TNC_MessageType); + + this->supported_types = malloc(size); + memcpy(this->supported_types, supported_types, size); + } + DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count); +} + +METHOD(imv_t, type_supported, bool, + private_tnc_imv_t *this, TNC_MessageType message_type) +{ + TNC_VendorID msg_vid, vid; + TNC_MessageSubtype msg_subtype, subtype; + int i; + + msg_vid = (message_type >> 8) & TNC_VENDORID_ANY; + msg_subtype = message_type & TNC_SUBTYPE_ANY; + + for (i = 0; i < this->type_count; i++) + { + vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY; + subtype = this->supported_types[i] & TNC_SUBTYPE_ANY; + + if (this->supported_types[i] == message_type + || (subtype == TNC_SUBTYPE_ANY + && (msg_vid == vid || vid == TNC_VENDORID_ANY)) + || (vid == TNC_VENDORID_ANY + && (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY))) + { + return TRUE; + } + } + return FALSE; +} + +METHOD(imv_t, destroy, void, + private_tnc_imv_t *this) +{ + dlclose(this->handle); + free(this->supported_types); + free(this->name); + free(this->path); + free(this); +} + +/** + * Described in header. + */ +imv_t* tnc_imv_create(char *name, char *path) +{ + private_tnc_imv_t *this; + + INIT(this, + .public = { + .set_id = _set_id, + .get_id = _get_id, + .get_name = _get_name, + .set_message_types = _set_message_types, + .type_supported = _type_supported, + .destroy = _destroy, + }, + .name = name, + .path = path, + ); + + this->handle = dlopen(path, RTLD_LAZY); + if (!this->handle) + { + DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror()); + free(this); + return NULL; + } + + this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize"); + if (!this->public.initialize) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.notify_connection_change = + dlsym(this->handle, "TNC_IMV_NotifyConnectionChange"); + this->public.solicit_recommendation = + dlsym(this->handle, "TNC_IMV_SolicitRecommendation"); + if (!this->public.solicit_recommendation) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.receive_message = + dlsym(this->handle, "TNC_IMV_ReceiveMessage"); + this->public.batch_ending = + dlsym(this->handle, "TNC_IMV_BatchEnding"); + this->public.terminate = + dlsym(this->handle, "TNC_IMV_Terminate"); + this->public.provide_bind_function = + dlsym(this->handle, "TNC_IMV_ProvideBindFunction"); + if (!this->public.provide_bind_function) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h new file mode 100644 index 000000000..75939e54c --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imv_t tnc_imv + * @{ @ingroup tnc_imv + */ + +#ifndef TNC_IMV_H_ +#define TNC_IMV_H_ + +#include + +/** + * Create an Integrity Measurement Verifier. + * + * @param name name of the IMV + * @param filename path to the dynamic IMV library + * @return instance of the imv_t interface + */ +imv_t* tnc_imv_create(char *name, char *filename); + +#endif /** TNC_IMV_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c new file mode 100644 index 000000000..0ea52f08e --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c @@ -0,0 +1,137 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv.h" + +#include +#include + +#define TNC_IMCID_ANY 0xffff + +/** + * Called by the IMV to inform a TNCS about the set of message types the IMV + * is able to receive + */ +TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + return charon->imvs->set_message_types(charon->imvs, imv_id, + supported_types, type_count); +} + +/** + * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake + */ +TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_RetryReason reason) +{ + return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id, + connection_id, reason); +} + +/** + * Called by the IMV when an IMV-IMC message is to be sent + */ +TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id, + connection_id, msg, msg_len, msg_type); +} + +/** + * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation + * Result to the TNCS + */ +TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_IMV_Action_Recommendation recommendation, + TNC_IMV_Evaluation_Result evaluation) +{ + return charon->tnccs->provide_recommendation(charon->tnccs, imv_id, + connection_id, recommendation, evaluation); +} + +/** + * Called by the IMV to get the value of an attribute associated with a + * connection or with the TNCS as a whole. + */ +TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len) +{ + return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id, + attribute_id, buffer_len, buffer, out_value_len); +} + +/** + * Called by the IMV to set the value of an attribute associated with a + * connection or with the TNCS as a whole. + */ +TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer) +{ + return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id, + attribute_id, buffer_len, buffer); +} + +/** + * Called by the IMV when it needs a function pointer + */ +TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id, + char *function_name, + void **function_pointer) +{ + if (streq(function_name, "TNC_TNCS_ReportMessageTypes")) + { + *function_pointer = (void*)TNC_TNCS_ReportMessageTypes; + } + else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry")) + { + *function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry; + } + else if (streq(function_name, "TNC_TNCS_SendMessage")) + { + *function_pointer = (void*)TNC_TNCS_SendMessage; + } + else if (streq(function_name, "TNC_TNCS_ProvideRecommendation")) + { + *function_pointer = (void*)TNC_TNCS_ProvideRecommendation; + } + else if (streq(function_name, "TNC_TNCS_GetAttribute")) + { + *function_pointer = (void*)TNC_TNCS_GetAttribute; + } + else if (streq(function_name, "TNC_TNCS_SetAttribute")) + { + *function_pointer = (void*)TNC_TNCS_SetAttribute; + } + else + { + return TNC_RESULT_INVALID_PARAMETER; + } + return TNC_RESULT_SUCCESS; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c new file mode 100644 index 000000000..559de86d0 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c @@ -0,0 +1,295 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv_manager.h" +#include "tnc_imv_recommendations.h" + +#include +#include + +#include +#include +#include + +typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t; + + +/** + * Private data of an imv_manager_t object. + */ +struct private_tnc_imv_manager_t { + + /** + * Public members of imv_manager_t. + */ + imv_manager_t public; + + /** + * Linked list of IMVs + */ + linked_list_t *imvs; + + /** + * Next IMV ID to be assigned + */ + TNC_IMVID next_imv_id; + + /** + * Policy defining how to derive final recommendation from individual ones + */ + recommendation_policy_t policy; +}; + +METHOD(imv_manager_t, add, bool, + private_tnc_imv_manager_t *this, imv_t *imv) +{ + TNC_Version version; + + /* Initialize the IMV module */ + imv->set_id(imv, this->next_imv_id); + if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1, + TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv)); + return FALSE; + } + this->imvs->insert_last(this->imvs, imv); + this->next_imv_id++; + + if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction) + != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function", + imv->get_name(imv)); + this->imvs->remove_last(this->imvs, (void**)&imv); + return FALSE; + } + + return TRUE; +} + +METHOD(imv_manager_t, remove_, imv_t*, + private_tnc_imv_manager_t *this, TNC_IMVID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (id == imv->get_id(imv)) + { + this->imvs->remove_at(this->imvs, enumerator); + return imv; + } + } + enumerator->destroy(enumerator); + return NULL; +} + +METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t, + private_tnc_imv_manager_t *this) +{ + return this->policy; +} + +METHOD(imv_manager_t, create_recommendations, recommendations_t*, + private_tnc_imv_manager_t *this) +{ + return tnc_imv_recommendations_create(this->imvs); +} + +METHOD(imv_manager_t, enforce_recommendation, bool, + private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec) +{ + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + DBG1(DBG_TNC, "TNC recommendation is allow"); + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + DBG1(DBG_TNC, "TNC recommendation is isolate"); + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + DBG1(DBG_TNC, "TNC recommendation is none"); + return FALSE; + } + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "TNC added group membership '%s'", group); + } + return TRUE; +} + + +METHOD(imv_manager_t, notify_connection_change, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id, + TNC_ConnectionState state) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (imv->notify_connection_change) + { + imv->notify_connection_change(imv->get_id(imv), id, state); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, set_message_types, TNC_Result, + private_tnc_imv_manager_t *this, TNC_IMVID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + enumerator_t *enumerator; + imv_t *imv; + TNC_Result result = TNC_RESULT_FATAL; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (id == imv->get_id(imv)) + { + imv->set_message_types(imv, supported_types, type_count); + result = TNC_RESULT_SUCCESS; + break; + } + } + enumerator->destroy(enumerator); + return result; +} + +METHOD(imv_manager_t, solicit_recommendation, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + imv->solicit_recommendation(imv->get_id(imv), id); + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, receive_message, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (imv->receive_message && imv->type_supported(imv, message_type)) + { + imv->receive_message(imv->get_id(imv), connection_id, + message, message_len, message_type); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, batch_ending, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (imv->batch_ending) + { + imv->batch_ending(imv->get_id(imv), id); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, destroy, void, + private_tnc_imv_manager_t *this) +{ + imv_t *imv; + + while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS) + { + if (imv->terminate && + imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully", + imv->get_name(imv)); + } + imv->destroy(imv); + } + this->imvs->destroy(this->imvs); + free(this); +} + +/** + * Described in header. + */ +imv_manager_t* tnc_imv_manager_create(void) +{ + private_tnc_imv_manager_t *this; + recommendation_policy_t policy; + + INIT(this, + .public = { + .add = _add, + .remove = _remove_, /* avoid name conflict with stdio.h */ + .get_recommendation_policy = _get_recommendation_policy, + .create_recommendations = _create_recommendations, + .enforce_recommendation = _enforce_recommendation, + .notify_connection_change = _notify_connection_change, + .set_message_types = _set_message_types, + .solicit_recommendation = _solicit_recommendation, + .receive_message = _receive_message, + .batch_ending = _batch_ending, + .destroy = _destroy, + }, + .imvs = linked_list_create(), + .next_imv_id = 1, + ); + policy = enum_from_name(recommendation_policy_names, + lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imv.recommendation_policy", "default")); + this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT; + DBG1(DBG_TNC, "TNC recommendation policy is '%N'", + recommendation_policy_names, this->policy); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h new file mode 100644 index 000000000..2fe9e7ae3 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imv_manager tnc_imv_manager + * @{ @ingroup tnc_imv + */ + +#ifndef TNC_IMV_MANAGER_H_ +#define TNC_IMV_MANAGER_H_ + +#include + +/** + * Create an IMV manager instance. + */ +imv_manager_t *tnc_imv_manager_create(); + +#endif /** TNC_IMV_MANAGER_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c index 5b3d3892d..f238f01ea 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c @@ -14,15 +14,137 @@ */ #include "tnc_imv_plugin.h" +#include "tnc_imv_manager.h" +#include "tnc_imv.h" -#include +#include +#include +#include +#include +#include +#include #include +#include + +/** + * load IMVs from a configuration file + */ +static bool load_imvs(char *filename) +{ + int fd, line_nr = 0; + chunk_t src, line; + struct stat sb; + void *addr; + + DBG1(DBG_TNC, "loading IMVs from '%s'", filename); + fd = open(filename, O_RDONLY); + if (fd == -1) + { + DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename, + strerror(errno)); + return FALSE; + } + if (fstat(fd, &sb) == -1) + { + DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename, + strerror(errno)); + close(fd); + return FALSE; + } + addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno)); + close(fd); + return FALSE; + } + src = chunk_create(addr, sb.st_size); + + while (fetchline(&src, &line)) + { + char *name, *path; + chunk_t token; + imv_t *imv; + + line_nr++; + + /* skip comments or empty lines */ + if (*line.ptr == '#' || !eat_whitespace(&line)) + { + continue; + } + + /* determine keyword */ + if (!extract_token(&token, ' ', &line)) + { + DBG1(DBG_TNC, "line %d: keyword must be followed by a space", + line_nr); + return FALSE; + } + + /* only interested in IMVs */ + if (!match("IMV", &token)) + { + continue; + } + + /* advance to the IMV name and extract it */ + if (!extract_token(&token, '"', &line) || + !extract_token(&token, '"', &line)) + { + DBG1(DBG_TNC, "line %d: IMV name must be set in double quotes", + line_nr); + return FALSE; + } + + /* copy the IMV name */ + name = malloc(token.len + 1); + memcpy(name, token.ptr, token.len); + name[token.len] = '\0'; + + /* advance to the IMV path and extract it */ + if (!eat_whitespace(&line)) + { + DBG1(DBG_TNC, "line %d: IMV path is missing", line_nr); + free(name); + return FALSE; + } + if (!extract_token(&token, ' ', &line)) + { + token = line; + } + + /* copy the IMV path */ + path = malloc(token.len + 1); + memcpy(path, token.ptr, token.len); + path[token.len] = '\0'; + + /* load and register IMV instance */ + imv = tnc_imv_create(name, path); + if (!imv) + { + free(name); + free(path); + return FALSE; + } + if (!charon->imvs->add(charon->imvs, imv)) + { + imv->destroy(imv); + return FALSE; + } + DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv), + name, path); + } + munmap(addr, sb.st_size); + close(fd); + return TRUE; +} METHOD(plugin_t, destroy, void, tnc_imv_plugin_t *this) { - libtnc_tncs_Terminate(); + charon->imvs->destroy(charon->imvs); free(this); } @@ -42,13 +164,18 @@ plugin_t *tnc_imv_plugin_create() tnc_config = lib->settings->get_str(lib->settings, "charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config"); - if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + + /* Create IMV manager */ + charon->imvs = tnc_imv_manager_create(); + + /* Load IMVs and abort if not all instances initalize successfully */ + if (!load_imvs(tnc_config)) { + charon->imvs->destroy(charon->imvs); + charon->imvs = NULL; free(this); - DBG1(DBG_TNC, "TNC IMV initialization failed"); return NULL; } - return &this->plugin; } diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c new file mode 100644 index 000000000..5cc6b0ced --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c @@ -0,0 +1,415 @@ +/* + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include +#include +#include + +typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t; +typedef struct recommendation_entry_t recommendation_entry_t; + +/** + * Recommendation entry + */ +struct recommendation_entry_t { + + /** + * IMV ID + */ + TNC_IMVID id; + + /** + * Received a recommendation message from this IMV? + */ + bool have_recommendation; + + /** + * Action Recommendation provided by IMV instance + */ + TNC_IMV_Action_Recommendation rec; + + /** + * Evaluation Result provided by IMV instance + */ + TNC_IMV_Evaluation_Result eval; + + /** + * Reason string provided by IMV instance + */ + chunk_t reason; + + /** + * Reason language provided by IMV instance + */ + chunk_t reason_language; +}; + +/** + * Private data of a recommendations_t object. + */ +struct private_tnc_imv_recommendations_t { + + /** + * Public members of recommendations_t. + */ + recommendations_t public; + + /** + * list of recommendations and evaluations provided by IMVs + */ + linked_list_t *recs; + + /** + * Preferred language for remediation messages + */ + chunk_t preferred_language; +}; + +METHOD(recommendations_t, provide_recommendation, TNC_Result, + private_tnc_imv_recommendations_t* this, TNC_IMVID id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + enumerator_t *enumerator; + recommendation_entry_t *entry; + bool found = FALSE; + + DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id, + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + enumerator = this->recs->create_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->id == id) + { + found = TRUE; + entry->have_recommendation = TRUE; + entry->rec = rec; + entry->eval = eval; + break; + } + } + enumerator->destroy(enumerator); + return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL; +} + +METHOD(recommendations_t, have_recommendation, bool, + private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec, + TNC_IMV_Evaluation_Result *eval) +{ + enumerator_t *enumerator; + recommendation_entry_t *entry; + recommendation_policy_t policy; + TNC_IMV_Action_Recommendation final_rec; + TNC_IMV_Evaluation_Result final_eval; + bool first = TRUE, incomplete = FALSE; + + *rec = final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + *eval = final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW; + + if (this->recs->get_count(this->recs) == 0) + { + DBG1(DBG_TNC, "there are no IMVs to make a recommendation"); + return TRUE; + } + policy = charon->imvs->get_recommendation_policy(charon->imvs); + + enumerator = this->recs->create_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &entry)) + { + if (!entry->have_recommendation) + { + incomplete = TRUE; + break; + } + if (first) + { + final_rec = entry->rec; + final_eval = entry->eval; + first = FALSE; + continue; + } + switch (policy) + { + case RECOMMENDATION_POLICY_DEFAULT: + switch (entry->rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + final_rec = entry->rec; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS) + { + final_rec = entry->rec; + }; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION) + { + final_rec = entry->rec; + }; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + break; + } + switch (entry->eval) + { + case TNC_IMV_EVALUATION_RESULT_ERROR: + final_eval = entry->eval; + break; + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR: + if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR: + if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR && + final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_COMPLIANT: + if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_DONT_KNOW: + break; + } + break; + + case RECOMMENDATION_POLICY_ALL: + if (entry->rec != final_rec) + { + final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + } + if (entry->eval != final_eval) + { + final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW; + } + break; + + case RECOMMENDATION_POLICY_ANY: + switch (entry->rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + final_rec = entry->rec; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW) + { + final_rec = entry->rec; + }; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION) + { + final_rec = entry->rec; + }; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + break; + } + switch (entry->eval) + { + case TNC_IMV_EVALUATION_RESULT_COMPLIANT: + final_eval = entry->eval; + break; + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR: + if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR: + if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT && + final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_ERROR: + if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW) + { + final_eval = entry->eval; + } + break; + case TNC_IMV_EVALUATION_RESULT_DONT_KNOW: + break; + } + } + } + enumerator->destroy(enumerator); + + if (incomplete) + { + return FALSE; + } + *rec = final_rec; + *eval = final_eval; + return TRUE; +} + +METHOD(recommendations_t, get_preferred_language, chunk_t, + private_tnc_imv_recommendations_t *this) +{ + return this->preferred_language; +} + +METHOD(recommendations_t, set_preferred_language, void, + private_tnc_imv_recommendations_t *this, chunk_t pref_lang) +{ + free(this->preferred_language.ptr); + this->preferred_language = chunk_clone(pref_lang); +} + +METHOD(recommendations_t, set_reason_string, TNC_Result, + private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason) +{ + enumerator_t *enumerator; + recommendation_entry_t *entry; + bool found = FALSE; + + DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'", + id, reason.len, reason.ptr); + + enumerator = this->recs->create_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->id == id) + { + found = TRUE; + free(entry->reason.ptr); + entry->reason = chunk_clone(reason); + break; + } + } + enumerator->destroy(enumerator); + return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER; +} + +METHOD(recommendations_t, set_reason_language, TNC_Result, + private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang) +{ + enumerator_t *enumerator; + recommendation_entry_t *entry; + bool found = FALSE; + + DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'", + id, reason_lang.len, reason_lang.ptr); + + enumerator = this->recs->create_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->id == id) + { + found = TRUE; + free(entry->reason_language.ptr); + entry->reason_language = chunk_clone(reason_lang); + break; + } + } + enumerator->destroy(enumerator); + return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER; +} + +/** + * Enumerate reason and reason_language, not recommendation entries + */ +static bool reason_filter(void *null, recommendation_entry_t **entry, + TNC_IMVID *id, void *i2, chunk_t *reason, void *i3, + chunk_t *reason_language) +{ + if ((*entry)->reason.len) + { + *id = (*entry)->id; + *reason = (*entry)->reason; + *reason_language = (*entry)->reason_language; + return TRUE; + } + else + { + return FALSE; + } +} + +METHOD(recommendations_t, create_reason_enumerator, enumerator_t*, + private_tnc_imv_recommendations_t *this) +{ + return enumerator_create_filter(this->recs->create_enumerator(this->recs), + (void*)reason_filter, NULL, NULL); +} + +METHOD(recommendations_t, destroy, void, + private_tnc_imv_recommendations_t *this) +{ + recommendation_entry_t *entry; + + while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS) + { + free(entry->reason.ptr); + free(entry->reason_language.ptr); + free(entry); + } + this->recs->destroy(this->recs); + free(this->preferred_language.ptr); + free(this); +} + +/** + * Described in header. + */ +recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list) +{ + private_tnc_imv_recommendations_t *this; + recommendation_entry_t *entry; + enumerator_t *enumerator; + imv_t *imv; + + INIT(this, + .public = { + .provide_recommendation = _provide_recommendation, + .have_recommendation = _have_recommendation, + .get_preferred_language = _get_preferred_language, + .set_preferred_language = _set_preferred_language, + .set_reason_string = _set_reason_string, + .set_reason_language = _set_reason_language, + .create_reason_enumerator = _create_reason_enumerator, + .destroy = _destroy, + }, + .recs = linked_list_create(), + ); + + enumerator = imv_list->create_enumerator(imv_list); + while (enumerator->enumerate(enumerator, &imv)) + { + entry = malloc_thing(recommendation_entry_t); + entry->id = imv->get_id(imv); + entry->have_recommendation = FALSE; + entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW; + entry->reason = chunk_empty; + entry->reason_language = chunk_empty; + this->recs->insert_last(this->recs, entry); + } + enumerator->destroy(enumerator); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h new file mode 100644 index 000000000..6d65a2521 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imv_manager tnc_imv_manager + * @{ @ingroup tnc_imv + */ + +#ifndef TNC_IMV_RECOMMENDATIONS_H_ +#define TNC_IMV_RECOMMENDATIONS_H_ + +#include +#include + +/** + * Create an IMV empty recommendations instance + */ +recommendations_t *tnc_imv_recommendations_create(); + +#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am index 7ccd0dfee..1042c3514 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.am +++ b/src/libcharon/plugins/tnccs_11/Makefile.am @@ -1,21 +1,27 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic -libstrongswan_tnccs_11_la_LIBADD = -ltnc +libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-11.la else plugin_LTLIBRARIES = libstrongswan-tnccs-11.la -libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la endif libstrongswan_tnccs_11_la_SOURCES = \ - tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \ + batch/tnccs_batch.h batch/tnccs_batch.c \ + messages/tnccs_msg.h messages/tnccs_msg.c \ + messages/imc_imv_msg.h messages/imc_imv_msg.c \ + messages/tnccs_error_msg.h messages/tnccs_error_msg.c \ + messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \ + messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ + messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ + messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in index 200ff7a0a..5ab7ccbca 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.in +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -34,7 +34,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la subdir = src/libcharon/plugins/tnccs_11 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -75,8 +74,12 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1) -am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo +am__DEPENDENCIES_1 = +libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \ + tnccs_batch.lo tnccs_msg.lo imc_imv_msg.lo tnccs_error_msg.lo \ + tnccs_preferred_language_msg.lo tnccs_reason_strings_msg.lo \ + tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo libstrongswan_tnccs_11_la_OBJECTS = \ $(am_libstrongswan_tnccs_11_la_OBJECTS) libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \ @@ -223,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -275,15 +278,22 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic -libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1) +libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la libstrongswan_tnccs_11_la_SOURCES = \ - tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \ + batch/tnccs_batch.h batch/tnccs_batch.c \ + messages/tnccs_msg.h messages/tnccs_msg.c \ + messages/imc_imv_msg.h messages/imc_imv_msg.c \ + messages/tnccs_error_msg.h messages/tnccs_error_msg.c \ + messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \ + messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ + messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ + messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version all: all-am @@ -369,8 +379,16 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_imv_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_batch.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_error_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_preferred_language_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_reason_strings_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_recommendation_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -393,6 +411,62 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +tnccs_batch.lo: batch/tnccs_batch.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c + +tnccs_msg.lo: messages/tnccs_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c + +imc_imv_msg.lo: messages/imc_imv_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c + +tnccs_error_msg.lo: messages/tnccs_error_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c + +tnccs_preferred_language_msg.lo: messages/tnccs_preferred_language_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c + +tnccs_reason_strings_msg.lo: messages/tnccs_reason_strings_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c + +tnccs_recommendation_msg.lo: messages/tnccs_recommendation_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c + +tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c new file mode 100644 index 000000000..0f6f3a675 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c @@ -0,0 +1,323 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_batch.h" +#include "messages/tnccs_error_msg.h" + +#include +#include +#include + +#include + +typedef struct private_tnccs_batch_t private_tnccs_batch_t; + +/** + * Private data of a tnccs_batch_t object. + * + */ +struct private_tnccs_batch_t { + /** + * Public tnccs_batch_t interface. + */ + tnccs_batch_t public; + + /** + * Batch ID + */ + int batch_id; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * linked list of TNCCS messages + */ + linked_list_t *messages; + + /** + * linked list of TNCCS error messages + */ + linked_list_t *errors; + + /** + * XML document + */ + xmlDocPtr doc; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(tnccs_batch_t, get_encoding, chunk_t, + private_tnccs_batch_t *this) +{ + return this->encoding; +} + +METHOD(tnccs_batch_t, add_msg, void, + private_tnccs_batch_t *this, tnccs_msg_t* msg) +{ + xmlNodePtr root; + + DBG2(DBG_TNC, "adding %N message", tnccs_msg_type_names, + msg->get_type(msg)); + this->messages->insert_last(this->messages, msg); + root = xmlDocGetRootElement(this->doc); + xmlAddChild(root, msg->get_node(msg)); +} + +METHOD(tnccs_batch_t, build, void, + private_tnccs_batch_t *this) +{ + xmlChar *xmlbuf; + int buf_size; + + xmlDocDumpFormatMemory(this->doc, &xmlbuf, &buf_size, 1); + this->encoding = chunk_create((u_char*)xmlbuf, buf_size); + this->encoding = chunk_clone(this->encoding); + xmlFree(xmlbuf); +} + +METHOD(tnccs_batch_t, process, status_t, + private_tnccs_batch_t *this) +{ + tnccs_msg_t *tnccs_msg, *msg; + tnccs_error_type_t error_type = TNCCS_ERROR_OTHER; + char *error_msg, buf[BUF_LEN]; + xmlNodePtr cur; + xmlNsPtr ns; + xmlChar *batchid, *recipient; + int batch_id; + + this->doc = xmlParseMemory(this->encoding.ptr, this->encoding.len); + if (!this->doc) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "failed to parse XML message"; + goto fatal; + } + + /* check out the XML document */ + cur = xmlDocGetRootElement(this->doc); + if (!cur) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "empty XML document"; + goto fatal; + } + + /* check TNCCS namespace */ + ns = xmlSearchNsByHref(this->doc, cur, (const xmlChar*) + "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"); + if (!ns) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "TNCCS namespace not found"; + goto fatal; + } + + /* check XML document type */ + if (xmlStrcmp(cur->name, (const xmlChar*)"TNCCS-Batch")) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = buf; + snprintf(buf, BUF_LEN, "wrong XML document type '%s', expected TNCCS-Batch", + cur->name); + goto fatal; + } + + /* check presence of BatchID property */ + batchid = xmlGetProp(cur, (const xmlChar*)"BatchId"); + if (!batchid) + { + error_type = TNCCS_ERROR_INVALID_BATCH_ID; + error_msg = "BatchId is missing"; + goto fatal; + } + + /* check BatchID */ + batch_id = atoi((char*)batchid); + xmlFree(batchid); + if (batch_id != this->batch_id) + { + error_type = TNCCS_ERROR_INVALID_BATCH_ID; + error_msg = buf; + snprintf(buf, BUF_LEN, "BatchId %d expected, got %d", this->batch_id, + batch_id); + goto fatal; + } + + /* check presence of Recipient property */ + recipient = xmlGetProp(cur, (const xmlChar*)"Recipient"); + if (!recipient) + { + error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE; + error_msg = "Recipient is missing"; + goto fatal; + } + + /* check recipient */ + if (!streq((char*)recipient, this->is_server ? "TNCS" : "TNCC")) + { + error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE; + error_msg = buf; + snprintf(buf, BUF_LEN, "message recipient expected '%s', got '%s'", + this->is_server ? "TNCS" : "TNCC", (char*)recipient); + xmlFree(recipient); + goto fatal; + } + xmlFree(recipient); + + DBG2(DBG_TNC, "processing TNCCS Batch #%d", batch_id); + + /* Now walk the tree, handling message nodes as we go */ + for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) + { + /* ignore empty or blank nodes */ + if (xmlIsBlankNode(cur)) + { + continue; + } + + /* ignore nodes with wrong namespace */ + if (cur->ns != ns) + { + DBG1(DBG_TNC, "ignoring message node '%s' having wrong namespace", + (char*)cur->name); + continue; + } + + tnccs_msg = tnccs_msg_create_from_node(cur, this->errors); + + /* exit if a message parsing error occurred */ + if (this->errors->get_count(this->errors) > 0) + { + return FAILED; + } + + /* ignore unrecognized messages */ + if (!tnccs_msg) + { + continue; + } + + this->messages->insert_last(this->messages, tnccs_msg); + } + return SUCCESS; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +METHOD(tnccs_batch_t, create_msg_enumerator, enumerator_t*, + private_tnccs_batch_t *this) +{ + return this->messages->create_enumerator(this->messages); +} + +METHOD(tnccs_batch_t, create_error_enumerator, enumerator_t*, + private_tnccs_batch_t *this) +{ + return this->errors->create_enumerator(this->errors); +} + +METHOD(tnccs_batch_t, destroy, void, + private_tnccs_batch_t *this) +{ + this->messages->destroy_offset(this->messages, + offsetof(tnccs_msg_t, destroy)); + this->errors->destroy_offset(this->errors, + offsetof(tnccs_msg_t, destroy)); + xmlFreeDoc(this->doc); + free(this->encoding.ptr); + free(this); +} + +/** + * See header + */ +tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id) +{ + private_tnccs_batch_t *this; + xmlNodePtr n; + char buf[12]; + const char *recipient; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .messages = linked_list_create(), + .errors = linked_list_create(), + .batch_id = batch_id, + .doc = xmlNewDoc(BAD_CAST "1.0"), + ); + + DBG2(DBG_TNC, "creating TNCCS Batch #%d", this->batch_id); + n = xmlNewNode(NULL, BAD_CAST "TNCCS-Batch"); + snprintf(buf, sizeof(buf), "%d", batch_id); + recipient = this->is_server ? "TNCC" : "TNCS"; + xmlNewProp(n, BAD_CAST "BatchId", BAD_CAST buf); + xmlNewProp(n, BAD_CAST "Recipient", BAD_CAST recipient); + xmlNewProp(n, BAD_CAST "xmlns", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"); + xmlNewProp(n, BAD_CAST "xmlns:xsi", BAD_CAST "http://www.w3.org/2001/XMLSchema-instance"); + xmlNewProp(n, BAD_CAST "xsi:schemaLocation", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS# " + "https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd"); + xmlDocSetRootElement(this->doc, n); + + return &this->public; +} + +/** + * See header + */ +tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id, chunk_t data) +{ + private_tnccs_batch_t *this; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .batch_id = batch_id, + .messages = linked_list_create(), + .errors = linked_list_create(), + .encoding = chunk_clone(data), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h new file mode 100644 index 000000000..25301f763 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_batch tnccs_batch + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_BATCH_H_ +#define TNCCS_BATCH_H_ + +typedef enum tnccs_batch_type_t tnccs_batch_type_t; +typedef struct tnccs_batch_t tnccs_batch_t; + +#include "messages/tnccs_msg.h" + +#include + +/** + * Interface for a TNCCS 1.x Batch. + */ +struct tnccs_batch_t { + + /** + * Get the encoding of the TNCCS 1.x Batch + * + * @return encoded TNCCS 1.x batch + */ + chunk_t (*get_encoding)(tnccs_batch_t *this); + + /** + * Add TNCCS message + * + * @param msg TNCCS message to be addedd + */ + void (*add_msg)(tnccs_batch_t *this, tnccs_msg_t* msg); + + /** + * Build the TNCCS 1.x Batch + */ + void (*build)(tnccs_batch_t *this); + + /** + * Process the TNCCS 1.x Batch + * + * @return return processing status + */ + status_t (*process)(tnccs_batch_t *this); + + /** + * Enumerates over all TNCCS Messages + * + * @return return message enumerator + */ + enumerator_t* (*create_msg_enumerator)(tnccs_batch_t *this); + + /** + * Enumerates over all parsing errors + * + * @return return error enumerator + */ + enumerator_t* (*create_error_enumerator)(tnccs_batch_t *this); + + /** + * Destroys a tnccs_batch_t object. + */ + void (*destroy)(tnccs_batch_t *this); +}; + +/** + * Create an empty TNCCS 1.x Batch + * + * @param is_server TRUE if server, FALSE if client + * @param batch_id number of the batch to be sent + */ +tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id); + +/** + * Create an unprocessed TNCCS 1.x Batch from data + * + * @param is_server TRUE if server, FALSE if client + * @param batch_id current Batch ID + * @param data encoded PB-TNC batch + */ +tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id, + chunk_t data); + +#endif /** TNCCS_BATCH_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c new file mode 100644 index 000000000..f24c0dac9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c @@ -0,0 +1,242 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imc_imv_msg.h" + +#include +#include +#include + +typedef struct private_imc_imv_msg_t private_imc_imv_msg_t; + +#define BYTES_PER_LINE 57 + +/** + * Private data of a imc_imv_msg_t object. + * + */ +struct private_imc_imv_msg_t { + /** + * Public imc_imv_msg_t interface. + */ + imc_imv_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * IMC-IMV message type + */ + TNC_MessageType msg_type; + + /** + * IMC-IMV message body + */ + chunk_t msg_body; + +}; + +/** + * Encodes message data into multiple base64-encoded lines + */ +static chunk_t encode_base64(chunk_t data) +{ + chunk_t encoding; + u_char *pos; + size_t b64_chars, b64_lines; + + /* handle empty message data object */ + if (data.len == 0) + { + encoding = chunk_alloc(1); + *encoding.ptr = '\0'; + return encoding; + } + + /* compute and allocate maximum size of base64 object */ + b64_chars = 4 * ((data.len + 2) / 3); + b64_lines = (data.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE; + encoding = chunk_alloc(b64_chars + b64_lines); + pos = encoding.ptr; + + /* encode lines */ + while (b64_lines--) + { + chunk_t data_line, b64_line; + + data_line = chunk_create(data.ptr, min(data.len, BYTES_PER_LINE)); + data.ptr += data_line.len; + data.len -= data_line.len; + b64_line = chunk_to_base64(data_line, pos); + pos += b64_line.len; + *pos = '\n'; + pos++; + } + /* terminate last line with NULL character instead of newline */ + *(pos-1) = '\0'; + + return encoding; +} + +/** + * Decodes message data from multiple base64-encoded lines + */ +static chunk_t decode_base64(chunk_t data) +{ + chunk_t decoding, data_line, b64_line; + u_char *pos; + + /* compute and allocate maximum size of decoded message data */ + decoding = chunk_alloc(3 * ((data.len + 3) / 4)); + pos = decoding.ptr; + decoding.len = 0; + + while (fetchline(&data, &b64_line)) + { + data_line = chunk_from_base64(b64_line, pos); + pos += data_line.len; + decoding.len += data_line.len; + } + + return decoding; +} + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_imc_imv_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_imc_imv_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_imc_imv_msg_t *this) +{ + free(this->msg_body.ptr); + free(this); +} + +METHOD(imc_imv_msg_t, get_msg_type, TNC_MessageType, + private_imc_imv_msg_t *this) +{ + return this->msg_type; +} + +METHOD(imc_imv_msg_t, get_msg_body, chunk_t, + private_imc_imv_msg_t *this) +{ + return this->msg_body; +} + +/** + * See header + */ +tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors) +{ + private_imc_imv_msg_t *this; + xmlNsPtr ns; + xmlNodePtr cur; + xmlChar *content; + chunk_t b64_body; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_msg_type = _get_msg_type, + .get_msg_body = _get_msg_body, + }, + .type = IMC_IMV_MSG, + .node = node, + ); + + ns = node->ns; + cur = node->xmlChildrenNode; + while (cur) + { + if (streq((char*)cur->name, "Type") && cur->ns == ns) + { + content = xmlNodeGetContent(cur); + this->msg_type = strtoul((char*)content, NULL, 16); + xmlFree(content); + } + else if (streq((char*)cur->name, "Base64") && cur->ns == ns) + { + content = xmlNodeGetContent(cur); + b64_body = chunk_create((char*)content, strlen((char*)content)); + this->msg_body = decode_base64(b64_body); + xmlFree(content); + } + cur = cur->next; + } + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body) +{ + private_imc_imv_msg_t *this; + chunk_t b64_body; + char buf[10]; /* big enough for hex-encoded message type */ + xmlNodePtr n; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_msg_type = _get_msg_type, + .get_msg_body = _get_msg_body, + }, + .type = IMC_IMV_MSG, + .node = xmlNewNode(NULL, BAD_CAST "IMC-IMV-Message"), + .msg_type = msg_type, + .msg_body = chunk_clone(msg_body), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + snprintf(buf, 10, "%08x", this->msg_type); + xmlNodeSetContent(n, BAD_CAST buf); + xmlAddChild(this->node, n); + + /* encode the message as a Base64 node */ + n = xmlNewNode(NULL, BAD_CAST "Base64"); + b64_body = encode_base64(this->msg_body); + xmlNodeSetContent(n, BAD_CAST b64_body.ptr); + xmlAddChild(this->node, n); + free(b64_body.ptr); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h new file mode 100644 index 000000000..02f07199f --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc_imv_msg imc_imv_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef IMC_IMV_MSG_H_ +#define IMC_IMV_MSG_H_ + +typedef struct imc_imv_msg_t imc_imv_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Classs representing the PB-PA message type. + */ +struct imc_imv_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get IMC-IMV message type + * + * @return IMC-IMV message type + */ + TNC_MessageType (*get_msg_type)(imc_imv_msg_t *this); + + /** + * Get IMC-IMV message body + * + * @return IMC-IMV message body + */ + chunk_t (*get_msg_body)(imc_imv_msg_t *this); +}; + +/** + * Create an IMC-IMV message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages +*/ +tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors); + +/** + * Create an IMC-IMV message from parameters + * + * @param msg_type IMC-IMV message type + * @param msg_body IMC-IMV message body + */ +tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body); + +#endif /** IMC_IMV_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c new file mode 100644 index 000000000..d0df4e7ca --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c @@ -0,0 +1,191 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_error_msg.h" + +#include + +ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER, + "batch-too-long", + "malformed-batch", + "invalid-batch-id", + "invalid-recipient-type", + "internal-error", + "other" +); + +typedef struct private_tnccs_error_msg_t private_tnccs_error_msg_t; + +/** + * Private data of a tnccs_error_msg_t object. + * + */ +struct private_tnccs_error_msg_t { + /** + * Public tnccs_error_msg_t interface. + */ + tnccs_error_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Error type + */ + tnccs_error_type_t error_type; + + /** + * Error message + */ + char *error_msg; + + /** + * reference count + */ + refcount_t ref; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_error_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_error_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, get_ref, tnccs_msg_t*, + private_tnccs_error_msg_t *this) +{ + ref_get(&this->ref); + return &this->public.tnccs_msg_interface; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_error_msg_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->error_msg); + free(this); + } +} + +METHOD(tnccs_error_msg_t, get_message, char*, + private_tnccs_error_msg_t *this, tnccs_error_type_t *type) +{ + *type = this->error_type; + + return this->error_msg; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node) +{ + private_tnccs_error_msg_t *this; + xmlChar *error_type_name, *error_msg; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_message = _get_message, + }, + .type = TNCCS_MSG_ERROR, + .ref = 1, + .node = node, + .error_type = TNCCS_ERROR_OTHER, + ); + + error_type_name = xmlGetProp(node, (const xmlChar*)"type"); + if (error_type_name) + { + this->error_type = enum_from_name(tnccs_error_type_names, + (char*)error_type_name); + if (this->error_type == -1) + { + this->error_type = TNCCS_ERROR_OTHER; + } + xmlFree(error_type_name); + } + + error_msg = xmlNodeGetContent(node); + if (error_msg) + { + this->error_msg = strdup((char*)error_msg); + xmlFree(error_msg); + } + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg) +{ + private_tnccs_error_msg_t *this; + xmlNodePtr n, n2; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_message = _get_message, + }, + .type = TNCCS_MSG_ERROR, + .ref = 1, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .error_type = type, + .error_msg = strdup(msg), + ); + + DBG1(DBG_TNC, "%s", msg); + + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000002"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNewProp(n2, BAD_CAST "type", + BAD_CAST enum_to_name(tnccs_error_type_names, type)); + xmlNodeSetContent(n2, BAD_CAST msg); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h new file mode 100644 index 000000000..ce2ce9755 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_error_msg tnccs_error_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_ERROR_MSG_H_ +#define TNCCS_ERROR_MSG_H_ + +typedef enum tnccs_error_type_t tnccs_error_type_t; +typedef struct tnccs_error_msg_t tnccs_error_msg_t; + +#include "tnccs_msg.h" + +/** + * TNCCS error types as defined in section 8.1.4 of TCG TNC IF-TNCCS v1.2 + */ +enum tnccs_error_type_t { + TNCCS_ERROR_BATCH_TOO_LONG, + TNCCS_ERROR_MALFORMED_BATCH, + TNCCS_ERROR_INVALID_BATCH_ID, + TNCCS_ERROR_INVALID_RECIPIENT_TYPE, + TNCCS_ERROR_INTERNAL_ERROR, + TNCCS_ERROR_OTHER +}; + +/** + * enum name for tnccs_error_type_t. + */ +extern enum_name_t *tnccs_error_type_names; + +/** + * Class representing the TNCCS-Error message type + */ +struct tnccs_error_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get error message and type + * + * @param type TNCCS error type + * @return arbitrary error message + */ + char* (*get_message)(tnccs_error_msg_t *this, tnccs_error_type_t *type); +}; + +/** + * Create a TNCCS-Error message from XML-encoded message node + * + * @param node XML-encoded message node + */ +tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node); + +/** + * Create a TNCCS-Error message from parameters + * + * @param type TNCCS error type + * @param msg arbitrary error message + */ +tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg); + +#endif /** TNCCS_ERROR_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c new file mode 100644 index 000000000..5a050393a --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_msg.h" +#include "imc_imv_msg.h" +#include "tnccs_error_msg.h" +#include "tnccs_preferred_language_msg.h" +#include "tnccs_reason_strings_msg.h" +#include "tnccs_recommendation_msg.h" +#include "tnccs_tncs_contact_info_msg.h" + +#include +#include + +ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF, + "IMC-IMV", + "TNCCS-Recommendation", + "TNCCS-Error", + "TNCCS-PreferredLanguage", + "TNCCS-ReasonStrings", + "TNCCS-TNCSContactInfo" +); + +/** + * See header + */ +tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors) +{ + char *error_msg, buf[BUF_LEN]; + tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH; + tnccs_msg_t *msg; + tnccs_msg_type_t type = IMC_IMV_MSG; + + if (streq((char*)node->name, "IMC-IMV-Message")) + { + DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type); + return imc_imv_msg_create_from_node(node, errors); + } + else if (streq((char*)node->name, "TNCC-TNCS-Message")) + { + bool found = FALSE; + xmlNsPtr ns = node->ns; + xmlNodePtr cur = node->xmlChildrenNode; + xmlNodePtr xml_msg_node = NULL; + + while (cur) + { + if (streq((char*)cur->name, "Type") && cur->ns == ns) + { + xmlChar *content = xmlNodeGetContent(cur); + + type = strtol((char*)content, NULL, 16); + xmlFree(content); + found = TRUE; + } + else if (streq((char*)cur->name, "XML") && cur->ns == ns) + { + xml_msg_node = cur->xmlChildrenNode; + } + cur = cur->next; + } + if (!found) + { + error_msg = "Type is missing in TNCC-TNCS-Message"; + goto fatal; + } + if (!xml_msg_node) + { + error_msg = "XML node is missing in TNCC-TNCS-Message"; + goto fatal; + } + cur = xml_msg_node; + + /* skip empty and blank nodes */ + while (cur && xmlIsBlankNode(cur)) + { + cur = cur->next; + } + if (!cur) + { + error_msg = "XML node is empty"; + goto fatal; + } + + /* check if TNCCS message type and node name agree */ + if (type >= TNCCS_MSG_RECOMMENDATION && type <= TNCCS_MSG_ROOF) + { + DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type); + if (cur->ns != ns) + { + error_msg = "node is not in the TNCCS message namespace"; + goto fatal; + } + if (type != enum_from_name(tnccs_msg_type_names, (char*)cur->name)) + { + error_msg = buf; + snprintf(buf, BUF_LEN, "expected '%N' node but was '%s'", + tnccs_msg_type_names, type, (char*)cur->name); + goto fatal; + } + } + + switch (type) + { + case TNCCS_MSG_RECOMMENDATION: + return tnccs_recommendation_msg_create_from_node(cur, errors); + case TNCCS_MSG_ERROR: + return tnccs_error_msg_create_from_node(cur); + case TNCCS_MSG_PREFERRED_LANGUAGE: + return tnccs_preferred_language_msg_create_from_node(cur, errors); + case TNCCS_MSG_REASON_STRINGS: + return tnccs_reason_strings_msg_create_from_node(cur, errors); + case TNCCS_MSG_TNCS_CONTACT_INFO: + return tnccs_tncs_contact_info_msg_create_from_node(cur, errors); + default: + DBG1(DBG_TNC, "ignoring TNCC-TNCS-Message with type %d", type); + return NULL; + } + } + DBG1(DBG_TNC, "ignoring unknown message node '%s'", (char*)node->name); + return NULL; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + errors->insert_last(errors, msg); + return NULL; +} + diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h new file mode 100644 index 000000000..e0b54449a --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_msg tnccs_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_MSG_H_ +#define TNCCS_MSG_H_ + +typedef enum tnccs_msg_type_t tnccs_msg_type_t; +typedef struct tnccs_msg_t tnccs_msg_t; + +#include +#include +#include + +/** + * TNCC-TNCS messages as defined in section 2.8.5 of TCG TNC IF-TNCCS v1.2 + */ +enum tnccs_msg_type_t { + IMC_IMV_MSG = 0, + TNCCS_MSG_RECOMMENDATION = 1, + TNCCS_MSG_ERROR = 2, + TNCCS_MSG_PREFERRED_LANGUAGE = 3, + TNCCS_MSG_REASON_STRINGS = 4, + TNCCS_MSG_TNCS_CONTACT_INFO = 5, + TNCCS_MSG_ROOF = 5 +}; + +/** + * enum name for tnccs_msg_type_t. + */ +extern enum_name_t *tnccs_msg_type_names; + +/** + * Generic interface for all TNCCS message types. + * + * To handle all messages in a generic way, this interface + * must be implemented by each message type. + */ +struct tnccs_msg_t { + + /** + * Get the TNCCS Message Type + * + * @return TNCCS Message Type + */ + tnccs_msg_type_t (*get_type)(tnccs_msg_t *this); + + /** + * Get the XML-encoded Message Node + * + * @return Message Node + */ + xmlNodePtr (*get_node)(tnccs_msg_t *this); + + /** + * Process the TNCCS Message + * + * @return return processing status + */ + status_t (*process)(tnccs_msg_t *this); + + /** + * Get a new reference to the message. + * + * @return this, with an increased refcount + */ + tnccs_msg_t* (*get_ref)(tnccs_msg_t *this); + + /** + * Destroys a tnccs_msg_t object. + */ + void (*destroy)(tnccs_msg_t *this); +}; + +/** + * Create a pre-processed TNCCS message + * + * Useful for the parser which wants a generic constructor for all + * tnccs_msg_t types. + * + * @param node TNCCS message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors); + +#endif /** TNCCS_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c new file mode 100644 index 000000000..fd85350b5 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c @@ -0,0 +1,137 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_preferred_language_msg.h" + +#include + +typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t; + +/** + * Private data of a tnccs_preferred_language_msg_t object. + * + */ +struct private_tnccs_preferred_language_msg_t { + /** + * Public tnccs_preferred_language_msg_t interface. + */ + tnccs_preferred_language_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Preferred language + */ + char *preferred_language; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_preferred_language_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_preferred_language_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_preferred_language_msg_t *this) +{ + free(this->preferred_language); + free(this); +} + +METHOD(tnccs_preferred_language_msg_t, get_preferred_language, char*, + private_tnccs_preferred_language_msg_t *this) +{ + return this->preferred_language; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_preferred_language_msg_t *this; + xmlChar *language; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_preferred_language = _get_preferred_language, + }, + .type = TNCCS_MSG_PREFERRED_LANGUAGE, + .node = node, + ); + + language = xmlNodeGetContent(node); + this->preferred_language = strdup((char*)language); + xmlFree(language); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_preferred_language_msg_create(char *language) +{ + private_tnccs_preferred_language_msg_t *this; + xmlNodePtr n, n2; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_preferred_language = _get_preferred_language, + }, + .type = TNCCS_MSG_PREFERRED_LANGUAGE, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .preferred_language = strdup(language), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000003"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNodeSetContent(n2, BAD_CAST language); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h new file mode 100644 index 000000000..d301ab2bb --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_preferred_language_msg tnccs_preferred_language_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_PREFERRED_LANGUAGE_MSG_H_ +#define TNCCS_PREFERRED_LANGUAGE_MSG_H_ + +typedef struct tnccs_preferred_language_msg_t tnccs_preferred_language_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Class representing the TNCCS-PreferredLanguage message type + */ +struct tnccs_preferred_language_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get preferred language string + * + * @return preferred language string + */ + char* (*get_preferred_language)(tnccs_preferred_language_msg_t *this); +}; + +/** + * Create a TNCCS-PreferredLanguage message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-PreferredLanguage message from parameters + * + * @param language preferred language string + */ +tnccs_msg_t *tnccs_preferred_language_msg_create(char *language); + +#endif /** TNCCS_PREFERRED_LANGUAGE_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c new file mode 100644 index 000000000..d4b5d9bf9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c @@ -0,0 +1,149 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_reason_strings_msg.h" + +#include + +typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t; + +/** + * Private data of a tnccs_reason_strings_msg_t object. + * + */ +struct private_tnccs_reason_strings_msg_t { + /** + * Public tnccs_reason_strings_msg_t interface. + */ + tnccs_reason_strings_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Reason String + */ + chunk_t reason; + + /** + * Reason Language + */ + chunk_t language; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_reason_strings_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_reason_strings_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_reason_strings_msg_t *this) +{ + free(this->reason.ptr); + free(this->language.ptr); + free(this); +} + +METHOD(tnccs_reason_strings_msg_t, get_reason, chunk_t, + private_tnccs_reason_strings_msg_t *this, chunk_t *language) +{ + *language = this->language; + + return this->reason; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_reason_strings_msg_t *this; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_reason = _get_reason, + }, + .type = TNCCS_MSG_REASON_STRINGS, + .node = node, + ); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language) +{ + private_tnccs_reason_strings_msg_t *this; + xmlNodePtr n, n2, n3; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_reason = _get_reason, + }, + .type = TNCCS_MSG_REASON_STRINGS, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .reason = chunk_create_clone(malloc(reason.len + 1), reason), + .language = chunk_create_clone(malloc(language.len + 1), language), + ); + + /* add NULL termination for XML string representation */ + this->reason.ptr[this->reason.len] = '\0'; + this->language.ptr[this->language.len] = '\0'; + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000004"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + + /* could add multiple reasons here, if we had them */ + n3 = xmlNewNode(NULL, BAD_CAST "ReasonString"); + xmlNewProp(n3, BAD_CAST "xml:lang", BAD_CAST this->language.ptr); + xmlNodeSetContent(n3, BAD_CAST this->reason.ptr); + xmlAddChild(n2, n3); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h new file mode 100644 index 000000000..0046a5789 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_reason_strings_msg tnccs_reason_strings_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_REASON_STRINGS_MSG_H_ +#define TNCCS_REASON_STRINGS_MSG_H_ + +typedef struct tnccs_reason_strings_msg_t tnccs_reason_strings_msg_t; + +#include "tnccs_msg.h" + +/** + * Class representing the TNCCS-ReasonStrings message type + */ +struct tnccs_reason_strings_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get reason string and language + * + * @param language reason language + * @return reason string + */ + chunk_t (*get_reason)(tnccs_reason_strings_msg_t *this, chunk_t *language); +}; + +/** + * Create a TNCCS-ReasonStrings message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-ReasonStrings message from parameters + * + * @param reason reason string + * @param language reason language + */ +tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language); + +#endif /** TNCCS_REASON_STRINGS_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c new file mode 100644 index 000000000..adc7b54b9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c @@ -0,0 +1,186 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_recommendation_msg.h" +#include "tnccs_error_msg.h" + +#include + +typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t; + +/** + * Private data of a tnccs_recommendation_msg_t object. + * + */ +struct private_tnccs_recommendation_msg_t { + /** + * Public tnccs_recommendation_msg_t interface. + */ + tnccs_recommendation_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Action Recommendation + */ + TNC_IMV_Action_Recommendation rec; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_recommendation_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_recommendation_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_recommendation_msg_t *this) +{ + free(this); +} + +METHOD(tnccs_recommendation_msg_t, get_recommendation, TNC_IMV_Action_Recommendation, + private_tnccs_recommendation_msg_t *this) +{ + return this->rec; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_recommendation_msg_t *this; + xmlChar *rec_string; + char *error_msg, buf[BUF_LEN]; + tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH; + tnccs_msg_t *msg; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_recommendation = _get_recommendation, + }, + .type = TNCCS_MSG_RECOMMENDATION, + .node = node, + ); + + rec_string = xmlGetProp(node, (const xmlChar*)"type"); + if (!rec_string) + { + error_msg = "type property in TNCCS-Recommendation is missing"; + goto fatal; + } + else if (streq((char*)rec_string, "allow")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + } + else if (streq((char*)rec_string, "isolate")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + } + else if (streq((char*)rec_string, "none")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } + else + { + error_msg = buf; + snprintf(buf, BUF_LEN, "unsupported type property value '%s' " + "in TNCCS-Recommendation", rec_string); + xmlFree(rec_string); + goto fatal; + } + xmlFree(rec_string); + + return &this->public.tnccs_msg_interface; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + errors->insert_last(errors, msg); + _destroy(this); + return NULL; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec) +{ + private_tnccs_recommendation_msg_t *this; + xmlNodePtr n, n2; + char *rec_string; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_recommendation = _get_recommendation, + }, + .type = TNCCS_MSG_RECOMMENDATION, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .rec = rec, + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000001"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + rec_string = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + rec_string = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + rec_string = "none"; + } + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNewProp(n2, BAD_CAST "type", BAD_CAST rec_string); + xmlNodeSetContent(n2, ""); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h new file mode 100644 index 000000000..685049e95 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_recommendation_msg tnccs_recommendation_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_RECOMMENDATION_MSG_H_ +#define TNCCS_RECOMMENDATION_MSG_H_ + +typedef struct tnccs_recommendation_msg_t tnccs_recommendation_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Class representing the TNCCS-Recommendation message type + */ +struct tnccs_recommendation_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get Action Recommendation + * + * @return Action Recommendation + */ + TNC_IMV_Action_Recommendation (*get_recommendation)(tnccs_recommendation_msg_t *this); +}; + +/** + * Create a TNCCS-Recommendation message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-Recommendation message from parameters + * + * @param rec Action Recommendation + */ +tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec); + +#endif /** TNCCS_RECOMMENDATION_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c new file mode 100644 index 000000000..b8aac30fa --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_tncs_contact_info_msg.h" + +#include + +typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t; + +/** + * Private data of a tnccs_tncs_contact_info_msg_t object. + * + */ +struct private_tnccs_tncs_contact_info_msg_t { + /** + * Public tnccs_tncs_contact_info_msg_t interface. + */ + tnccs_tncs_contact_info_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_tncs_contact_info_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_tncs_contact_info_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_tncs_contact_info_msg_t *this) +{ + free(this); +} + +/** + * See header + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_tncs_contact_info_msg_t *this; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + }, + .type = TNCCS_MSG_TNCS_CONTACT_INFO, + .node = node, + ); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void) +{ + private_tnccs_tncs_contact_info_msg_t *this; + xmlNodePtr n /*, n2 */; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + }, + .type = TNCCS_MSG_TNCS_CONTACT_INFO, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000005"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + +/* TODO + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNodeSetContent(n2, BAD_CAST language); + xmlAddChild(n, n2); +*/ + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h new file mode 100644 index 000000000..8ed210a57 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_tncs_contact_info_msg tnccs_tncs_contact_info_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_TNCS_CONTACT_INFO_MSG_H_ +#define TNCCS_TNCS_CONTACT_INFO_MSG_H_ + +typedef struct tnccs_tncs_contact_info_msg_t tnccs_tncs_contact_info_msg_t; + +#include "tnccs_msg.h" + +/** + * Class representing the TNCCS-TNCSContactInfo message type + */ +struct tnccs_tncs_contact_info_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; +}; + +/** + * Create a TNCCS-TNCSContactInfo message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-TNCSContactInfo message from parameters + * + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void); + +#endif /** TNCCS_TNCS_CONTACT_INFO_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c index 704bf64ed..2104bf401 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.c +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c @@ -14,81 +14,20 @@ */ #include "tnccs_11.h" - -#include -#include +#include "batch/tnccs_batch.h" +#include "messages/tnccs_msg.h" +#include "messages/imc_imv_msg.h" +#include "messages/tnccs_error_msg.h" +#include "messages/tnccs_preferred_language_msg.h" +#include "messages/tnccs_reason_strings_msg.h" +#include "messages/tnccs_recommendation_msg.h" #include #include - -#define TNC_SEND_BUFFER_SIZE 32 - -static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE]; - -/** - * Buffers TNCCS batch to be sent (TODO make the buffer scalable) - */ -static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len) -{ - if (id >= TNC_SEND_BUFFER_SIZE) - { - DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in " - "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); - return TNC_RESULT_FATAL; - } - if (tnc_send_buffer[id].ptr) - { - DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already " - "occupied", id); - return TNC_RESULT_FATAL; - } - tnc_send_buffer[id] = chunk_alloc(len); - memcpy(tnc_send_buffer[id].ptr, data, len); - - return TNC_RESULT_SUCCESS; -} - -/** - * Retrieves TNCCS batch to be sent - */ -static bool retrieve_batch(u_int32_t id, chunk_t *batch) -{ - if (id >= TNC_SEND_BUFFER_SIZE) - { - DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from " - "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); - return FALSE; - } - - *batch = tnc_send_buffer[id]; - return TRUE; -} - -/** - * Frees TNCCS batch that was sent - */ -static void free_batch(u_int32_t id) -{ - if (id < TNC_SEND_BUFFER_SIZE) - { - chunk_free(&tnc_send_buffer[id]); - } -} - -/** - * Define callback functions called by the libtnc library - */ -TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, - const char* messageBuffer, size_t messageLength) -{ - return buffer_batch(conn->connectionID, messageBuffer, messageLength); -} - -TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, - const char* messageBuffer, size_t messageLength) -{ - return buffer_batch(conn->connectionID, messageBuffer, messageLength); -} +#include +#include +#include +#include typedef struct private_tnccs_11_t private_tnccs_11_t; @@ -108,116 +47,372 @@ struct private_tnccs_11_t { bool is_server; /** - * TNCC Connection to IMCs + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * Last TNCCS batch ID + */ + int batch_id; + + /** + * TNCCS batch being constructed + */ + tnccs_batch_t *batch; + + /** + * Mutex locking the batch in construction */ - libtnc_tncc_connection* tncc_connection; + mutex_t *mutex; /** - * TNCS Connection to IMVs + * Flag set while processing */ - libtnc_tncs_connection* tncs_connection; + bool fatal_error; + + /** + * Flag set by TNCCS-Recommendation message + */ + bool delete_state; + + /** + * Flag set by IMC/IMV RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * Set of IMV recommendations (TNC Server only) + */ + recommendations_t *recs; }; -METHOD(tls_t, process, status_t, - private_tnccs_11_t *this, void *buf, size_t buflen) +METHOD(tnccs_t, send_msg, void, + private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) { - u_int32_t conn_id; + tnccs_msg_t *tnccs_msg; - if (this->is_server && !this->tncs_connection) + tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len)); + + /* adding an IMC-IMV Message to TNCCS batch */ + this->mutex->lock(this->mutex); + if (!this->batch) { - this->tncs_connection = libtnc_tncs_CreateConnection(NULL); - if (!this->tncs_connection) + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + } + this->batch->add_msg(this->batch, tnccs_msg); + this->mutex->unlock(this->mutex); +} + +/** + * Handle a single TNCCS message according to its type + */ +static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg) +{ + switch (msg->get_type(msg)) + { + case IMC_IMV_MSG: { - DBG1(DBG_TNC, "TNCS CreateConnection failed"); - return FAILED; + imc_imv_msg_t *imc_imv_msg; + TNC_MessageType msg_type; + chunk_t msg_body; + + imc_imv_msg = (imc_imv_msg_t*)msg; + msg_type = imc_imv_msg->get_msg_type(imc_imv_msg); + msg_body = imc_imv_msg->get_msg_body(imc_imv_msg); + + DBG2(DBG_TNC, "handling IMC_IMV message type 0x%08x", msg_type); + + if (this->is_server) + { + charon->imvs->receive_message(charon->imvs, + this->connection_id, msg_body.ptr, msg_body.len, msg_type); + } + else + { + charon->imcs->receive_message(charon->imcs, + this->connection_id, msg_body.ptr, msg_body.len,msg_type); + } + break; + } + case TNCCS_MSG_RECOMMENDATION: + { + tnccs_recommendation_msg_t *rec_msg; + TNC_IMV_Action_Recommendation rec; + TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; + + rec_msg = (tnccs_recommendation_msg_t*)msg; + rec = rec_msg->get_recommendation(rec_msg); + if (this->is_server) + { + DBG1(DBG_TNC, "ignoring NCCS-Recommendation message from " + " TNC client"); + break; + } + DBG1(DBG_TNC, "TNC recommendation is '%N'", + TNC_IMV_Action_Recommendation_names, rec); + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + default: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + } + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, state); + this->delete_state = TRUE; + break; + } + case TNCCS_MSG_ERROR: + { + tnccs_error_msg_t *err_msg; + tnccs_error_type_t error_type; + char *error_msg; + + err_msg = (tnccs_error_msg_t*)msg; + error_msg = err_msg->get_message(err_msg, &error_type); + DBG1(DBG_TNC, "received '%N' TNCCS-Error: %s", + tnccs_error_type_names, error_type, error_msg); + + /* we assume that all errors are fatal */ + this->fatal_error = TRUE; + break; } - DBG1(DBG_TNC, "assigned TNCS Connection ID %u", - this->tncs_connection->connectionID); - if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS) + case TNCCS_MSG_PREFERRED_LANGUAGE: + { + tnccs_preferred_language_msg_t *lang_msg; + char *lang; + + lang_msg = (tnccs_preferred_language_msg_t*)msg; + lang = lang_msg->get_preferred_language(lang_msg); + + DBG2(DBG_TNC, "setting preferred language to '%s'", lang); + this->recs->set_preferred_language(this->recs, + chunk_create(lang, strlen(lang))); + break; + } + case TNCCS_MSG_REASON_STRINGS: + { + tnccs_reason_strings_msg_t *reason_msg; + chunk_t reason_string, reason_lang; + + reason_msg = (tnccs_reason_strings_msg_t*)msg; + reason_string = reason_msg->get_reason(reason_msg, &reason_lang); + DBG2(DBG_TNC, "reason string is '%.*s", reason_string.len, + reason_string.ptr); + DBG2(DBG_TNC, "reason language is '%.*s", reason_lang.len, + reason_lang.ptr); + break; + } + default: + break; + } +} + +METHOD(tls_t, process, status_t, + private_tnccs_11_t *this, void *buf, size_t buflen) +{ + chunk_t data; + tnccs_batch_t *batch; + tnccs_msg_t *msg; + enumerator_t *enumerator; + status_t status; + + if (this->is_server && !this->connection_id) + { + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, &this->recs); + if (!this->connection_id) { - DBG1(DBG_TNC, "TNCS BeginSession failed"); return FAILED; } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); } - conn_id = this->is_server ? this->tncs_connection->connectionID - : this->tncc_connection->connectionID; + data = chunk_create(buf, buflen); DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u", - buflen, conn_id); - DBG3(DBG_TNC, "%.*s", buflen, buf); + data.len, this->connection_id); + DBG3(DBG_TNC, "%.*s", data.len, data.ptr); + batch = tnccs_batch_create_from_data(this->is_server, ++this->batch_id, data); + status = batch->process(batch); - if (this->is_server) + if (status == FAILED) { - if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) != - TNC_RESULT_SUCCESS) + this->fatal_error = TRUE; + this->mutex->lock(this->mutex); + if (this->batch) { - DBG1(DBG_TNC, "TNCS ReceiveBatch failed"); - return FAILED; + DBG1(DBG_TNC, "cancelling TNCCS batch"); + this->batch->destroy(this->batch); + this->batch_id--; + } + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + + /* add error messages to outbound batch */ + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->batch->add_msg(this->batch, msg->get_ref(msg)); } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); } else { - if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) != - TNC_RESULT_SUCCESS) + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) { - DBG1(DBG_TNC, "TNCC ReceiveBatch failed"); + handle_message(this, msg); + } + enumerator->destroy(enumerator); + + /* received any TNCCS-Error messages */ + if (this->fatal_error) + { + DBG1(DBG_TNC, "a fatal TNCCS-Error occurred, terminating connection"); + batch->destroy(batch); return FAILED; } + + if (this->is_server) + { + charon->imvs->batch_ending(charon->imvs, this->connection_id); + } + else + { + charon->imcs->batch_ending(charon->imcs, this->connection_id); + } } + batch->destroy(batch); + return NEED_MORE; } -METHOD(tls_t, build, status_t, - private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +/** + * Add a recommendation message if a final recommendation is available + */ +static void check_and_build_recommendation(private_tnccs_11_t *this) { - chunk_t batch; - u_int32_t conn_id; - size_t len; + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_IMVID id; + chunk_t reason, language; + enumerator_t *enumerator; + tnccs_msg_t *msg; - if (!this->is_server && !this->tncc_connection) + if (!this->recs->have_recommendation(this->recs, &rec, &eval)) + { + charon->imvs->solicit_recommendation(charon->imvs, this->connection_id); + } + if (this->recs->have_recommendation(this->recs, &rec, &eval)) { - this->tncc_connection = libtnc_tncc_CreateConnection(NULL); - if (!this->tncc_connection) + if (!this->batch) { - DBG1(DBG_TNC, "TNCC CreateConnection failed"); - return FAILED; + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); } - DBG1(DBG_TNC, "assigned TNCC Connection ID %u", - this->tncc_connection->connectionID); - if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS) + + msg = tnccs_recommendation_msg_create(rec); + this->batch->add_msg(this->batch, msg); + + /* currently we just send the first Reason String */ + enumerator = this->recs->create_reason_enumerator(this->recs); + if (enumerator->enumerate(enumerator, &id, &reason, &language)) { - DBG1(DBG_TNC, "TNCC BeginSession failed"); - return FAILED; + msg = tnccs_reason_strings_msg_create(reason, language); + this->batch->add_msg(this->batch, msg); } + enumerator->destroy(enumerator); + + /* we have reache the final state */ + this->delete_state = TRUE; } - conn_id = this->is_server ? this->tncs_connection->connectionID - : this->tncc_connection->connectionID; - - if (!retrieve_batch(conn_id, &batch)) +} + +METHOD(tls_t, build, status_t, + private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + status_t status; + + /* Initialize the connection */ + if (!this->is_server && !this->connection_id) { - return FAILED; + tnccs_msg_t *msg; + char *pref_lang; + + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, NULL); + if (!this->connection_id) + { + return FAILED; + } + + /* Create TNCCS-PreferredLanguage message */ + pref_lang = charon->imcs->get_preferred_language(charon->imcs); + msg = tnccs_preferred_language_msg_create(pref_lang); + this->mutex->lock(this->mutex); + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + this->batch->add_msg(this->batch, msg); + this->mutex->unlock(this->mutex); + + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); } - len = *buflen; - len = min(len, batch.len); - *buflen = len; - if (msglen) + + /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->is_server && !this->delete_state && + (!this->batch || this->fatal_error)) { - *msglen = batch.len; + check_and_build_recommendation(this); } - if (batch.len) + if (this->batch) { + chunk_t data; + + this->batch->build(this->batch); + data = this->batch->get_encoding(this->batch); DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u", - batch.len, conn_id); - DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr); - memcpy(buf, batch.ptr, len); - free_batch(conn_id); - return ALREADY_DONE; + data.len, this->connection_id); + DBG3(DBG_TNC, "%.*s", data.len, data.ptr); + *msglen = data.len; + + if (data.len > *buflen) + { + DBG1(DBG_TNC, "fragmentation of TNCCS batch not supported yet"); + } + else + { + *buflen = data.len; + } + memcpy(buf, data.ptr, *buflen); + this->batch->destroy(this->batch); + this->batch = NULL; + status = ALREADY_DONE; } else { - return INVALID_STATE; + DBG1(DBG_TNC, "no TNCCS Batch to send"); + status = INVALID_STATE; } + this->mutex->unlock(this->mutex); + + return status; } METHOD(tls_t, is_server, bool, @@ -237,39 +432,14 @@ METHOD(tls_t, is_complete, bool, { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; - char *group; - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - - if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) == - TNC_RESULT_SUCCESS) + + if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - switch (rec) - { - case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: - DBG1(DBG_TNC, "TNC recommendation is allow"); - group = "allow"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: - DBG1(DBG_TNC, "TNC recommendation is isolate"); - group = "isolate"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: - case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: - default: - DBG1(DBG_TNC, "TNC recommendation is none"); - return FALSE; - } - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) - { - auth = ike_sa->get_auth_cfg(ike_sa, FALSE); - id = identification_create_from_string(group); - auth->add(auth, AUTH_RULE_GROUP, id); - DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group); - } - return TRUE; + DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + return charon->imvs->enforce_recommendation(charon->imvs, rec); } else { @@ -288,19 +458,17 @@ METHOD(tls_t, destroy, void, { if (this->is_server) { - if (this->tncs_connection) - { - libtnc_tncs_DeleteConnection(this->tncs_connection); - } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); } else { - if (this->tncc_connection) - { - libtnc_tncc_DeleteConnection(this->tncc_connection); - } - libtnc_tncc_Terminate(); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); } + charon->tnccs->remove_connection(charon->tnccs, this->connection_id); + this->mutex->destroy(this->mutex); + DESTROY_IF(this->batch); free(this); } @@ -322,6 +490,7 @@ tls_t *tnccs_11_create(bool is_server) .destroy = _destroy, }, .is_server = is_server, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); return &this->public; diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am index 3018121e3..d72fd3e34 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.am +++ b/src/libcharon/plugins/tnccs_20/Makefile.am @@ -1,21 +1,28 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic -libstrongswan_tnccs_20_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-20.la else plugin_LTLIBRARIES = libstrongswan-tnccs-20.la -libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la endif libstrongswan_tnccs_20_la_SOURCES = \ - tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ + messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ + messages/pb_experimental_msg.h messages/pb_experimental_msg.c \ + messages/pb_pa_msg.h messages/pb_pa_msg.c \ + messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \ + messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \ + messages/pb_error_msg.h messages/pb_error_msg.c \ + messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \ + messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \ + messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \ + state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version - diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in index 6101f91df..9853be338 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.in +++ b/src/libcharon/plugins/tnccs_20/Makefile.in @@ -34,7 +34,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la subdir = src/libcharon/plugins/tnccs_20 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -75,8 +74,14 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1) -am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo +@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ + pb_tnc_batch.lo pb_tnc_msg.lo pb_experimental_msg.lo \ + pb_pa_msg.lo pb_assessment_result_msg.lo \ + pb_access_recommendation_msg.lo pb_error_msg.lo \ + pb_language_preference_msg.lo pb_reason_string_msg.lo \ + pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo libstrongswan_tnccs_20_la_OBJECTS = \ $(am_libstrongswan_tnccs_20_la_OBJECTS) libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ @@ -223,9 +228,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +267,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -275,15 +280,25 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic -libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1) @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la libstrongswan_tnccs_20_la_SOURCES = \ - tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ + messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ + messages/pb_experimental_msg.h messages/pb_experimental_msg.c \ + messages/pb_pa_msg.h messages/pb_pa_msg.c \ + messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \ + messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \ + messages/pb_error_msg.h messages/pb_error_msg.c \ + messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \ + messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \ + messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \ + state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version all: all-am @@ -369,6 +384,17 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_assessment_result_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_error_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_experimental_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_language_preference_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_pa_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_batch.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ @@ -393,6 +419,83 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +pb_tnc_batch.lo: batch/pb_tnc_batch.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c + +pb_tnc_msg.lo: messages/pb_tnc_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c + +pb_experimental_msg.lo: messages/pb_experimental_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c + +pb_pa_msg.lo: messages/pb_pa_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c + +pb_assessment_result_msg.lo: messages/pb_assessment_result_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c + +pb_access_recommendation_msg.lo: messages/pb_access_recommendation_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c + +pb_error_msg.lo: messages/pb_error_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c + +pb_language_preference_msg.lo: messages/pb_language_preference_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c + +pb_reason_string_msg.lo: messages/pb_reason_string_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c + +pb_remediation_parameters_msg.lo: messages/pb_remediation_parameters_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c + +pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c new file mode 100644 index 000000000..3f38543ed --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c @@ -0,0 +1,543 @@ +/* + * Copyright (C) 2010 Sansar Choinyanbuu + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_batch.h" +#include "messages/pb_error_msg.h" +#include "state_machine/pb_tnc_state_machine.h" + +#include +#include +#include +#include +#include + +ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE, + "CDATA", + "SDATA", + "RESULT", + "CRETRY", + "SRETRY", + "CLOSE" +); + +typedef struct private_pb_tnc_batch_t private_pb_tnc_batch_t; + +/** + * PB-Batch Header (see section 4.1 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Version |D| Reserved | B-Type| + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Batch Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_TNC_BATCH_FLAG_NONE 0x00 +#define PB_TNC_BATCH_FLAG_D (1<<7) +#define PB_TNC_BATCH_HEADER_SIZE 8 + +/** + * PB-TNC Message (see section 4.2 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | PB-TNC Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message Value (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_TNC_FLAG_NONE 0x00 +#define PB_TNC_FLAG_NOSKIP (1<<7) +#define PB_TNC_HEADER_SIZE 12 + +#define PB_TNC_RESERVED_MSG_TYPE 0xffffffff + +/** + * Private data of a pb_tnc_batch_t object. + * + */ +struct private_pb_tnc_batch_t { + /** + * Public pb_pa_msg_t interface. + */ + pb_tnc_batch_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * PB-TNC Batch type + */ + pb_tnc_batch_type_t type; + + /** + * linked list of PB-TNC messages + */ + linked_list_t *messages; + + /** + * linked list of PB-TNC error messages + */ + linked_list_t *errors; + + /** + * Encoded message + */ + chunk_t encoding; + + /** + * Offset into encoding (used for error reporting) + */ + u_int32_t offset; +}; + +METHOD(pb_tnc_batch_t, get_type, pb_tnc_batch_type_t, + private_pb_tnc_batch_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_batch_t, get_encoding, chunk_t, + private_pb_tnc_batch_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_batch_t, add_msg, void, + private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg) +{ + DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names, + msg->get_type(msg)); + this->messages->insert_last(this->messages, msg); +} + +METHOD(pb_tnc_batch_t, build, void, + private_pb_tnc_batch_t *this) +{ + u_int32_t batch_len, msg_len; + chunk_t msg_value; + enumerator_t *enumerator; + pb_tnc_msg_type_t msg_type; + pb_tnc_msg_t *msg; + tls_writer_t *writer; + + /* compute total PB-TNC batch size by summing over all messages */ + batch_len = PB_TNC_BATCH_HEADER_SIZE; + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + msg->build(msg); + msg_value = msg->get_encoding(msg); + batch_len += PB_TNC_HEADER_SIZE + msg_value.len; + } + enumerator->destroy(enumerator); + + /* build PB-TNC batch header */ + writer = tls_writer_create(batch_len); + writer->write_uint8 (writer, PB_TNC_VERSION); + writer->write_uint8 (writer, this->is_server ? + PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE); + writer->write_uint16(writer, this->type); + writer->write_uint32(writer, batch_len); + + /* build PB-TNC messages */ + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + u_int8_t flags = PB_TNC_FLAG_NONE; + + /* build PB-TNC message */ + msg_value = msg->get_encoding(msg); + msg_len = PB_TNC_HEADER_SIZE + msg_value.len; + msg_type = msg->get_type(msg); + if (pb_tnc_msg_infos[msg_type].has_noskip_flag) + { + flags |= PB_TNC_FLAG_NOSKIP; + } + writer->write_uint8 (writer, flags); + writer->write_uint24(writer, IETF_VENDOR_ID); + writer->write_uint32(writer, msg_type); + writer->write_uint32(writer, msg_len); + writer->write_data (writer, msg_value); + } + enumerator->destroy(enumerator); + + this->encoding = chunk_clone(writer->get_buf(writer)); + writer->destroy(writer); +} + +static status_t process_batch_header(private_pb_tnc_batch_t *this, + pb_tnc_state_machine_t *state_machine) +{ + tls_reader_t *reader; + pb_tnc_msg_t *msg; + pb_error_msg_t *err_msg; + u_int8_t version, flags, reserved, type; + u_int32_t batch_len; + bool directionality; + + if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC batch header", + this->encoding.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 0); + goto fatal; + } + + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &version); + reader->read_uint8 (reader, &flags); + reader->read_uint8 (reader, &reserved); + reader->read_uint8 (reader, &type); + reader->read_uint32(reader, &batch_len); + reader->destroy(reader); + + /* Version */ + if (version != PB_TNC_VERSION) + { + DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version); + msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID, + PB_ERROR_VERSION_NOT_SUPPORTED); + err_msg = (pb_error_msg_t*)msg; + err_msg->set_bad_version(err_msg, version); + goto fatal; + } + + /* Directionality */ + directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE; + if (directionality == this->is_server) + { + DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s", + directionality ? "server" : "client"); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 1); + goto fatal; + } + + /* Batch Type */ + this->type = type & 0x0F; + if (this->type > PB_BATCH_ROOF) + { + DBG1(DBG_TNC, "unknown PB-TNC batch type: %d", this->type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 3); + goto fatal; + } + + if (!state_machine->receive_batch(state_machine, this->type)) + { + DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N", + pb_tnc_batch_type_names, this->type); + msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID, + PB_ERROR_UNEXPECTED_BATCH_TYPE); + goto fatal; + } + + /* Batch Length */ + if (this->encoding.len != batch_len) + { + DBG1(DBG_TNC, "%u bytes of data is not equal to batch length of %u bytes", + this->encoding.len, batch_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 4); + goto fatal; + } + + this->offset = PB_TNC_BATCH_HEADER_SIZE; + return SUCCESS; + +fatal: + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +static status_t process_tnc_msg(private_pb_tnc_batch_t *this) +{ + tls_reader_t *reader; + pb_tnc_msg_t *pb_tnc_msg, *msg; + u_int8_t flags; + u_int32_t vendor_id, msg_type, msg_len, offset; + chunk_t data, msg_value; + bool noskip_flag; + status_t status; + + data = chunk_skip(this->encoding, this->offset); + + if (data.len < PB_TNC_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message header", + data.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + + reader = tls_reader_create(data); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &vendor_id); + reader->read_uint32(reader, &msg_type); + reader->read_uint32(reader, &msg_len); + reader->destroy(reader); + + noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE; + + if (msg_len > data.len) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 8); + goto fatal; + } + + if (vendor_id == RESERVED_VENDOR_ID) + { + DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 1); + goto fatal; + + } + + if (msg_type == PB_TNC_RESERVED_MSG_TYPE) + { + DBG1(DBG_TNC, "PB-TNC message Type 0x%08x is reserved", + PB_TNC_RESERVED_MSG_TYPE); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 4); + goto fatal; + } + + + if (vendor_id != IETF_VENDOR_ID || msg_type > PB_MSG_ROOF) + { + if (msg_len < PB_TNC_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes too small for PB-TNC message length", + msg_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 8); + goto fatal; + } + + if (noskip_flag) + { + DBG1(DBG_TNC, "reject PB-TNC message (Vendor ID 0x%06x / " + "Type 0x%08x)", vendor_id, msg_type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset); + goto fatal; + } + else + { + DBG1(DBG_TNC, "ignore PB-TNC message (Vendor ID 0x%06x / " + "Type 0x%08x)", vendor_id, msg_type); + this->offset += msg_len; + return SUCCESS; + } + } + else + { + if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE && + pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag) + { + DBG1(DBG_TNC, "%N message must%s have NOSKIP flag set", + pb_tnc_msg_type_names, msg_type, + pb_tnc_msg_infos[msg_type].has_noskip_flag ? "" : " not"); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + + if (msg_len < pb_tnc_msg_infos[msg_type].min_size || + (pb_tnc_msg_infos[msg_type].exact_size && + msg_len != pb_tnc_msg_infos[msg_type].min_size)) + { + DBG1(DBG_TNC, "%N message length must be %s %u bytes but is %u bytes", + pb_tnc_msg_type_names, msg_type, + pb_tnc_msg_infos[msg_type].exact_size ? "exactly" : "at least", + pb_tnc_msg_infos[msg_type].min_size, msg_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + } + + if (pb_tnc_msg_infos[msg_type].in_result_batch && + this->type != PB_BATCH_RESULT) + { + if (this->is_server) + { + DBG1(DBG_TNC,"reject %N message received from a PB-TNC client", + pb_tnc_msg_type_names, msg_type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + else + { + DBG1(DBG_TNC,"ignore %N message not received within RESULT batch", + pb_tnc_msg_type_names, msg_type); + this->offset += msg_len; + return SUCCESS; + } + } + + DBG2(DBG_TNC, "processing %N message (%u bytes)", pb_tnc_msg_type_names, + msg_type, msg_len); + data.len = msg_len; + msg_value = chunk_skip(data, PB_TNC_HEADER_SIZE); + pb_tnc_msg = pb_tnc_msg_create_from_data(msg_type, msg_value); + + status = pb_tnc_msg->process(pb_tnc_msg, &offset); + if (status == FAILED || status == VERIFY_ERROR) + { + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + this->errors->insert_last(this->errors, msg); + } + if (status == FAILED) + { + pb_tnc_msg->destroy(pb_tnc_msg); + return FAILED; + } + this->messages->insert_last(this->messages, pb_tnc_msg); + this->offset += msg_len; + return status; + +fatal: + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +METHOD(pb_tnc_batch_t, process, status_t, + private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine) +{ + status_t status; + + status = process_batch_header(this, state_machine); + if (status != SUCCESS) + { + return FAILED; + } + DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names, + this->type); + while (this->offset < this->encoding.len) + { + switch (process_tnc_msg(this)) + { + case FAILED: + return FAILED; + case VERIFY_ERROR: + status = VERIFY_ERROR; + break; + case SUCCESS: + default: + break; + } + } + return status; +} + +METHOD(pb_tnc_batch_t, create_msg_enumerator, enumerator_t*, + private_pb_tnc_batch_t *this) +{ + return this->messages->create_enumerator(this->messages); +} + +METHOD(pb_tnc_batch_t, create_error_enumerator, enumerator_t*, + private_pb_tnc_batch_t *this) +{ + return this->errors->create_enumerator(this->errors); +} + +METHOD(pb_tnc_batch_t, destroy, void, + private_pb_tnc_batch_t *this) +{ + this->messages->destroy_offset(this->messages, + offsetof(pb_tnc_msg_t, destroy)); + this->errors->destroy_offset(this->errors, + offsetof(pb_tnc_msg_t, destroy)); + free(this->encoding.ptr); + free(this); +} + +/** + * See header + */ +pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type) +{ + private_pb_tnc_batch_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .type = type, + .messages = linked_list_create(), + .errors = linked_list_create(), + ); + + DBG2(DBG_TNC, "creating PB-TNC %N batch", pb_tnc_batch_type_names, type); + + return &this->public; +} + +/** + * See header + */ +pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data) +{ + private_pb_tnc_batch_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .messages = linked_list_create(), + .errors = linked_list_create(), + .encoding = chunk_clone(data), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h new file mode 100644 index 000000000..17e5fff4c --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_tnc_batch pb_tnc_batch + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_TNC_BATCH_H_ +#define PB_TNC_BATCH_H_ + +typedef enum pb_tnc_batch_type_t pb_tnc_batch_type_t; +typedef struct pb_tnc_batch_t pb_tnc_batch_t; + +#include "messages/pb_tnc_msg.h" +#include "state_machine/pb_tnc_state_machine.h" + +#include + +/** + * PB-TNC Batch Types as defined in section 4.1 of RFC 5793 + */ +enum pb_tnc_batch_type_t { + PB_BATCH_CDATA = 1, + PB_BATCH_SDATA = 2, + PB_BATCH_RESULT = 3, + PB_BATCH_CRETRY = 4, + PB_BATCH_SRETRY = 5, + PB_BATCH_CLOSE = 6, + PB_BATCH_ROOF = 6 +}; + +/** + * enum name for pb_tnc_batch_type_t. + */ +extern enum_name_t *pb_tnc_batch_type_names; + +/** + * Interface for all PB-TNC Batch Types. + */ +struct pb_tnc_batch_t { + + /** + * Get the PB-TNC Message Type + * + * @return PB-TNC batch type + */ + pb_tnc_batch_type_t (*get_type)(pb_tnc_batch_t *this); + + /** + * Get the encoding of the PB-TNC Batch + * + * @return encoded PB-TNC batch + */ + chunk_t (*get_encoding)(pb_tnc_batch_t *this); + + /** + * Add a PB-TNC Message + * + * @param msg PB-TNC message to be addedd + */ + void (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg); + + /** + * Build the PB-TNC Batch + */ + void (*build)(pb_tnc_batch_t *this); + + /** + * Process the PB-TNC Batch + * + * @param PB-TNC state machine + * @return return processing status + */ + status_t (*process)(pb_tnc_batch_t *this, + pb_tnc_state_machine_t *state_machine); + + /** + * Enumerates over all PB-TNC Messages + * + * @return return message enumerator + */ + enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this); + + /** + * Enumerates over all parsing errors + * + * @return return error enumerator + */ + enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this); + + /** + * Destroys a pb_tnc_batch_t object. + */ + void (*destroy)(pb_tnc_batch_t *this); +}; + +/** + * Create an empty PB-TNC Batch of a given type + * + * @param is_server TRUE if server, FALSE if client + * @param type PB-TNC batch type + */ +pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type); + +/** + * Create an unprocessed PB-TNC Batch from data + * + * @param is_server TRUE if server, FALSE if client + * @param data encoded PB-TNC batch + */ +pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data); + +#endif /** PB_TNC_BATCH_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c new file mode 100644 index 000000000..41b9e31f6 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c @@ -0,0 +1,180 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_access_recommendation_msg.h" + +#include +#include +#include + +ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED, + "Access Allowed", + "Access Denied", + "Quarantined" +); + +typedef struct private_pb_access_recommendation_msg_t private_pb_access_recommendation_msg_t; + +/** + * PB-Access-Recommendation message (see section 4.7 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Access Recommendation Code | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ACCESS_RECOMMENDATION_RESERVED 0x0000 +#define ACCESS_RECOMMENDATION_MSG_SIZE 4 +/** + * Private data of a pb_access_recommendation_msg_t object. + * + */ +struct private_pb_access_recommendation_msg_t { + /** + * Public pb_access_recommendation_msg_t interface. + */ + pb_access_recommendation_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Access recommendation code + */ + u_int16_t recommendation; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_access_recommendation_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(ACCESS_RECOMMENDATION_MSG_SIZE); + writer->write_uint16(writer, ACCESS_RECOMMENDATION_RESERVED); + writer->write_uint16(writer, this->recommendation); + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_access_recommendation_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + u_int16_t reserved; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint16(reader, &reserved); + reader->read_uint16(reader, &this->recommendation); + reader->destroy(reader); + + if (this->recommendation < PB_REC_ACCESS_ALLOWED || + this->recommendation > PB_REC_QUARANTINED) + { + DBG1(DBG_TNC, "invalid access recommendation code (%u)", + this->recommendation); + *offset = 2; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_access_recommendation_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +METHOD(pb_access_recommendation_msg_t, get_access_recommendation, u_int16_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->recommendation; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_access_recommendation_msg_create_from_data(chunk_t data) +{ + private_pb_access_recommendation_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_access_recommendation = _get_access_recommendation, + }, + .type = PB_MSG_ACCESS_RECOMMENDATION, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_access_recommendation_msg_create(u_int16_t recommendation) +{ + private_pb_access_recommendation_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_access_recommendation = _get_access_recommendation, + }, + .type = PB_MSG_ACCESS_RECOMMENDATION, + .recommendation = recommendation, + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h new file mode 100644 index 000000000..01b83cfd7 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_access_recommendation_msg pb_access_recommendation_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_ACCESS_RECOMMENDATION_MSG_H_ +#define PB_ACCESS_RECOMMENDATION_MSG_H_ + +typedef enum pb_access_recommendation_code_t pb_access_recommendation_code_t; +typedef struct pb_access_recommendation_msg_t pb_access_recommendation_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PB Access Recommendation Codes as defined in section 4.7 of RFC 5793 + */ +enum pb_access_recommendation_code_t { + PB_REC_ACCESS_ALLOWED = 1, + PB_REC_ACCESS_DENIED = 2, + PB_REC_QUARANTINED = 3, +}; + +/** + * enum name for pb_access_recommendation_code_t. + */ +extern enum_name_t *pb_access_recommendation_code_names; + + +/** + * Class representing the PB-Access-Recommendation message type. + */ +struct pb_access_recommendation_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PB Access Recommendation + * + * @return PB Access Recommendation + */ + u_int16_t (*get_access_recommendation)(pb_access_recommendation_msg_t *this); +}; + +/** + * Create a PB-Access-Recommendation message from parameters + * + * @param recommendation Access Recommendation code + */ +pb_tnc_msg_t* pb_access_recommendation_msg_create(u_int16_t recommendation); + +/** + * Create an unprocessed PB-Access-Recommendation message from raw data + * + * @param data PB-Access-Recommendation message data + */ +pb_tnc_msg_t* pb_access_recommendation_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c new file mode 100644 index 000000000..c91e54176 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c @@ -0,0 +1,172 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_assessment_result_msg.h" + +#include +#include +#include +#include + +typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t; + +/** + * PB-Assessment-Result message (see section 4.6 of RFC 5793) + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Assessment Result | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ASSESSMENT_RESULT_MSG_SIZE 4 + +/** + * Private data of a pb_assessment_result_msg_t object. + * + */ +struct private_pb_assessment_result_msg_t { + /** + * Public pb_assessment_result_msg_t interface. + */ + pb_assessment_result_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Assessment result code + */ + u_int32_t assessment_result; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_assessment_result_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_assessment_result_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_assessment_result_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(ASSESSMENT_RESULT_MSG_SIZE); + writer->write_uint32(writer, this->assessment_result); + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_assessment_result_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint32(reader, &this->assessment_result); + reader->destroy(reader); + + if (this->assessment_result < TNC_IMV_EVALUATION_RESULT_COMPLIANT || + this->assessment_result > TNC_IMV_EVALUATION_RESULT_DONT_KNOW) + { + DBG1(DBG_TNC, "invalid assessment result (%u)", + this->assessment_result); + *offset = 0; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_assessment_result_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +METHOD(pb_assessment_result_msg_t, get_assessment_result, u_int32_t, + private_pb_assessment_result_msg_t *this) +{ + return this->assessment_result; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_assessment_result_msg_create_from_data(chunk_t data) +{ + private_pb_assessment_result_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_assessment_result = _get_assessment_result, + }, + .type = PB_MSG_ASSESSMENT_RESULT, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_assessment_result_msg_create(u_int32_t assessment_result) +{ + private_pb_assessment_result_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_assessment_result = _get_assessment_result, + }, + .type = PB_MSG_ASSESSMENT_RESULT, + .assessment_result = assessment_result, + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h new file mode 100644 index 000000000..d2b005114 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_assessment_result_msg pb_assessment_result_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_ASSESSMENT_RESULT_MSG_H_ +#define PB_ASSESSMENT_RESULT_MSG_H_ + +typedef struct pb_assessment_result_msg_t pb_assessment_result_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Assessment-Result message type. + */ +struct pb_assessment_result_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PB Assessment result + * + * @return PB Assessment result + */ + u_int32_t (*get_assessment_result)(pb_assessment_result_msg_t *this); +}; + +/** + * Create a PB-Assessment-Result message from parameters + * + * @param assessment_result Assessment result code + */ +pb_tnc_msg_t* pb_assessment_result_msg_create(u_int32_t assessment_result); + +/** + * Create an unprocessed PB-Assessment-Result message from raw data + * + * @param data PB-Assessment-Result message data + */ +pb_tnc_msg_t* pb_assessment_result_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c new file mode 100644 index 000000000..e1755c512 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c @@ -0,0 +1,346 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_error_msg.h" + +#include +#include +#include +#include + +ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE, + PB_ERROR_VERSION_NOT_SUPPORTED, + "Unexpected Batch Type", + "Invalid Parameter", + "Local Error", + "Unsupported Mandatory Message", + "Version Not Supported" +); + +typedef struct private_pb_error_msg_t private_pb_error_msg_t; + +/** + * PB-Error message (see section 4.9 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | Error Code Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Error Code | Reserved | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Error Parameters (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ERROR_FLAG_NONE 0x00 +#define ERROR_FLAG_FATAL (1<<7) +#define ERROR_RESERVED 0x0000 +#define ERROR_HEADER_SIZE 8 + +/** + * Private data of a pb_error_msg_t object. + * + */ +struct private_pb_error_msg_t { + /** + * Public pb_error_msg_t interface. + */ + pb_error_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Fatal flag + */ + bool fatal; + + /** + * PB Error Code Vendor ID + */ + u_int32_t vendor_id; + + /** + * PB Error Code + */ + u_int16_t error_code; + + /** + * PB Error Offset + */ + u_int32_t error_offset; + + /** + * Bad PB-TNC version received + */ + u_int8_t bad_version; + + /** + * Encoded message + */ + chunk_t encoding; + + /** + * reference count + */ + refcount_t ref; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_error_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_error_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_error_msg_t *this) +{ + tls_writer_t *writer; + + /* build message header */ + writer = tls_writer_create(ERROR_HEADER_SIZE); + writer->write_uint8 (writer, this->fatal ? + ERROR_FLAG_FATAL : ERROR_FLAG_NONE); + writer->write_uint24(writer, this->vendor_id); + writer->write_uint16(writer, this->error_code); + writer->write_uint16(writer, ERROR_RESERVED); + + /* build message body */ + if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED) + { + /* Bad version */ + writer->write_uint8(writer, this->bad_version); + writer->write_uint8(writer, PB_TNC_VERSION); /* Max version */ + writer->write_uint8(writer, PB_TNC_VERSION); /* Min version */ + writer->write_uint8(writer, 0x00); /* Reserved */ + } + else + { + /* Error Offset */ + writer->write_uint32(writer, this->error_offset); + } + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_error_msg_t *this, u_int32_t *offset) +{ + u_int8_t flags, max_version, min_version; + u_int16_t reserved; + tls_reader_t *reader; + + if (this->encoding.len < ERROR_HEADER_SIZE) + { + DBG1(DBG_TNC,"%N message is shorter than header size of %u bytes", + pb_tnc_msg_type_names, PB_MSG_ERROR, ERROR_HEADER_SIZE); + return FAILED; + } + + /* process message header */ + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &this->vendor_id); + reader->read_uint16(reader, &this->error_code); + reader->read_uint16(reader, &reserved); + this->fatal = (flags & ERROR_FLAG_FATAL) != ERROR_FLAG_NONE; + + if (this->vendor_id == IETF_VENDOR_ID && reader->remaining(reader) == 4) + { + if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED) + { + reader->read_uint8(reader, &this->bad_version); + reader->read_uint8(reader, &max_version); + reader->read_uint8(reader, &min_version); + } + else + { + reader->read_uint32(reader, &this->error_offset); + } + } + reader->destroy(reader); + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, get_ref, pb_tnc_msg_t*, + private_pb_error_msg_t *this) +{ + ref_get(&this->ref); + return &this->public.pb_interface; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_error_msg_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->encoding.ptr); + free(this); + } +} + +METHOD(pb_error_msg_t, get_fatal_flag, bool, + private_pb_error_msg_t *this) +{ + return this->fatal; +} + +METHOD(pb_error_msg_t, get_vendor_id, u_int32_t, + private_pb_error_msg_t *this) +{ + return this->vendor_id; +} + +METHOD(pb_error_msg_t, get_error_code, u_int16_t, + private_pb_error_msg_t *this) +{ + return this->error_code; +} + +METHOD(pb_error_msg_t, get_offset, u_int32_t, + private_pb_error_msg_t *this) +{ + return this->error_offset; +} + +METHOD(pb_error_msg_t, get_bad_version, u_int8_t, + private_pb_error_msg_t *this) +{ + return this->bad_version; +} + +METHOD(pb_error_msg_t, set_bad_version, void, + private_pb_error_msg_t *this, u_int8_t version) +{ + this->bad_version = version; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code) +{ + private_pb_error_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .fatal = fatal, + .vendor_id = vendor_id, + .error_code = error_code, + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code, + u_int32_t error_offset) +{ + private_pb_error_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .fatal = fatal, + .vendor_id = vendor_id, + .error_code = error_code, + .error_offset = error_offset, + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_error_msg_create_from_data(chunk_t data) +{ + private_pb_error_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h new file mode 100644 index 000000000..8b92742b5 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_error_msg pb_error_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_ERROR_MSG_H_ +#define PB_ERROR_MSG_H_ + +typedef enum pb_tnc_error_code_t pb_tnc_error_code_t; +typedef struct pb_error_msg_t pb_error_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PB-TNC Error Codes as defined in section 4.9.1 of RFC 5793 + */ +enum pb_tnc_error_code_t { + PB_ERROR_UNEXPECTED_BATCH_TYPE = 0, + PB_ERROR_INVALID_PARAMETER = 1, + PB_ERROR_LOCAL_ERROR = 2, + PB_ERROR_UNSUPPORTED_MANDATORY_MSG = 3, + PB_ERROR_VERSION_NOT_SUPPORTED = 4 +}; + +/** + * enum name for pb_tnc_error_code_t. + */ +extern enum_name_t *pb_tnc_error_code_names; + +/** + * Class representing the PB-Error message type. + */ +struct pb_error_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get the fatal flag + * + * @return fatal flag + */ + bool (*get_fatal_flag)(pb_error_msg_t *this); + + /** + * Get PB Error code Vendor ID + * + * @return PB Error Code Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_error_msg_t *this); + + /** + * Get PB Error Code + * + * @return PB Error Code + */ + u_int16_t (*get_error_code)(pb_error_msg_t *this); + + /** + * Get the PB Error Offset + * + * @return PB Error Offset + */ + u_int32_t (*get_offset)(pb_error_msg_t *this); + + /** + * Get the PB Bad Version + * + * @return PB Bad Version + */ + u_int8_t (*get_bad_version)(pb_error_msg_t *this); + + /** + * Set the PB Bad Version + * + * @param version PB Bad Version + */ + void (*set_bad_version)(pb_error_msg_t *this, u_int8_t version); +}; + +/** + * Create a PB-Error message from parameters + * + * @param fatal fatal flag + * @param vendor_id Error Code Vendor ID + * @param error_code Error Code + */ +pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code); + +/** + * Create a PB-Error message from parameters with offset field + * + * @param fatal fatal flag + * @param vendor_id Error Code Vendor ID + * @param error_code Error Code + * @param error_offset Error Offset + */ +pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code, + u_int32_t error_offset); + +/** + * Create an unprocessed PB-Error message from raw data + * + * @param data PB-Error message data + */ +pb_tnc_msg_t* pb_error_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c new file mode 100644 index 000000000..7dfba136f --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_experimental_msg.h" + +typedef struct private_pb_experimental_msg_t private_pb_experimental_msg_t; + +/** + * Private data of a pb_experimental_msg_t object. + * + */ +struct private_pb_experimental_msg_t { + /** + * Public pb_experimental_msg_t interface. + */ + pb_experimental_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_experimental_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_experimental_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_experimental_msg_t *this) +{ + /* nothing to do since message contents equal encoding */ +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_experimental_msg_t *this, u_int32_t *offset) +{ + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_experimental_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +/** + * See header + */ +pb_tnc_msg_t *pb_experimental_msg_create_from_data(chunk_t data) +{ + private_pb_experimental_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + }, + .type = PB_MSG_EXPERIMENTAL, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_experimental_msg_create(chunk_t body) +{ + return pb_experimental_msg_create_from_data(body); +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h new file mode 100644 index 000000000..b1cc4f46e --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h @@ -0,0 +1,53 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_experimental_msg pb_experimental_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_EXPERIMENTAL_MSG_H_ +#define PB_EXPERIMENTAL_MSG_H_ + +typedef struct pb_experimental_msg_t pb_experimental_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Experimental message type. + */ +struct pb_experimental_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; +}; + +/** + * Create a PB-Experimental message from parameters + * + * @param body message body + */ +pb_tnc_msg_t* pb_experimental_msg_create(chunk_t body); + +/** + * Create an unprocessed PB-Experimental message from raw data + * + * @param data PB-Experimental message data + */ +pb_tnc_msg_t* pb_experimental_msg_create_from_data(chunk_t data); + +#endif /** PB_EXPERIMENTAL_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c new file mode 100644 index 000000000..9a94edf30 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c @@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_language_preference_msg.h" + +#include +#include +#include + +typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t; + +/** + * PB-Language-Preference message (see section 4.10 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Language Preference (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_LANG_PREFIX "Accept-Language: " +#define PB_LANG_PREFIX_LEN strlen(PB_LANG_PREFIX) + +/** + * Private data of a pb_language_preference_msg_t object. + * + */ +struct private_pb_language_preference_msg_t { + /** + * Public pb_access_recommendation_msg_t interface. + */ + pb_language_preference_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Language preference + */ + chunk_t language_preference; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_language_preference_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_language_preference_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_language_preference_msg_t *this) +{ + this->encoding = chunk_cat("cc", + chunk_create(PB_LANG_PREFIX, PB_LANG_PREFIX_LEN), + this->language_preference); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_language_preference_msg_t *this, u_int32_t *offset) +{ + chunk_t lang; + + if (this->encoding.len >= PB_LANG_PREFIX_LEN && + memeq(this->encoding.ptr, PB_LANG_PREFIX, PB_LANG_PREFIX_LEN)) + { + lang = chunk_skip(this->encoding, PB_LANG_PREFIX_LEN); + this->language_preference = lang.len ? chunk_clone(lang) : chunk_empty; + } + else + { + DBG1(DBG_TNC, "language preference must be preceded by '%s'", + PB_LANG_PREFIX); + *offset = 0; + return FAILED; + } + + if (this->language_preference.len && + this->language_preference.ptr[this->language_preference.len-1] == '\0') + { + DBG1(DBG_TNC, "language preference must not be null terminated"); + *offset = PB_LANG_PREFIX_LEN + this->language_preference.len - 1; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_language_preference_msg_t *this) +{ + free(this->encoding.ptr); + free(this->language_preference.ptr); + free(this); +} + +METHOD(pb_language_preference_msg_t, get_language_preference, chunk_t, + private_pb_language_preference_msg_t *this) +{ + return this->language_preference; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_language_preference_msg_create_from_data(chunk_t data) +{ + private_pb_language_preference_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_language_preference = _get_language_preference, + }, + .type = PB_MSG_LANGUAGE_PREFERENCE, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_language_preference_msg_create(chunk_t language_preference) +{ + private_pb_language_preference_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_language_preference = _get_language_preference, + }, + .type = PB_MSG_LANGUAGE_PREFERENCE, + .language_preference = chunk_clone(language_preference), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h new file mode 100644 index 000000000..17106f6fa --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_language_preference_msg pb_language_preference_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_LANGUAGE_PREFERENCE_MSG_H_ +#define PB_LANGUAGE_PREFERENCE_MSG_H_ + +typedef struct pb_language_preference_msg_t pb_language_preference_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Language-Preference message type. + */ +struct pb_language_preference_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PB Language Preference + * + * @return Language preference + */ + chunk_t (*get_language_preference)(pb_language_preference_msg_t *this); +}; + +/** + * Create a PB-Language-Preference message from parameters + * + * @param language_preference Preferred language(s) + */ +pb_tnc_msg_t* pb_language_preference_msg_create(chunk_t language_preference); + +/** + * Create an unprocessed PB-Language-Preference message from raw data + * + * @param data PB-Language-Preference message data + */ +pb_tnc_msg_t* pb_language_preference_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c new file mode 100644 index 000000000..8315bfb76 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c @@ -0,0 +1,293 @@ +/* + * Copyright (C) 2010 Sansar Choinyanbuu + * Copyright (C) 2010 Andreas Steffen + * + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_pa_msg.h" + +#include +#include +#include +#include + +ENUM(pa_tnc_subtype_names, PA_SUBTYPE_TESTING, PA_SUBTYPE_NEA_CLIENT, + "Testing", + "Operating System", + "Anti-Virus", + "Anti-Spyware", + "Anti-Malware", + "Firewall", + "IDPS", + "VPN", + "NEA Client" +); + +typedef struct private_pb_pa_msg_t private_pb_pa_msg_t; + +/** + * PB-PA message + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | PA Message Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PA Subtype | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Posture Collector Identifier | Posture Validator Identifier | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PA Message Body (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PA_FLAG_NONE 0x00 +#define PA_FLAG_EXCL (1<<7) +#define PA_RESERVED_SUBTYPE 0xffffffff + + +/** + * Private data of a pb_pa_msg_t object. + * + */ +struct private_pb_pa_msg_t { + /** + * Public pb_pa_msg_t interface. + */ + pb_pa_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Exclusive flag + */ + bool excl; + + /** + * PA Message Vendor ID + */ + u_int32_t vendor_id; + + /** + * PA Subtype + */ + u_int32_t subtype; + + /** + * Posture Validator Identifier + */ + u_int16_t collector_id; + + /** + * Posture Validator Identifier + */ + u_int16_t validator_id; + + /** + * PA Message Body + */ + chunk_t msg_body; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_pa_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_pa_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_pa_msg_t *this) +{ + chunk_t msg_header; + tls_writer_t *writer; + + /* build message header */ + writer = tls_writer_create(64); + writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE); + writer->write_uint24(writer, this->vendor_id); + writer->write_uint32(writer, this->subtype); + writer->write_uint16(writer, this->collector_id); + writer->write_uint16(writer, this->validator_id); + msg_header = writer->get_buf(writer); + + /* create encoding by concatenating message header and message body */ + free(this->encoding.ptr); + this->encoding = chunk_cat("cc", msg_header, this->msg_body); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_pa_msg_t *this, u_int32_t *offset) +{ + u_int8_t flags; + size_t msg_body_len; + tls_reader_t *reader; + + /* process message header */ + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &this->vendor_id); + reader->read_uint32(reader, &this->subtype); + reader->read_uint16(reader, &this->collector_id); + reader->read_uint16(reader, &this->validator_id); + this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE); + + /* process message body */ + msg_body_len = reader->remaining(reader); + if (msg_body_len) + { + reader->read_data(reader, msg_body_len, &this->msg_body); + this->msg_body = chunk_clone(this->msg_body); + } + reader->destroy(reader); + + if (this->vendor_id == RESERVED_VENDOR_ID) + { + DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID); + *offset = 1; + return FAILED; + } + + if (this->subtype == PA_RESERVED_SUBTYPE) + { + DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE); + *offset = 4; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_pa_msg_t *this) +{ + free(this->encoding.ptr); + free(this->msg_body.ptr); + free(this); +} + +METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t, + private_pb_pa_msg_t *this, u_int32_t *subtype) +{ + *subtype = this->subtype; + return this->vendor_id; +} + +METHOD(pb_pa_msg_t, get_collector_id, u_int16_t, + private_pb_pa_msg_t *this) +{ + return this->collector_id; +} + +METHOD(pb_pa_msg_t, get_validator_id, u_int16_t, + private_pb_pa_msg_t *this) +{ + return this->validator_id; +} + +METHOD(pb_pa_msg_t, get_body, chunk_t, + private_pb_pa_msg_t *this) +{ + return this->msg_body; +} + +METHOD(pb_pa_msg_t, get_exclusive_flag, bool, + private_pb_pa_msg_t *this) +{ + return this->excl; +} + +METHOD(pb_pa_msg_t, set_exclusive_flag, void, + private_pb_pa_msg_t *this, bool excl) +{ + this->excl = excl; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data) +{ + private_pb_pa_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_collector_id = _get_collector_id, + .get_validator_id = _get_validator_id, + .get_body = _get_body, + .get_exclusive_flag = _get_exclusive_flag, + .set_exclusive_flag = _set_exclusive_flag, + }, + .type = PB_MSG_PA, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, + u_int16_t collector_id, u_int16_t validator_id, + chunk_t msg_body) +{ + private_pb_pa_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_collector_id = _get_collector_id, + .get_validator_id = _get_validator_id, + .get_body = _get_body, + .get_exclusive_flag = _get_exclusive_flag, + .set_exclusive_flag = _set_exclusive_flag, + }, + .type = PB_MSG_PA, + .vendor_id = vendor_id, + .subtype = subtype, + .collector_id = collector_id, + .validator_id = validator_id, + .msg_body = chunk_clone(msg_body), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h new file mode 100644 index 000000000..366d790f6 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h @@ -0,0 +1,123 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_pa_msg pb_pa_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_PA_MSG_H_ +#define PB_PA_MSG_H_ + +typedef enum pa_tnc_subtype_t pa_tnc_subtype_t; +typedef struct pb_pa_msg_t pb_pa_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PA-TNC Subtypes as defined in section 3.5 of RFC 5792 + */ + enum pa_tnc_subtype_t { + PA_SUBTYPE_TESTING = 0, + PA_SUBTYPE_OPERATING_SYSTEM = 1, + PA_SUBTYPE_ANTI_VIRUS = 2, + PA_SUBTYPE_ANTI_SPYWARE = 3, + PA_SUBTYPE_ANTI_MALWARE = 4, + PA_SUBTYPE_FIREWALL = 5, + PA_SUBTYPE_IDPS = 6, + PA_SUBTYPE_VPN = 7, + PA_SUBTYPE_NEA_CLIENT = 8 +}; + +/** + * enum name for pa_tnc_subtype_t. + */ +extern enum_name_t *pa_tnc_subtype_names; + +/** + * Class representing the PB-PA message type. + */ +struct pb_pa_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PA Message Vendor ID and Subtype + * + * @param subtype PA Subtype + * @return PA Message Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype); + + /** + * Get Posture Collector ID + * + * @return Posture Collector ID + */ + u_int16_t (*get_collector_id)(pb_pa_msg_t *this); + + /** + * Get Posture Validator ID + * + * @return Posture Validator ID + */ + u_int16_t (*get_validator_id)(pb_pa_msg_t *this); + + /** + * Get the PA Message Body + * + * @return PA Message Body + */ + chunk_t (*get_body)(pb_pa_msg_t *this); + + /** + * Get the exclusive flag + * + * @return exclusive flag + */ + bool (*get_exclusive_flag)(pb_pa_msg_t *this); + + /** + * Set the exclusive flag + * + * @param excl vexclusive flag + */ + void (*set_exclusive_flag)(pb_pa_msg_t *this, bool excl); +}; + +/** + * Create a PB-PA message from parameters + * + * @param vendor_id PA Message Vendor ID + * @param subtype PA Subtype + * @param collector_id Posture Collector ID + * @param validator_id Posture Validator ID + * @param msg_body PA Message Body + */ +pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, + u_int16_t collector_id, u_int16_t validator_id, + chunk_t msg_body); + +/** + * Create an unprocessed PB-PA message from raw data + * + * @param data PB-PA message data + */ +pb_tnc_msg_t* pb_pa_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c new file mode 100644 index 000000000..e361cf2b2 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c @@ -0,0 +1,216 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_reason_string_msg.h" + +#include +#include +#include + +typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t; + +/** + * PB-Language-Preference message (see section 4.11 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reason String Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reason String (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Lang Code Len | Reason String Language Code (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +/** + * Private data of a pb_reason_string_msg_t object. + * + */ +struct private_pb_reason_string_msg_t { + /** + * Public pb_reason_string_msg_t interface. + */ + pb_reason_string_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Reason string + */ + chunk_t reason_string; + + /** + * Language code + */ + chunk_t language_code; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_reason_string_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_reason_string_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(64); + writer->write_data32(writer, this->reason_string); + writer->write_data8 (writer, this->language_code); + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_reason_string_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + if (!reader->read_data32(reader, &this->reason_string)) + { + DBG1(DBG_TNC, "could not parse reason string"); + reader->destroy(reader); + *offset = 0; + return FAILED; + }; + this->reason_string = chunk_clone(this->reason_string); + + if (this->reason_string.len && + this->reason_string.ptr[this->reason_string.len-1] == '\0') + { + DBG1(DBG_TNC, "reason string must not be null terminated"); + reader->destroy(reader); + *offset = 3 + this->reason_string.len; + return FAILED; + } + + if (!reader->read_data8(reader, &this->language_code)) + { + DBG1(DBG_TNC, "could not parse language code"); + reader->destroy(reader); + *offset = 4 + this->reason_string.len; + return FAILED; + }; + this->language_code = chunk_clone(this->language_code); + reader->destroy(reader); + + if (this->language_code.len && + this->language_code.ptr[this->language_code.len-1] == '\0') + { + DBG1(DBG_TNC, "language code must not be null terminated"); + *offset = 4 + this->reason_string.len + this->language_code.len; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_reason_string_msg_t *this) +{ + free(this->encoding.ptr); + free(this->reason_string.ptr); + free(this->language_code.ptr); + free(this); +} + +METHOD(pb_reason_string_msg_t, get_reason_string, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->reason_string; +} + +METHOD(pb_reason_string_msg_t, get_language_code, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->language_code; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_reason_string_msg_create_from_data(chunk_t data) +{ + private_pb_reason_string_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_reason_string = _get_reason_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_reason_string_msg_create(chunk_t reason_string, + chunk_t language_code) +{ + private_pb_reason_string_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_reason_string = _get_reason_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .reason_string = chunk_clone(reason_string), + .language_code = chunk_clone(language_code), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h new file mode 100644 index 000000000..bb296a90c --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_reason_string_msg pb_reason_string_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_REASON_STRING_MSG_H_ +#define PB_REASON_STRING_MSG_H_ + +typedef struct pb_reason_string_msg_t pb_reason_string_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Reason-String message type. + */ +struct pb_reason_string_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get Reason String + * + * @return Reason string + */ + chunk_t (*get_reason_string)(pb_reason_string_msg_t *this); + + /** + * Get Reason String Language Code + * + * @return Language code + */ + chunk_t (*get_language_code)(pb_reason_string_msg_t *this); +}; + +/** + * Create a PB-Reason-String message from parameters + * + * @param reason_string Reason string + * @param language_code Language code + */ +pb_tnc_msg_t* pb_reason_string_msg_create(chunk_t reason_string, + chunk_t language_code); + +/** + * Create an unprocessed PB-Reason-String message from raw data + * + * @param data PB-Reason-String message data + */ +pb_tnc_msg_t* pb_reason_string_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c new file mode 100644 index 000000000..79381a7b1 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c @@ -0,0 +1,259 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_remediation_parameters_msg.h" + +#include +#include +#include + +ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING, + "Remediation-URI", + "Remediation-String" +); + +typedef struct private_pb_remediation_parameters_msg_t private_pb_remediation_parameters_msg_t; + +/** + * PB-Remediation-Parameters message (see section 4.8 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Remediation Parameters Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation Parameters Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation Parameters (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation String Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation String (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Lang Code Len | Remediation String Lang Code (Variable Len) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +/** + * Private data of a pb_remediation_parameters_msg_t object. + * + */ +struct private_pb_remediation_parameters_msg_t { + /** + * Public pb_remediation_parameters_msg_t interface. + */ + pb_remediation_parameters_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Remediation Parameters Vendor ID + */ + u_int32_t vendor_id; + + /** + * Remediation Parameters Type + */ + u_int32_t parameters_type; + + /** + * Remediation Parameters string + */ + chunk_t remediation_string; + + /** + * Language code + */ + chunk_t language_code; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_remediation_parameters_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(64); + writer->write_uint32(writer, this->vendor_id); + writer->write_uint32(writer, this->parameters_type); + writer->write_data32(writer, this->remediation_string); + writer->write_data8 (writer, this->language_code); + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_remediation_parameters_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint32(reader, &this->vendor_id); + reader->read_uint32(reader, &this->parameters_type); + + if (!reader->read_data32(reader, &this->remediation_string)) + { + DBG1(DBG_TNC, "could not parse remediation string"); + reader->destroy(reader); + *offset = 8; + return FAILED; + }; + this->remediation_string = chunk_clone(this->remediation_string); + + if (this->remediation_string.len && + this->remediation_string.ptr[this->remediation_string.len-1] == '\0') + { + DBG1(DBG_TNC, "remediation string must not be null terminated"); + reader->destroy(reader); + *offset = 11 + this->remediation_string.len; + return FAILED; + } + + if (!reader->read_data8(reader, &this->language_code)) + { + DBG1(DBG_TNC, "could not parse language code"); + reader->destroy(reader); + *offset = 12 + this->remediation_string.len; + return FAILED; + }; + this->language_code = chunk_clone(this->language_code); + reader->destroy(reader); + + if (this->language_code.len && + this->language_code.ptr[this->language_code.len-1] == '\0') + { + DBG1(DBG_TNC, "language code must not be null terminated"); + *offset = 12 + this->remediation_string.len + this->language_code.len; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_remediation_parameters_msg_t *this) +{ + free(this->encoding.ptr); + free(this->remediation_string.ptr); + free(this->language_code.ptr); + free(this); +} + +METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t, + private_pb_remediation_parameters_msg_t *this, u_int32_t *type) +{ + *type = this->parameters_type; + return this->vendor_id; +} + +METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->remediation_string; +} + +METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->language_code; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data) +{ + private_pb_remediation_parameters_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_remediation_string = _get_remediation_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id, + u_int32_t type, + chunk_t remediation_string, + chunk_t language_code) +{ + private_pb_remediation_parameters_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_remediation_string = _get_remediation_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .vendor_id = vendor_id, + .parameters_type = type, + .remediation_string = chunk_clone(remediation_string), + .language_code = chunk_clone(language_code), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h new file mode 100644 index 000000000..258d495ec --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_remediation_parameters_msg pb_remediation_parameters_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_REMEDIATION_PARAMETERS_MSG_H_ +#define PB_REMEDIATION_PARAMETERS_MSG_H_ + +typedef enum pb_tnc_remed_param_type_t pb_tnc_remed_param_type_t; +typedef struct pb_remediation_parameters_msg_t pb_remediation_parameters_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793 + */ +enum pb_tnc_remed_param_type_t { + PB_REMEDIATION_URI = 1, + PB_REMEDIATION_STRING = 2, +}; + +/** + * enum name for pb_tnc_remed_param_type_t. + */ +extern enum_name_t *pb_tnc_remed_param_type_names; + +/** + * Class representing the PB-Remediation-Parameters message type. + */ +struct pb_remediation_parameters_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get Remediation Parameters Vendor ID and Type + * + * @param type Remediation Parameters Type + * @return Remediation Parameters Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this, + u_int32_t *type); + + /** + * Get Remediation String + * + * @return Remediation String + */ + chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this); + + /** + * Get Reason String Language Code + * + * @return Language Code + */ + chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this); +}; + +/** + * Create a PB-Remediation-Parameters message from parameters + * + * @param vendor_id Remediation Parameters Vendor ID + * @param type Remediation Parameters Type + * @param remediation_string Remediation String + * @param language_code Language Code + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id, + u_int32_t type, + chunk_t remediation_string, + chunk_t language_code); + +/** + * Create an unprocessed PB-Remediation-Parameters message from raw data + * + * @param data PB-Remediation-Parameters message data + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c new file mode 100644 index 000000000..3565c2d84 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_msg.h" +#include "pb_experimental_msg.h" +#include "pb_pa_msg.h" +#include "pb_error_msg.h" +#include "pb_language_preference_msg.h" +#include "pb_assessment_result_msg.h" +#include "pb_access_recommendation_msg.h" +#include "pb_remediation_parameters_msg.h" +#include "pb_reason_string_msg.h" + +#include + +ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING, + "PB-Experimental", + "PB-PA", + "PB-Assessment-Result", + "PB-Access-Recommendation", + "PB-Remediation-Parameters", + "PB-Error", + "PB-Language-Preference", + "PB-Reason-String" +); + +pb_tnc_msg_info_t pb_tnc_msg_infos[] = { + { 12, FALSE, FALSE, TRUE_OR_FALSE }, + { 24, FALSE, FALSE, TRUE }, + { 16, TRUE, TRUE, TRUE }, + { 16, TRUE, TRUE, FALSE }, + { 20, FALSE, TRUE, FALSE }, + { 20, FALSE, FALSE, TRUE }, + { 12, FALSE, FALSE, FALSE }, + { 17, FALSE, TRUE, FALSE }, +}; + +/** + * See header + */ +pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value) +{ + switch (type) + { + case PB_MSG_PA: + return pb_pa_msg_create_from_data(value); + case PB_MSG_ERROR: + return pb_error_msg_create_from_data(value); + case PB_MSG_EXPERIMENTAL: + return pb_experimental_msg_create_from_data(value); + case PB_MSG_LANGUAGE_PREFERENCE: + return pb_language_preference_msg_create_from_data(value); + case PB_MSG_ASSESSMENT_RESULT: + return pb_assessment_result_msg_create_from_data(value); + case PB_MSG_ACCESS_RECOMMENDATION: + return pb_access_recommendation_msg_create_from_data(value); + case PB_MSG_REMEDIATION_PARAMETERS: + return pb_remediation_parameters_msg_create_from_data(value); + case PB_MSG_REASON_STRING: + return pb_reason_string_msg_create_from_data(value); + } + return NULL; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h new file mode 100644 index 000000000..e20c8d8ff --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h @@ -0,0 +1,128 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_tnc_msg pb_tnc_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_TNC_MSG_H_ +#define PB_TNC_MSG_H_ + +typedef enum pb_tnc_msg_type_t pb_tnc_msg_type_t; +typedef struct pb_tnc_msg_info_t pb_tnc_msg_info_t; +typedef struct pb_tnc_msg_t pb_tnc_msg_t; + +#include + +#define PB_TNC_VERSION 2 + +/** + * PB-TNC Message Types as defined in section 4.3 of RFC 5793 + */ +enum pb_tnc_msg_type_t { + PB_MSG_EXPERIMENTAL = 0, + PB_MSG_PA = 1, + PB_MSG_ASSESSMENT_RESULT = 2, + PB_MSG_ACCESS_RECOMMENDATION = 3, + PB_MSG_REMEDIATION_PARAMETERS = 4, + PB_MSG_ERROR = 5, + PB_MSG_LANGUAGE_PREFERENCE = 6, + PB_MSG_REASON_STRING = 7, + PB_MSG_ROOF = 7 +}; + +/** + * enum name for pb_tnc_msg_type_t. + */ +extern enum_name_t *pb_tnc_msg_type_names; + +/** + * Information entry describing a PB-TNC Message Type + */ +struct pb_tnc_msg_info_t { + u_int32_t min_size; + bool exact_size; + bool in_result_batch; + bool has_noskip_flag; +}; + +#define TRUE_OR_FALSE 2 + +/** + * Information on PB-TNC Message Types + */ +extern pb_tnc_msg_info_t pb_tnc_msg_infos[]; + +/** + * Generic interface for all PB-TNC message types. + * + * To handle all messages in a generic way, this interface + * must be implemented by each message type. + */ +struct pb_tnc_msg_t { + + /** + * Get the PB-TNC Message Type + * + * @return PB-TNC Message Type + */ + pb_tnc_msg_type_t (*get_type)(pb_tnc_msg_t *this); + + /** + * Get the encoding of the PB-TNC Message Value + * + * @return encoded PB-TNC Message Value + */ + chunk_t (*get_encoding)(pb_tnc_msg_t *this); + + /** + * Build the PB-TNC Message Value + */ + void (*build)(pb_tnc_msg_t *this); + + /** + * Process the PB-TNC Message Value + * + * @param relative offset where an error occurred + * @return return processing status + */ + status_t (*process)(pb_tnc_msg_t *this, u_int32_t *offset); + + /** + * Get a new reference to the message. + * + * @return this, with an increased refcount + */ + pb_tnc_msg_t* (*get_ref)(pb_tnc_msg_t *this); + + /** + * Destroys a pb_tnc_msg_t object. + */ + void (*destroy)(pb_tnc_msg_t *this); +}; + +/** + * Create an unprocessed PB-TNC message + * + * Useful for the parser which wants a generic constructor for all + * pb_tnc_message_t types. + * + * @param type PB-TNC message type + * @param value PB-TNC message value + */ +pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value); + +#endif /** PB_TNC_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c new file mode 100644 index 000000000..a46dc0ab9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c @@ -0,0 +1,287 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_state_machine.h" + +#include + +ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END, + "Init", + "Server Working", + "Client Working", + "Decided", + "End" +); + +/** + * PB-TNC State Machine (see section 3.2 of RFC 5793) + * + * Receive CRETRY SRETRY + * or SRETRY +----------------+ + * +--+ | | + * v | v | + * +---------+ CRETRY +---------+ + * CDATA | Server |<---------| Decided | CLOSE + * +----------->| Working |--------->| |-------+ + * | +---------+ RESULT +---------+ | + * | ^ | | v + * | | | +---------------------->======= + * ======== | | CLOSE " End " + * " Init " CDATA| |SDATA ======= + * ======== | | ^ ^ + * | | | v | | + * | | SDATA +---------+ CLOSE | | + * | +-------->| Client |----------------------+ | + * | | Working | | + * | +---------+ | + * | | ^ | + * | +--+ | + * | Receive CRETRY | + * | CLOSE | + * +--------------------------------------------------+ + */ + +typedef struct private_pb_tnc_state_machine_t private_pb_tnc_state_machine_t; + +/** + * Private data of a pb_tnc_state_machine_t object. + * + */ +struct private_pb_tnc_state_machine_t { + /** + * Public pb_pa_message_t interface. + */ + pb_tnc_state_machine_t public; + + /** + * PB-TNC Server if TRUE, PB-TNC Client if FALSE + */ + bool is_server; + + /** + * Current PB-TNC state + */ + pb_tnc_state_t state; +}; + +METHOD(pb_tnc_state_machine_t, get_state, pb_tnc_state_t, + private_pb_tnc_state_machine_t *this) +{ + return this->state; +} + +METHOD(pb_tnc_state_machine_t, receive_batch, bool, + private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type) +{ + pb_tnc_state_t old_state = this->state; + + switch (this->state) + { + case PB_STATE_INIT: + if (this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (!this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_SERVER_WORKING: + if (!this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (!this->is_server && type == PB_BATCH_RESULT) + { + this->state = PB_STATE_DECIDED; + break; + } + if ((this->is_server && type == PB_BATCH_CRETRY) || + (!this->is_server && type == PB_BATCH_SRETRY)) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_CLIENT_WORKING: + if (this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_CRETRY) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_DECIDED: + if ((this->is_server && type == PB_BATCH_CRETRY) || + (!this->is_server && type == PB_BATCH_SRETRY)) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_END: + if (type == PB_BATCH_CLOSE) + { + break; + } + return FALSE; + } + + if (this->state != old_state) + { + DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'", + pb_tnc_state_names, old_state, pb_tnc_state_names, this->state); + } + return TRUE; +} + +METHOD(pb_tnc_state_machine_t, send_batch, bool, + private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type) +{ + pb_tnc_state_t old_state = this->state; + + switch (this->state) + { + case PB_STATE_INIT: + if (!this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_SERVER_WORKING: + if (this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_RESULT) + { + this->state = PB_STATE_DECIDED; + break; + } + if (this->is_server && type == PB_BATCH_SRETRY) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_CLIENT_WORKING: + if (!this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_DECIDED: + if ((this->is_server && type == PB_BATCH_SRETRY) || + (!this->is_server && type == PB_BATCH_CRETRY)) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_END: + if (type == PB_BATCH_CLOSE) + { + break; + } + return FALSE; + } + + if (this->state != old_state) + { + DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'", + pb_tnc_state_names, old_state, pb_tnc_state_names, this->state); + } + return TRUE; +} + +METHOD(pb_tnc_state_machine_t, destroy, void, + private_pb_tnc_state_machine_t *this) +{ + free(this); +} + +/** + * See header + */ +pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server) +{ + private_pb_tnc_state_machine_t *this; + + INIT(this, + .public = { + .get_state = _get_state, + .receive_batch = _receive_batch, + .send_batch = _send_batch, + .destroy = _destroy, + }, + .is_server = is_server, + .state = PB_STATE_INIT, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h new file mode 100644 index 000000000..8076b6ded --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_tnc_state_machine pb_tnc_state_machine + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_TNC_STATE_MACHINE_H_ +#define PB_TNC_STATE_MACHINE_H_ + +typedef struct pb_tnc_state_machine_t pb_tnc_state_machine_t; +typedef enum pb_tnc_state_t pb_tnc_state_t; + +#include "batch/pb_tnc_batch.h" + +#include + +/** + * PB-TNC States (state machine) as defined in section 3.2 of RFC 5793 + */ +enum pb_tnc_state_t { + PB_STATE_INIT, + PB_STATE_SERVER_WORKING, + PB_STATE_CLIENT_WORKING, + PB_STATE_DECIDED, + PB_STATE_END, +}; + +/** + * enum name for pb_tnc_state_t. + */ +extern enum_name_t *pb_tnc_state_names; + +/** + * Interface for the PB-TNC state machine. + */ +struct pb_tnc_state_machine_t { + + /** + * Get the current PB-TNC STATE + * + * @return current state + */ + pb_tnc_state_t (*get_state)(pb_tnc_state_machine_t *this); + + /** + * Compute state transition due to received PB-TNC Batch + * + * @param type type of received batch + * @result TRUE if a valid transition was found, FALSE otherwise + */ + bool (*receive_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type); + + /** + * Compute state transition due to sent PB-TNC Batch + * + * @param type type of sent batch + * @result TRUE if a valid transition was found, FALSE otherwise + */ + bool (*send_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type); + + /** + * Destroys a pb_tnc_state_machine_t object. + */ + void (*destroy)(pb_tnc_state_machine_t *this); +}; + +/** + * Create and initialize a PB-TNC state machine + * + * @param is_server TRUE if PB-TNC server, FALSE if PB-TNC client + */ +pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server); + +#endif /** PB_TNC_STATE_MACHINE_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index 2bd1bc476..d53fd8eb7 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Sansar Choinyanbuu * Copyright (C) 2010 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -14,10 +15,23 @@ */ #include "tnccs_20.h" +#include "batch/pb_tnc_batch.h" +#include "messages/pb_tnc_msg.h" +#include "messages/pb_pa_msg.h" +#include "messages/pb_error_msg.h" +#include "messages/pb_assessment_result_msg.h" +#include "messages/pb_access_recommendation_msg.h" +#include "messages/pb_remediation_parameters_msg.h" +#include "messages/pb_reason_string_msg.h" +#include "messages/pb_language_preference_msg.h" +#include "state_machine/pb_tnc_state_machine.h" #include - -static chunk_t tncc_output; +#include +#include +#include +#include +#include typedef struct private_tnccs_20_t private_tnccs_20_t; @@ -35,18 +49,541 @@ struct private_tnccs_20_t { * TNCC if TRUE, TNCS if FALSE */ bool is_server; + + /** + * PB-TNC State Machine + */ + pb_tnc_state_machine_t *state_machine; + + /** + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * PB-TNC batch being constructed + */ + pb_tnc_batch_t *batch; + + /** + * Mutex locking the batch in construction + */ + mutex_t *mutex; + + /** + * Flag set while processing + */ + bool fatal_error; + + /** + * Flag set by IMC/IMV RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * Set of IMV recommendations (TNC Server only) + */ + recommendations_t *recs; }; +METHOD(tnccs_t, send_msg, void, + private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + TNC_MessageSubtype msg_sub_type; + TNC_VendorID msg_vendor_id; + pb_tnc_msg_t *pb_tnc_msg; + pb_tnc_batch_type_t batch_type; + + msg_sub_type = msg_type & TNC_SUBTYPE_ANY; + msg_vendor_id = (msg_type >> 8) & TNC_VENDORID_ANY; + + pb_tnc_msg = pb_pa_msg_create(msg_vendor_id, msg_sub_type, imc_id, imv_id, + chunk_create(msg, msg_len)); + + /* adding PA message to SDATA or CDATA batch only */ + batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA; + this->mutex->lock(this->mutex); + if (!this->batch) + { + this->batch = pb_tnc_batch_create(this->is_server, batch_type); + } + if (this->batch->get_type(this->batch) == batch_type) + { + this->batch->add_msg(this->batch, pb_tnc_msg); + } + else + { + pb_tnc_msg->destroy(pb_tnc_msg); + } + this->mutex->unlock(this->mutex); +} + +/** + * Handle a single PB-TNC message according to its type + */ +static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) +{ + switch (msg->get_type(msg)) + { + case PB_MSG_EXPERIMENTAL: + /* nothing to do */ + break; + case PB_MSG_PA: + { + pb_pa_msg_t *pa_msg; + TNC_MessageType msg_type; + u_int32_t vendor_id, subtype; + chunk_t msg_body; + + pa_msg = (pb_pa_msg_t*)msg; + vendor_id = pa_msg->get_vendor_id(pa_msg, &subtype); + msg_type = (vendor_id << 8) | (subtype & 0xff); + msg_body = pa_msg->get_body(pa_msg); + + DBG2(DBG_TNC, "handling PB-PA message type 0x%08x", msg_type); + + if (this->is_server) + { + charon->imvs->receive_message(charon->imvs, + this->connection_id, msg_body.ptr, msg_body.len, msg_type); + } + else + { + charon->imcs->receive_message(charon->imcs, + this->connection_id, msg_body.ptr, msg_body.len,msg_type); + } + break; + } + case PB_MSG_ASSESSMENT_RESULT: + { + pb_assessment_result_msg_t *assess_msg; + u_int32_t result; + + assess_msg = (pb_assessment_result_msg_t*)msg; + result = assess_msg->get_assessment_result(assess_msg); + DBG1(DBG_TNC, "PB-TNC assessment result is '%N'", + TNC_IMV_Evaluation_Result_names, result); + break; + } + case PB_MSG_ACCESS_RECOMMENDATION: + { + pb_access_recommendation_msg_t *rec_msg; + pb_access_recommendation_code_t rec; + TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; + + rec_msg = (pb_access_recommendation_msg_t*)msg; + rec = rec_msg->get_access_recommendation(rec_msg); + DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'", + pb_access_recommendation_code_names, rec); + switch (rec) + { + case PB_REC_ACCESS_ALLOWED: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + break; + case PB_REC_ACCESS_DENIED: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + break; + case PB_REC_QUARANTINED: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + } + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, state); + break; + } + case PB_MSG_REMEDIATION_PARAMETERS: + { + /* TODO : Remediation parameters message processing */ + break; + } + case PB_MSG_ERROR: + { + pb_error_msg_t *err_msg; + bool fatal; + u_int32_t vendor_id; + u_int16_t error_code; + + err_msg = (pb_error_msg_t*)msg; + fatal = err_msg->get_fatal_flag(err_msg); + vendor_id = err_msg->get_vendor_id(err_msg); + error_code = err_msg->get_error_code(err_msg); + + if (fatal) + { + this->fatal_error = TRUE; + } + + if (vendor_id == IETF_VENDOR_ID) + { + switch (error_code) + { + case PB_ERROR_INVALID_PARAMETER: + case PB_ERROR_UNSUPPORTED_MANDATORY_MSG: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' " + "(offset %u bytes)", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_offset(err_msg)); + break; + case PB_ERROR_VERSION_NOT_SUPPORTED: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' " + "caused by bad version 0x%02x", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_bad_version(err_msg)); + break; + case PB_ERROR_UNEXPECTED_BATCH_TYPE: + case PB_ERROR_LOCAL_ERROR: + default: + DBG1(DBG_TNC, "received %s PB-TNC error '%N'", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code); + break; + } + } + else + { + DBG1(DBG_TNC, "received %s PB-TNC error (%u) " + "with Vendor ID 0x%06x", + fatal ? "fatal" : "non-fatal", + error_code, vendor_id); + } + break; + } + case PB_MSG_LANGUAGE_PREFERENCE: + { + pb_language_preference_msg_t *lang_msg; + chunk_t lang; + + lang_msg = (pb_language_preference_msg_t*)msg; + lang = lang_msg->get_language_preference(lang_msg); + + DBG2(DBG_TNC, "setting language preference to '%.*s'", + lang.len, lang.ptr); + this->recs->set_preferred_language(this->recs, lang); + break; + } + case PB_MSG_REASON_STRING: + { + pb_reason_string_msg_t *reason_msg; + chunk_t reason_string, language_code; + + reason_msg = (pb_reason_string_msg_t*)msg; + reason_string = reason_msg->get_reason_string(reason_msg); + language_code = reason_msg->get_language_code(reason_msg); + DBG2(DBG_TNC, "reason string is '%.*s", reason_string.len, + reason_string.ptr); + DBG2(DBG_TNC, "language code is '%.*s", language_code.len, + language_code.ptr); + break; + } + default: + break; + } +} + +/** + * Build a CRETRY or SRETRY batch + */ +static void build_retry_batch(private_tnccs_20_t *this) +{ + if (this->batch) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch->get_type(this->batch)); + this->batch->destroy(this->batch); + } + this->batch = pb_tnc_batch_create(this->is_server, + this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY); +} + METHOD(tls_t, process, status_t, private_tnccs_20_t *this, void *buf, size_t buflen) { + chunk_t data; + pb_tnc_batch_t *batch; + pb_tnc_msg_t *msg; + enumerator_t *enumerator; + status_t status; + + if (this->is_server && !this->connection_id) + { + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, &this->recs); + if (!this->connection_id) + { + return FAILED; + } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + } + + data = chunk_create(buf, buflen); + DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u", + data.len, this->connection_id); + DBG3(DBG_TNC, "%B", &data); + batch = pb_tnc_batch_create_from_data(this->is_server, data); + status = batch->process(batch, this->state_machine); + + if (status != FAILED) + { + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + pb_tnc_batch_type_t batch_type; + bool empty = TRUE; + + batch_type = batch->get_type(batch); + + if (batch_type == PB_BATCH_CRETRY) + { + /* Send an SRETRY batch in response */ + this->mutex->lock(this->mutex); + build_retry_batch(this); + this->mutex->unlock(this->mutex); + } + else if (batch_type == PB_BATCH_SRETRY) + { + /* Restart the measurements */ + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); + } + + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + handle_message(this, msg); + empty = FALSE; + } + enumerator->destroy(enumerator); + + /* received an empty CLOSE batch from PB-TNC client */ + if (this->is_server && batch_type == PB_BATCH_CLOSE && empty) + { + batch->destroy(batch); + if (this->fatal_error) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, " + "terminating connection"); + return FAILED; + } + else + { + return SUCCESS; + } + } + + if (this->is_server) + { + charon->imvs->batch_ending(charon->imvs, this->connection_id); + } + else + { + charon->imcs->batch_ending(charon->imcs, this->connection_id); + } + } + + switch (status) + { + case FAILED: + this->fatal_error = TRUE; + this->mutex->lock(this->mutex); + if (this->batch) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch->get_type(this->batch)); + this->batch->destroy(this->batch); + } + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + this->mutex->unlock(this->mutex); + /* fall through to add error messages to outbound batch */ + case VERIFY_ERROR: + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->mutex->lock(this->mutex); + this->batch->add_msg(this->batch, msg->get_ref(msg)); + this->mutex->unlock(this->mutex); + } + enumerator->destroy(enumerator); + break; + case SUCCESS: + default: + break; + } + batch->destroy(batch); + return NEED_MORE; } +/** + * Build a RESULT batch if a final recommendation is available + */ +static void check_and_build_recommendation(private_tnccs_20_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_IMVID id; + chunk_t reason, language; + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + + if (!this->recs->have_recommendation(this->recs, &rec, &eval)) + { + charon->imvs->solicit_recommendation(charon->imvs, this->connection_id); + } + if (this->recs->have_recommendation(this->recs, &rec, &eval)) + { + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_RESULT); + + msg = pb_assessment_result_msg_create(eval); + this->batch->add_msg(this->batch, msg); + + /** + * IMV Action Recommendation and PB Access Recommendation codes + * are shifted by one. + */ + msg = pb_access_recommendation_msg_create(rec + 1); + this->batch->add_msg(this->batch, msg); + + enumerator = this->recs->create_reason_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &id, &reason, &language)) + { + msg = pb_reason_string_msg_create(reason, language); + this->batch->add_msg(this->batch, msg); + } + enumerator->destroy(enumerator); + } +} + METHOD(tls_t, build, status_t, private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) { - return ALREADY_DONE; + status_t status; + + /* Initialize the connection */ + if (!this->is_server && !this->connection_id) + { + pb_tnc_msg_t *msg; + char *pref_lang; + + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, NULL); + if (!this->connection_id) + { + return FAILED; + } + + /* Create PB-TNC Language Preference message */ + pref_lang = charon->imcs->get_preferred_language(charon->imcs); + msg = pb_language_preference_msg_create(chunk_create(pref_lang, + strlen(pref_lang))); + this->mutex->lock(this->mutex); + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CDATA); + this->batch->add_msg(this->batch, msg); + this->mutex->unlock(this->mutex); + + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); + } + + if (this->is_server && this->fatal_error && + this->state_machine->get_state(this->state_machine) == PB_STATE_END) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); + return FAILED; + } + + /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->request_handshake_retry) + { + build_retry_batch(this); + + /* Reset the flag for the next handshake retry request */ + this->request_handshake_retry = FALSE; + } + + if (!this->batch) + { + pb_tnc_state_t state; + + state = this->state_machine->get_state(this->state_machine); + if (this->is_server) + { + if (state == PB_STATE_SERVER_WORKING) + { + check_and_build_recommendation(this); + } + } + else + { + /** + * if the DECIDED state has been reached and no CRETRY is under way + * or if a CLOSE batch with error messages has been received, + * a PB-TNC client replies with an empty CLOSE batch. + */ + if (state == PB_STATE_DECIDED || state == PB_STATE_END) + { + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + } + } + } + + if (this->batch) + { + pb_tnc_batch_type_t batch_type; + chunk_t data; + + batch_type = this->batch->get_type(this->batch); + + if (this->state_machine->send_batch(this->state_machine, batch_type)) + { + this->batch->build(this->batch); + data = this->batch->get_encoding(this->batch); + DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", + pb_tnc_batch_type_names, batch_type, data.len, + this->connection_id); + DBG3(DBG_TNC, "%B", &data); + *msglen = data.len; + + if (data.len > *buflen) + { + DBG1(DBG_TNC, "fragmentation of PB-TNC batch not supported yet"); + } + else + { + *buflen = data.len; + } + memcpy(buf, data.ptr, *buflen); + status = ALREADY_DONE; + } + else + { + DBG1(DBG_TNC, "cancelling unexpected PB-TNC batch type: %N", + pb_tnc_batch_type_names, batch_type); + status = INVALID_STATE; + } + + this->batch->destroy(this->batch); + this->batch = NULL; + } + else + { + DBG1(DBG_TNC, "no PB-TNC batch to send"); + status = INVALID_STATE; + } + this->mutex->unlock(this->mutex); + + return status; } METHOD(tls_t, is_server, bool, @@ -64,7 +601,21 @@ METHOD(tls_t, get_purpose, tls_purpose_t, METHOD(tls_t, is_complete, bool, private_tnccs_20_t *this) { - return FALSE; + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + + if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) + { + DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + return charon->imvs->enforce_recommendation(charon->imvs, rec); + } + else + { + return FALSE; + } } METHOD(tls_t, get_eap_msk, chunk_t, @@ -76,6 +627,20 @@ METHOD(tls_t, get_eap_msk, chunk_t, METHOD(tls_t, destroy, void, private_tnccs_20_t *this) { + if (this->is_server) + { + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); + } + else + { + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); + } + charon->tnccs->remove_connection(charon->tnccs, this->connection_id); + this->state_machine->destroy(this->state_machine); + this->mutex->destroy(this->mutex); + DESTROY_IF(this->batch); free(this); } @@ -97,6 +662,8 @@ tls_t *tnccs_20_create(bool is_server) .destroy = _destroy, }, .is_server = is_server, + .state_machine = pb_tnc_state_machine_create(is_server), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); return &this->public; diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.am b/src/libcharon/plugins/tnccs_dynamic/Makefile.am new file mode 100644 index 000000000..9a81d065f --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +else +plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_dynamic_la_SOURCES = \ + tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c + +libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in new file mode 100644 index 000000000..722da2830 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in @@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/tnccs_dynamic +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_tnccs_dynamic_la_OBJECTS = tnccs_dynamic_plugin.lo \ + tnccs_dynamic.lo +libstrongswan_tnccs_dynamic_la_OBJECTS = \ + $(am_libstrongswan_tnccs_dynamic_la_OBJECTS) +libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnccs_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_dynamic_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_dynamic_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_tnccs_dynamic_la_SOURCES = \ + tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c + +libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) + $(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c new file mode 100644 index 000000000..b7985fa51 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -0,0 +1,146 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_dynamic.h" + +#include +#include + +typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t; + +/** + * Private data of a tnccs_dynamic_t object. + */ +struct private_tnccs_dynamic_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * Detected TNC IF-TNCCS stack + */ + tls_t *tls; +}; + +/** + * Determine the version of the IF-TNCCS protocol used by analyzing the first + * byte of the TNCCS batch received from a TNC Client according to the rules + * defined by section 3.5 "Interoperability with older IF-TNCCS versions" of + * the TCG TNC IF-TNCCS TLV Bindings Version 2.0 standard. + */ +tnccs_type_t determine_tnccs_protocol(char version) +{ + switch (version) + { + case '\t': + case '\n': + case '\r': + case ' ': + case '<': + return TNCCS_1_1; + case 0x00: + return TNCCS_SOH; + case 0x02: + return TNCCS_2_0; + default: + return TNCCS_UNKNOWN; + } +} + +METHOD(tls_t, process, status_t, + private_tnccs_dynamic_t *this, void *buf, size_t buflen) +{ + tnccs_type_t type; + + if (!this->tls) + { + if (buflen == 0) + { + return FAILED; + } + type = determine_tnccs_protocol(*(char*)buf); + DBG1(DBG_TNC, "%N protocol detected dynamically", + tnccs_type_names, type); + this->tls = (tls_t*)charon->tnccs->create_instance(charon->tnccs, + type, TRUE); + if (!this->tls) + { + DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); + return FAILED; + } + } + return this->tls->process(this->tls, buf, buflen); +} + +METHOD(tls_t, build, status_t, + private_tnccs_dynamic_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + return this->tls->build(this->tls, buf, buflen, msglen); +} + +METHOD(tls_t, is_server, bool, + private_tnccs_dynamic_t *this) +{ + return TRUE; +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tnccs_dynamic_t *this) +{ + return TLS_PURPOSE_EAP_TNC; +} + +METHOD(tls_t, is_complete, bool, + private_tnccs_dynamic_t *this) +{ + return this->tls ? this->tls->is_complete(this->tls) : FALSE; +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tnccs_dynamic_t *this) +{ + return chunk_empty; +} + +METHOD(tls_t, destroy, void, + private_tnccs_dynamic_t *this) +{ + DESTROY_IF(this->tls); + free(this); +} + +/** + * See header + */ +tls_t *tnccs_dynamic_create(bool is_server) +{ + private_tnccs_dynamic_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h new file mode 100644 index 000000000..42410b17f --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_dynamic_h tnccs_dynamic + * @{ @ingroup tnccs_dynamic + */ + +#ifndef TNCCS_DYNAMIC_H_ +#define TNCCS_DYNAMIC_H_ + +#include + +#include + +/** + * Create an instance of a dynamic TNC IF-TNCCS protocol handler. + * + * @param is_server TRUE to act as TNC Server, FALSE for TNC Client + * @return dynamic TNC IF-TNCCS protocol stack + */ +tls_t *tnccs_dynamic_create(bool is_server); + +#endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c new file mode 100644 index 000000000..dbbf222e0 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_dynamic_plugin.h" +#include "tnccs_dynamic.h" + +#include + +METHOD(plugin_t, destroy, void, + tnccs_dynamic_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_dynamic_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_dynamic_plugin_create() +{ + tnccs_dynamic_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_DYNAMIC, + (tnccs_constructor_t)tnccs_dynamic_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h new file mode 100644 index 000000000..b518e1278 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_dynamic tnccs_dynamic + * @ingroup cplugins + * + * @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin + * @{ @ingroup tnccs_dynamic + */ + +#ifndef TNCCS_DYNAMIC_PLUGIN_H_ +#define TNCCS_DYNAMIC_PLUGIN_H_ + +#include + +typedef struct tnccs_dynamic_plugin_t tnccs_dynamic_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_dynamic_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_DYNAMIC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 9cb5f794a..f7162d800 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index ddddae782..4e43388ec 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -196,8 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 47fff7e1d..5fa749e56 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index e93955d71..5dd2dc843 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c index 45ace9312..3544dd332 100644 --- a/src/libcharon/processing/jobs/acquire_job.c +++ b/src/libcharon/processing/jobs/acquire_job.c @@ -45,20 +45,16 @@ struct private_acquire_job_t { traffic_selector_t *dst_ts; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_acquire_job_t *this) +METHOD(job_t, destroy, void, + private_acquire_job_t *this) { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_acquire_job_t *this) +METHOD(job_t, execute, void, + private_acquire_job_t *this) { charon->traps->acquire(charon->traps, this->reqid, this->src_ts, this->dst_ts); @@ -72,14 +68,19 @@ acquire_job_t *acquire_job_create(u_int32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { - private_acquire_job_t *this = malloc_thing(private_acquire_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_acquire_job_t *this; - this->reqid = reqid; - this->src_ts = src_ts; - this->dst_ts = dst_ts; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .src_ts = src_ts, + .dst_ts = dst_ts, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c index ca55721f2..29122cd03 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.c +++ b/src/libcharon/processing/jobs/delete_child_sa_job.c @@ -46,18 +46,14 @@ struct private_delete_child_sa_job_t { u_int32_t spi; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_delete_child_sa_job_t *this) +METHOD(job_t, destroy, void, + private_delete_child_sa_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_delete_child_sa_job_t *this) +METHOD(job_t, execute, void, + private_delete_child_sa_job_t *this) { ike_sa_t *ike_sa; @@ -84,16 +80,19 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { - private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - this->protocol = protocol; - this->spi = spi; + private_delete_child_sa_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .protocol = protocol, + .spi = spi, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c index dffd08ba3..da3ecf06f 100644 --- a/src/libcharon/processing/jobs/delete_ike_sa_job.c +++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c @@ -41,19 +41,15 @@ struct private_delete_ike_sa_job_t { }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_delete_ike_sa_job_t *this) +METHOD(job_t, destroy, void, + private_delete_ike_sa_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_delete_ike_sa_job_t *this) +METHOD(job_t, execute, void, + private_delete_ike_sa_job_t *this) { ike_sa_t *ike_sa; @@ -102,15 +98,18 @@ static void execute(private_delete_ike_sa_job_t *this) delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool delete_if_established) { - private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t *)) destroy;; + private_delete_ike_sa_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->delete_if_established = delete_if_established; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .delete_if_established = delete_if_established, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c index 05f47340c..5e7c7ae88 100644 --- a/src/libcharon/processing/jobs/migrate_job.c +++ b/src/libcharon/processing/jobs/migrate_job.c @@ -57,10 +57,8 @@ struct private_migrate_job_t { host_t *remote; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_migrate_job_t *this) +METHOD(job_t, destroy, void, + private_migrate_job_t *this) { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); @@ -69,10 +67,8 @@ static void destroy(private_migrate_job_t *this) free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_migrate_job_t *this) +METHOD(job_t, execute, void, + private_migrate_job_t *this) { ike_sa_t *ike_sa = NULL; @@ -133,18 +129,21 @@ migrate_job_t *migrate_job_create(u_int32_t reqid, policy_dir_t dir, host_t *local, host_t *remote) { - private_migrate_job_t *this = malloc_thing(private_migrate_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts; - this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts; - this->local = local; - this->remote = remote; + private_migrate_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts, + .dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts, + .local = local, + .remote = remote, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c index a47d48e38..b6de4fc0f 100644 --- a/src/libcharon/processing/jobs/process_message_job.c +++ b/src/libcharon/processing/jobs/process_message_job.c @@ -35,19 +35,15 @@ struct private_process_message_job_t { message_t *message; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_process_message_job_t *this) +METHOD(job_t, destroy, void, + private_process_message_job_t *this) { this->message->destroy(this->message); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_process_message_job_t *this) +METHOD(job_t, execute, void, + private_process_message_job_t *this) { ike_sa_t *ike_sa; @@ -93,14 +89,17 @@ static void execute(private_process_message_job_t *this) */ process_message_job_t *process_message_job_create(message_t *message) { - private_process_message_job_t *this = malloc_thing(private_process_message_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void(*)(job_t*))destroy; + private_process_message_job_t *this; - /* private variables */ - this->message = message; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .message = message, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index b797d181e..2bcee2ddf 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c @@ -45,18 +45,14 @@ struct private_rekey_child_sa_job_t { u_int32_t spi; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_rekey_child_sa_job_t *this) +METHOD(job_t, destroy, void, + private_rekey_child_sa_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_rekey_child_sa_job_t *this) +METHOD(job_t, execute, void, + private_rekey_child_sa_job_t *this) { ike_sa_t *ike_sa; @@ -82,16 +78,19 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { - private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_rekey_child_sa_job_t *this; - /* private variables */ - this->reqid = reqid; - this->protocol = protocol; - this->spi = spi; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .protocol = protocol, + .spi = spi, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c index 5ec0b1b88..dc86ba9b3 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c @@ -39,19 +39,15 @@ struct private_rekey_ike_sa_job_t { bool reauth; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_rekey_ike_sa_job_t *this) +METHOD(job_t, destroy, void, + private_rekey_ike_sa_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_rekey_ike_sa_job_t *this) +METHOD(job_t, execute, void, + private_rekey_ike_sa_job_t *this) { ike_sa_t *ike_sa; status_t status = SUCCESS; @@ -90,15 +86,18 @@ static void execute(private_rekey_ike_sa_job_t *this) */ rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth) { - private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_rekey_ike_sa_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->reauth = reauth; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .reauth = reauth, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c index fc787f208..1c78abd27 100644 --- a/src/libcharon/processing/jobs/retransmit_job.c +++ b/src/libcharon/processing/jobs/retransmit_job.c @@ -40,19 +40,15 @@ struct private_retransmit_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_retransmit_job_t *this) +METHOD(job_t, destroy, void, + private_retransmit_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_retransmit_job_t *this) +METHOD(job_t, execute, void, + private_retransmit_job_t *this) { ike_sa_t *ike_sa; @@ -79,15 +75,18 @@ static void execute(private_retransmit_job_t *this) */ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id) { - private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_retransmit_job_t *this; - /* private variables */ - this->message_id = message_id; - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .message_id = message_id, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c index adc884a8a..74ef8bd6d 100644 --- a/src/libcharon/processing/jobs/roam_job.c +++ b/src/libcharon/processing/jobs/roam_job.c @@ -38,18 +38,14 @@ struct private_roam_job_t { bool address; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_roam_job_t *this) +METHOD(job_t, destroy, void, + private_roam_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_roam_job_t *this) +METHOD(job_t, execute, void, + private_roam_job_t *this) { ike_sa_t *ike_sa; linked_list_t *list; @@ -94,12 +90,17 @@ static void execute(private_roam_job_t *this) */ roam_job_t *roam_job_create(bool address) { - private_roam_job_t *this = malloc_thing(private_roam_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - - this->address = address; + private_roam_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .address = address, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c index 1c2da52b8..47b525363 100644 --- a/src/libcharon/processing/jobs/send_dpd_job.c +++ b/src/libcharon/processing/jobs/send_dpd_job.c @@ -38,19 +38,15 @@ struct private_send_dpd_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_send_dpd_job_t *this) +METHOD(job_t, destroy, void, + private_send_dpd_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_send_dpd_job_t *this) +METHOD(job_t, execute, void, + private_send_dpd_job_t *this) { ike_sa_t *ike_sa; @@ -75,14 +71,17 @@ static void execute(private_send_dpd_job_t *this) */ send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) { - private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_send_dpd_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c index 3d02cea2e..8d98aad7e 100644 --- a/src/libcharon/processing/jobs/send_keepalive_job.c +++ b/src/libcharon/processing/jobs/send_keepalive_job.c @@ -38,19 +38,15 @@ struct private_send_keepalive_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_send_keepalive_job_t *this) +METHOD(job_t, destroy, void, + private_send_keepalive_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_send_keepalive_job_t *this) +METHOD(job_t, execute, void, + private_send_keepalive_job_t *this) { ike_sa_t *ike_sa; @@ -69,14 +65,17 @@ static void execute(private_send_keepalive_job_t *this) */ send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) { - private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_send_keepalive_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c new file mode 100644 index 000000000..5dda18be2 --- /dev/null +++ b/src/libcharon/processing/jobs/start_action_job.c @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "start_action_job.h" + +#include + + +typedef struct private_start_action_job_t private_start_action_job_t; + +/** + * Private data of an start_action_job_t object. + */ +struct private_start_action_job_t { + /** + * Public start_action_job_t interface. + */ + start_action_job_t public; +}; + +METHOD(job_t, destroy, void, + private_start_action_job_t *this) +{ + free(this); +} + +METHOD(job_t, execute, void, + private_start_action_job_t *this) +{ + enumerator_t *enumerator, *children; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + char *name; + + enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, + NULL, NULL, NULL, NULL); + while (enumerator->enumerate(enumerator, &peer_cfg)) + { + if (peer_cfg->get_ike_version(peer_cfg) != 2) + { + continue; + } + + children = peer_cfg->create_child_cfg_enumerator(peer_cfg); + while (children->enumerate(children, &child_cfg)) + { + name = child_cfg->get_name(child_cfg); + + switch (child_cfg->get_start_action(child_cfg)) + { + case ACTION_RESTART: + DBG1(DBG_JOB, "start action: initiate '%s'", name); + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), + child_cfg->get_ref(child_cfg), + NULL, NULL); + break; + case ACTION_ROUTE: + DBG1(DBG_JOB, "start action: route '%s'", name); + charon->traps->install(charon->traps, peer_cfg, child_cfg); + break; + case ACTION_NONE: + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + destroy(this); +} + +/* + * Described in header + */ +start_action_job_t *start_action_job_create(void) +{ + private_start_action_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + ) + return &this->public; +} + diff --git a/src/libcharon/processing/jobs/start_action_job.h b/src/libcharon/processing/jobs/start_action_job.h new file mode 100644 index 000000000..ffc167c05 --- /dev/null +++ b/src/libcharon/processing/jobs/start_action_job.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup start_action_job start_action_job + * @{ @ingroup cjobs + */ + +#ifndef START_ACTION_JOB_H_ +#define START_ACTION_JOB_H_ + +typedef struct start_action_job_t start_action_job_t; + +#include +#include + +/** + * Class representing a start_action Job. + * + * This job handles all child configurations stored in an [SQL database] + * backend according to their start_action field (start, route, none). + */ +struct start_action_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * Creates a job of type start_action. + * + * @return start_action_job_t object + */ +start_action_job_t *start_action_job_create(void); + +#endif /** START_ACTION_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c index 17dce2548..3b4e9949f 100644 --- a/src/libcharon/processing/jobs/update_sa_job.c +++ b/src/libcharon/processing/jobs/update_sa_job.c @@ -43,19 +43,15 @@ struct private_update_sa_job_t { host_t *new; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_update_sa_job_t *this) +METHOD(job_t, destroy, void, + private_update_sa_job_t *this) { this->new->destroy(this->new); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_update_sa_job_t *this) +METHOD(job_t, execute, void, + private_update_sa_job_t *this) { ike_sa_t *ike_sa; @@ -71,7 +67,7 @@ static void execute(private_update_sa_job_t *this) if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) && !ike_sa->has_condition(ike_sa, COND_NAT_HERE)) { - ike_sa->update_hosts(ike_sa, NULL, this->new); + ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE); } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -83,13 +79,18 @@ static void execute(private_update_sa_job_t *this) */ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) { - private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - - this->reqid = reqid; - this->new = new; + private_update_sa_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .new = new, + ); return &this->public; } diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c index cd340e53e..83f5fbaad 100644 --- a/src/libcharon/sa/authenticators/authenticator.c +++ b/src/libcharon/sa/authenticators/authenticator.c @@ -39,7 +39,8 @@ ENUM_END(auth_method_names, AUTH_ECDSA_521); */ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) { @@ -47,13 +48,14 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, /* defaults to PUBKEY */ case AUTH_CLASS_PUBKEY: return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa, - received_nonce, sent_init); + received_nonce, sent_init, reserved); case AUTH_CLASS_PSK: return (authenticator_t*)psk_authenticator_create_builder(ike_sa, - received_nonce, sent_init); + received_nonce, sent_init, reserved); case AUTH_CLASS_EAP: return (authenticator_t*)eap_authenticator_create_builder(ike_sa, - received_nonce, sent_nonce, received_init, sent_init); + received_nonce, sent_nonce, + received_init, sent_init, reserved); default: return NULL; } @@ -65,7 +67,8 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { auth_payload_t *auth_payload; @@ -73,7 +76,8 @@ authenticator_t *authenticator_create_verifier( if (auth_payload == NULL) { return (authenticator_t*)eap_authenticator_create_verifier(ike_sa, - received_nonce, sent_nonce, received_init, sent_init); + received_nonce, sent_nonce, + received_init, sent_init, reserved); } switch (auth_payload->get_auth_method(auth_payload)) { @@ -82,10 +86,10 @@ authenticator_t *authenticator_create_verifier( case AUTH_ECDSA_384: case AUTH_ECDSA_521: return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa, - sent_nonce, received_init); + sent_nonce, received_init, reserved); case AUTH_PSK: return (authenticator_t*)psk_authenticator_create_verifier(ike_sa, - sent_nonce, received_init); + sent_nonce, received_init, reserved); default: return NULL; } diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index 89178b5cf..d27e006a3 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -130,12 +130,14 @@ struct authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of the ID payload * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_builder( ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify signatures. @@ -146,11 +148,13 @@ authenticator_t *authenticator_create_builder( * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of the ID payload * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); #endif /** AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index 8b22fd1d7..dea02755d 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -57,6 +57,11 @@ struct private_eap_authenticator_t { */ chunk_t sent_init; + /** + * Reserved bytes of ID payload + */ + char reserved[3]; + /** * Current EAP method processing */ @@ -422,7 +427,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, other_id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, - this->msk, other_id); + this->msk, other_id, this->reserved); recv_auth_data = auth_payload->get_data(auth_payload); if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) { @@ -458,7 +463,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); - auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id); + auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, + this->msk, my_id, this->reserved); auth_payload = auth_payload_create(); auth_payload->set_auth_method(auth_payload, AUTH_PSK); auth_payload->set_data(auth_payload, auth_data); @@ -642,7 +648,8 @@ METHOD(authenticator_t, destroy, void, */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { private_eap_authenticator_t *this; @@ -661,6 +668,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } @@ -670,7 +678,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { private_eap_authenticator_t *this; @@ -689,6 +698,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h index 41eb6a8c9..726411a18 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.h +++ b/src/libcharon/sa/authenticators/eap_authenticator.h @@ -75,11 +75,13 @@ struct eap_authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to authenticate EAP clients. @@ -89,10 +91,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); #endif /** EAP_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index e69f30dcf..21fc0f9b8 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c @@ -45,12 +45,15 @@ struct private_psk_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; + + /** + * Reserved bytes of ID payload + */ + char reserved[3]; }; -/* - * Implementation of authenticator_t.build for builder - */ -static status_t build(private_psk_authenticator_t *this, message_t *message) +METHOD(authenticator_t, build, status_t, + private_psk_authenticator_t *this, message_t *message) { identification_t *my_id, *other_id; auth_payload_t *auth_payload; @@ -70,7 +73,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) return NOT_FOUND; } auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, - this->nonce, key->get_key(key), my_id); + this->nonce, key->get_key(key), my_id, this->reserved); key->destroy(key); DBG2(DBG_IKE, "successfully created shared key MAC"); auth_payload = auth_payload_create(); @@ -82,10 +85,8 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of authenticator_t.process for verifier - */ -static status_t process(private_psk_authenticator_t *this, message_t *message) +METHOD(authenticator_t, process, status_t, + private_psk_authenticator_t *this, message_t *message) { chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; @@ -113,7 +114,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) keys_found++; auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, - this->nonce, key->get_key(key), other_id); + this->nonce, key->get_key(key), other_id, this->reserved); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", @@ -141,19 +142,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of authenticator_t.process for builder - * Implementation of authenticator_t.build for verifier - */ -static status_t return_failed() -{ - return FAILED; -} - -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy(private_psk_authenticator_t *this) +METHOD(authenticator_t, destroy, void, + private_psk_authenticator_t *this) { free(this); } @@ -162,18 +152,25 @@ static void destroy(private_psk_authenticator_t *this) * Described in header. */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init) + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]) { - private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = sent_init; - this->nonce = received_nonce; + private_psk_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = _build, + .process = (void*)return_failed, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = sent_init, + .nonce = received_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } @@ -182,18 +179,25 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init) + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]) { - private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = received_init; - this->nonce = sent_nonce; + private_psk_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = (void*)return_failed, + .process = _process, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = received_init, + .nonce = sent_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h index 0fab11095..8cf1a0f98 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.h +++ b/src/libcharon/sa/authenticators/psk_authenticator.h @@ -42,10 +42,12 @@ struct psk_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init); + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify PSK signatures. @@ -53,9 +55,11 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init); + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]); #endif /** PSK_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index 54b4338bb..247891670 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -46,12 +46,15 @@ struct private_pubkey_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; + + /** + * Reserved bytes of ID payload + */ + char reserved[3]; }; -/** - * Implementation of authenticator_t.build for builder - */ -static status_t build(private_pubkey_authenticator_t *this, message_t *message) +METHOD(authenticator_t, build, status_t, + private_pubkey_authenticator_t *this, message_t *message) { chunk_t octets, auth_data; status_t status = FAILED; @@ -109,7 +112,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) } keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, - this->nonce, id); + this->nonce, id, this->reserved); if (private->sign(private, scheme, octets, &auth_data)) { auth_payload = auth_payload_create(); @@ -128,10 +131,8 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) return status; } -/** - * Implementation of authenticator_t.process for verifier - */ -static status_t process(private_pubkey_authenticator_t *this, message_t *message) +METHOD(authenticator_t, process, status_t, + private_pubkey_authenticator_t *this, message_t *message) { public_key_t *public; auth_method_t auth_method; @@ -175,7 +176,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, - this->nonce, id); + this->nonce, id, this->reserved); auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, key_type, id, auth); @@ -206,19 +207,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message return status; } -/** - * Implementation of authenticator_t.process for builder - * Implementation of authenticator_t.build for verifier - */ -static status_t return_failed() -{ - return FAILED; -} - -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy(private_pubkey_authenticator_t *this) +METHOD(authenticator_t, destroy, void, + private_pubkey_authenticator_t *this) { free(this); } @@ -227,18 +217,25 @@ static void destroy(private_pubkey_authenticator_t *this) * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init) + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]) { - private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); + private_pubkey_authenticator_t *this; - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = sent_init; - this->nonce = received_nonce; + INIT(this, + .public = { + .authenticator = { + .build = _build, + .process = (void*)return_failed, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = sent_init, + .nonce = received_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } @@ -247,18 +244,25 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init) + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]) { - private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + private_pubkey_authenticator_t *this; - this->ike_sa = ike_sa; - this->ike_sa_init = received_init; - this->nonce = sent_nonce; + INIT(this, + .public = { + .authenticator = { + .build = (void*)return_failed, + .process = _process, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = received_init, + .nonce = sent_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h index be369cb89..4c3937ecc 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.h +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h @@ -43,10 +43,12 @@ struct pubkey_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init); + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify public key signatures. @@ -54,9 +56,11 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init); + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]); #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index b6ef31da0..495929965 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -559,13 +559,14 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t, METHOD(child_sa_t, install, status_t, private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi, - u_int16_t cpi, bool inbound, linked_list_t *my_ts, + u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts) { u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; traffic_selector_t *src_ts = NULL, *dst_ts = NULL; time_t now; lifetime_cfg_t *lifetime; + u_int32_t tfc = 0; host_t *src, *dst; status_t status; bool update = FALSE; @@ -590,6 +591,11 @@ METHOD(child_sa_t, install, status_t, dst = this->other_addr; this->other_spi = spi; this->other_cpi = cpi; + + if (tfcv3) + { + tfc = this->config->get_tfc(this->config); + } } DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound", @@ -620,7 +626,7 @@ METHOD(child_sa_t, install, status_t, lifetime->time.rekey = 0; } - if (this->mode == MODE_BEET) + if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT) { /* BEET requires the bound address from the traffic selectors. * TODO: We add just the first traffic selector for now, as the @@ -639,7 +645,7 @@ METHOD(child_sa_t, install, status_t, status = hydra->kernel_interface->add_sa(hydra->kernel_interface, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, - inbound ? this->mark_in : this->mark_out, + inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 95bc297b0..f17ef01ac 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -313,12 +313,13 @@ struct child_sa_t { * @param spi SPI to use, allocated for inbound * @param cpi CPI to use, allocated for outbound * @param inbound TRUE to install an inbound SA, FALSE for outbound + * @param tfcv3 TRUE if peer supports ESPv3 TFC * @param my_ts negotiated local traffic selector list * @param other_ts negotiated remote traffic selector list * @return SUCCESS or FAILED */ status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ, - u_int32_t spi, u_int16_t cpi, bool inbound, + u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts); /** * Install the policies using some traffic selectors. diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c index 1fb286863..972cc98ad 100644 --- a/src/libcharon/sa/connect_manager.c +++ b/src/libcharon/sa/connect_manager.c @@ -1194,7 +1194,10 @@ static job_requeue_t initiate_mediated(initiate_data_t *data) DBG1(DBG_IKE, "establishing mediated connection failed"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); + } } iterator->destroy(iterator); } diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index a4e4028ab..9b6f9d06d 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -50,6 +50,7 @@ #include #include #include +#include #ifdef ME #include @@ -559,13 +560,6 @@ METHOD(ike_sa_t, send_dpd, status_t, time_t diff, delay; delay = this->peer_cfg->get_dpd(this->peer_cfg); - - if (delay == 0) - { - /* DPD disabled */ - return SUCCESS; - } - if (this->task_manager->busy(this->task_manager)) { /* an exchange is in the air, no need to start a DPD check */ @@ -578,7 +572,7 @@ METHOD(ike_sa_t, send_dpd, status_t, last_in = get_use_time(this, TRUE); now = time_monotonic(NULL); diff = now - last_in; - if (diff >= delay) + if (!delay || diff >= delay) { /* to long ago, initiate dead peer detection */ task_t *task; @@ -604,8 +598,11 @@ METHOD(ike_sa_t, send_dpd, status_t, } } /* recheck in "interval" seconds */ - job = (job_t*)send_dpd_job_create(this->ike_sa_id); - lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); + if (delay) + { + job = (job_t*)send_dpd_job_create(this->ike_sa_id); + lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); + } return SUCCESS; } @@ -680,7 +677,10 @@ METHOD(ike_sa_t, set_state, void, } /* start DPD checks */ - send_dpd(this); + if (this->peer_cfg->get_dpd(this->peer_cfg)) + { + send_dpd(this); + } } break; } @@ -825,7 +825,7 @@ METHOD(ike_sa_t, float_ports, void, } METHOD(ike_sa_t, update_hosts, void, - private_ike_sa_t *this, host_t *me, host_t *other) + private_ike_sa_t *this, host_t *me, host_t *other, bool force) { bool update = FALSE; @@ -858,7 +858,7 @@ METHOD(ike_sa_t, update_hosts, void, if (!other->equals(other, this->other_host)) { /* update others adress if we are NOT NATed */ - if (!has_condition(this, COND_NAT_HERE)) + if (force || !has_condition(this, COND_NAT_HERE)) { set_other_host(this, other->clone(other)); update = TRUE; @@ -891,8 +891,14 @@ METHOD(ike_sa_t, update_hosts, void, METHOD(ike_sa_t, generate_message, status_t, private_ike_sa_t *this, message_t *message, packet_t **packet) { + if (message->is_encoded(message)) + { /* already done */ + *packet = message->get_packet(message); + return SUCCESS; + } this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); + charon->bus->message(charon->bus, message, FALSE); return message->generate(message, this->keymat->get_aead(this->keymat, FALSE), packet); } @@ -901,7 +907,7 @@ METHOD(ike_sa_t, generate_message, status_t, * send a notify back to the sender */ static void send_notify_response(private_ike_sa_t *this, message_t *request, - notify_type_t type) + notify_type_t type, chunk_t data) { message_t *response; packet_t *packet; @@ -910,7 +916,7 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request, response->set_exchange_type(response, request->get_exchange_type(request)); response->set_request(response, FALSE); response->set_message_id(response, request->get_message_id(request)); - response->add_notify(response, FALSE, type, chunk_empty); + response->add_notify(response, FALSE, type, data); if (this->my_host->is_anyaddr(this->my_host)) { this->my_host->destroy(this->my_host); @@ -1175,6 +1181,7 @@ METHOD(ike_sa_t, process_message, status_t, { status_t status; bool is_request; + u_int8_t type = 0; if (this->state == IKE_PASSIVE) { /* do not handle messages in passive state */ @@ -1185,9 +1192,29 @@ METHOD(ike_sa_t, process_message, status_t, status = message->parse_body(message, this->keymat->get_aead(this->keymat, TRUE)); + if (status == SUCCESS) + { /* check for unsupported critical payloads */ + enumerator_t *enumerator; + unknown_payload_t *unknown; + payload_t *payload; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + unknown = (unknown_payload_t*)payload; + type = payload->get_type(payload); + if (!payload_is_known(type) && + unknown->is_critical(unknown)) + { + DBG1(DBG_ENC, "payload type %N is not supported, " + "but its critical!", payload_type_names, type); + status = NOT_SUPPORTED; + } + } + enumerator->destroy(enumerator); + } if (status != SUCCESS) { - if (is_request) { switch (status) @@ -1196,21 +1223,28 @@ METHOD(ike_sa_t, process_message, status_t, DBG1(DBG_IKE, "critical unknown payloads found"); if (is_request) { - send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); + send_notify_response(this, message, + UNSUPPORTED_CRITICAL_PAYLOAD, + chunk_from_thing(type)); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case PARSE_ERROR: DBG1(DBG_IKE, "message parsing failed"); if (is_request) { - send_notify_response(this, message, INVALID_SYNTAX); + send_notify_response(this, message, + INVALID_SYNTAX, chunk_empty); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case VERIFY_ERROR: DBG1(DBG_IKE, "message verification failed"); if (is_request) { - send_notify_response(this, message, INVALID_SYNTAX); + send_notify_response(this, message, + INVALID_SYNTAX, chunk_empty); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case FAILED: @@ -1219,10 +1253,6 @@ METHOD(ike_sa_t, process_message, status_t, break; case INVALID_STATE: DBG1(DBG_IKE, "found encrypted message, but no keys available"); - if (is_request) - { - send_notify_response(this, message, INVALID_SYNTAX); - } default: break; } @@ -1252,7 +1282,8 @@ METHOD(ike_sa_t, process_message, status_t, /* no config found for these hosts, destroy */ DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N", me, other, notify_type_names, NO_PROPOSAL_CHOSEN); - send_notify_response(this, message, NO_PROPOSAL_CHOSEN); + send_notify_response(this, message, + NO_PROPOSAL_CHOSEN, chunk_empty); return DESTROY_ME; } /* add a timeout if peer does not establish it completely */ diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c0007e27d..988100bcc 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -343,8 +343,9 @@ struct ike_sa_t { * * @param me new local host address, or NULL * @param other new remote host address, or NULL + * @param force force update */ - void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other); + void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force); /** * Get the own identification. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index fa94bb86d..d695c7f7c 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2005-2011 Martin Willi + * Copyright (C) 2011 revosec AG * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -85,7 +86,9 @@ struct entry_t { chunk_t init_hash; /** - * remote host address, required for DoS detection + * remote host address, required for DoS detection and duplicate + * checking (host with same my_id and other_id is *not* considered + * a duplicate if the address family differs) */ host_t *other; @@ -241,6 +244,9 @@ struct connected_peers_t { /** remote identity */ identification_t *other_id; + /** ip address family of peer */ + int family; + /** list of ike_sa_id_t objects of IKE_SAs between the two identities */ linked_list_t *sas; }; @@ -257,10 +263,12 @@ static void connected_peers_destroy(connected_peers_t *this) * Function that matches connected_peers_t objects by the given ids. */ static bool connected_peers_match(connected_peers_t *connected_peers, - identification_t *my_id, identification_t *other_id) + identification_t *my_id, identification_t *other_id, + uintptr_t family) { return my_id->equals(my_id, connected_peers->my_id) && - other_id->equals(other_id, connected_peers->other_id); + other_id->equals(other_id, connected_peers->other_id) && + family == connected_peers->family; } typedef struct segment_t segment_t; @@ -396,7 +404,7 @@ static void lock_all_segments(private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->lock(this->segments[i].mutex); } @@ -409,7 +417,7 @@ static void unlock_all_segments(private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->unlock(this->segments[i].mutex); } @@ -453,10 +461,8 @@ struct private_enumerator_t { enumerator_t *current; }; -/** - * Implementation of private_enumerator_t.enumerator.enumerate. - */ -static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment) +METHOD(enumerator_t, enumerate, bool, + private_enumerator_t *this, entry_t **entry, u_int *segment) { if (this->entry) { @@ -502,10 +508,8 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen return FALSE; } -/** - * Implementation of private_enumerator_t.enumerator.destroy. - */ -static void enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, enumerator_destroy, void, + private_enumerator_t *this) { if (this->entry) { @@ -524,16 +528,15 @@ static void enumerator_destroy(private_enumerator_t *this) */ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) { - private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); - - enumerator->enumerator.enumerate = (void*)enumerate; - enumerator->enumerator.destroy = (void*)enumerator_destroy; - enumerator->manager = this; - enumerator->segment = 0; - enumerator->entry = NULL; - enumerator->row = 0; - enumerator->current = NULL; - + private_enumerator_t *enumerator; + + INIT(enumerator, + .enumerator = { + .enumerate = (void*)_enumerate, + .destroy = _enumerator_destroy, + }, + .manager = this, + ); return &enumerator->enumerator; } @@ -544,11 +547,14 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; + + row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + segment = row & this->segment_mask; lock_single_segment(this, segment); - if ((list = this->ike_sa_table[row]) == NULL) + list = this->ike_sa_table[row]; + if (!list) { list = this->ike_sa_table[row] = linked_list_create(); } @@ -564,14 +570,17 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; - if ((list = this->ike_sa_table[row]) != NULL) + row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + segment = row & this->segment_mask; + list = this->ike_sa_table[row]; + if (list) { entry_t *current; + enumerator_t *enumerator; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { if (current == entry) @@ -609,11 +618,14 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this, { entry_t *current; linked_list_t *list; - u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask; - u_int seg = row & this->segment_mask; + u_int row, seg; + + row = ike_sa_id_hash(ike_sa_id) & this->table_mask; + seg = row & this->segment_mask; lock_single_segment(this, seg); - if ((list = this->ike_sa_table[row]) != NULL) + list = this->ike_sa_table[row]; + if (list) { if (list->find_first(list, match, (void**)¤t, p1, p2) == SUCCESS) { @@ -697,19 +709,20 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) { half_open_t *half_open = NULL; linked_list_t *list; - chunk_t addr = entry->other->get_address(entry->other); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t addr; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->half_open_segments[segment].lock; + addr = entry->other->get_address(entry->other); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment].lock; lock->write_lock(lock); - if ((list = this->half_open_table[row]) == NULL) - { - list = this->half_open_table[row] = linked_list_create(); - } - else + list = this->half_open_table[row]; + if (list) { half_open_t *current; + if (list->find_first(list, (linked_list_match_t)half_open_match, (void**)¤t, &addr) == SUCCESS) { @@ -718,12 +731,17 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) this->half_open_segments[segment].count++; } } + else + { + list = this->half_open_table[row] = linked_list_create(); + } if (!half_open) { - half_open = malloc_thing(half_open_t); - half_open->other = chunk_clone(addr); - half_open->count = 1; + INIT(half_open, + .other = chunk_clone(addr), + .count = 1, + ); list->insert_last(list, half_open); this->half_open_segments[segment].count++; } @@ -736,16 +754,22 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - chunk_t addr = entry->other->get_address(entry->other); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t addr; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->half_open_segments[segment].lock; + addr = entry->other->get_address(entry->other); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment].lock; lock->write_lock(lock); - if ((list = this->half_open_table[row]) != NULL) + list = this->half_open_table[row]; + if (list) { half_open_t *current; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator_t *enumerator; + + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { if (half_open_match(current, &addr)) @@ -769,24 +793,26 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) */ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { - linked_list_t *list; connected_peers_t *connected_peers = NULL; - chunk_t my_id = entry->my_id->get_encoding(entry->my_id), - other_id = entry->other_id->get_encoding(entry->other_id); - u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t my_id, other_id; + linked_list_t *list; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->connected_peers_segments[segment].lock; + my_id = entry->my_id->get_encoding(entry->my_id); + other_id = entry->other_id->get_encoding(entry->other_id); + row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + segment = row & this->segment_mask; + lock = this->connected_peers_segments[segment].lock; lock->write_lock(lock); - if ((list = this->connected_peers_table[row]) == NULL) - { - list = this->connected_peers_table[row] = linked_list_create(); - } - else + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; + if (list->find_first(list, (linked_list_match_t)connected_peers_match, - (void**)¤t, entry->my_id, entry->other_id) == SUCCESS) + (void**)¤t, entry->my_id, entry->other_id, + (uintptr_t)entry->other->get_family(entry->other)) == SUCCESS) { connected_peers = current; if (connected_peers->sas->find_first(connected_peers->sas, @@ -798,13 +824,19 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) } } } + else + { + list = this->connected_peers_table[row] = linked_list_create(); + } if (!connected_peers) { - connected_peers = malloc_thing(connected_peers_t); - connected_peers->my_id = entry->my_id->clone(entry->my_id); - connected_peers->other_id = entry->other_id->clone(entry->other_id); - connected_peers->sas = linked_list_create(); + INIT(connected_peers, + .my_id = entry->my_id->clone(entry->my_id), + .other_id = entry->other_id->clone(entry->other_id), + .family = entry->other->get_family(entry->other), + .sas = linked_list_create(), + ); list->insert_last(list, connected_peers); } connected_peers->sas->insert_last(connected_peers->sas, @@ -818,24 +850,34 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) */ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { + chunk_t my_id, other_id; linked_list_t *list; - chunk_t my_id = entry->my_id->get_encoding(entry->my_id), - other_id = entry->other_id->get_encoding(entry->other_id); - u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; + rwlock_t *lock; + + my_id = entry->my_id->get_encoding(entry->my_id); + other_id = entry->other_id->get_encoding(entry->other_id); + row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + segment = row & this->segment_mask; - rwlock_t *lock = this->connected_peers_segments[segment].lock; + lock = this->connected_peers_segments[segment].lock; lock->write_lock(lock); - if ((list = this->connected_peers_table[row]) != NULL) + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator_t *enumerator; + + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { - if (connected_peers_match(current, entry->my_id, entry->other_id)) + if (connected_peers_match(current, entry->my_id, entry->other_id, + (uintptr_t)entry->other->get_family(entry->other))) { ike_sa_id_t *ike_sa_id; - enumerator_t *inner = current->sas->create_enumerator(current->sas); + enumerator_t *inner; + + inner = current->sas->create_enumerator(current->sas); while (inner->enumerate(inner, &ike_sa_id)) { if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id)) @@ -861,20 +903,21 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr } /** - * Implementation of private_ike_sa_manager_t.get_next_spi. + * Get a random SPI for new IKE_SAs */ -static u_int64_t get_next_spi(private_ike_sa_manager_t *this) +static u_int64_t get_spi(private_ike_sa_manager_t *this) { - u_int64_t spi; + u_int64_t spi = 0; - this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi); + if (this->rng) + { + this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi); + } return spi; } -/** - * Implementation of of ike_sa_manager.checkout. - */ -static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) +METHOD(ike_sa_manager_t, checkout, ike_sa_t*, + private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) { ike_sa_t *ike_sa = NULL; entry_t *entry; @@ -897,62 +940,46 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_new. - */ -static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) +METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, + private_ike_sa_manager_t* this, bool initiator) { ike_sa_id_t *ike_sa_id; ike_sa_t *ike_sa; - entry_t *entry; - u_int segment; if (initiator) { - ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE); + ike_sa_id = ike_sa_id_create(get_spi(this), 0, TRUE); } else { - ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE); + ike_sa_id = ike_sa_id_create(0, get_spi(this), FALSE); } ike_sa = ike_sa_create(ike_sa_id); + ike_sa_id->destroy(ike_sa_id); DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); - if (!initiator) - { - ike_sa_id->destroy(ike_sa_id); - return ike_sa; - } - - entry = entry_create(); - entry->ike_sa_id = ike_sa_id; - entry->ike_sa = ike_sa; - segment = put_entry(this, entry); - entry->checked_out = TRUE; - unlock_single_segment(this, segment); - return entry->ike_sa; + return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_message. - */ -static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, - message_t *message) +METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, + private_ike_sa_manager_t* this, message_t *message) { u_int segment; entry_t *entry; ike_sa_t *ike_sa = NULL; - ike_sa_id_t *id = message->get_ike_sa_id(message); + ike_sa_id_t *id; + id = message->get_ike_sa_id(message); id = id->clone(id); id->switch_initiator(id); DBG2(DBG_MGR, "checkout IKE_SA by message"); if (message->get_request(message) && - message->get_exchange_type(message) == IKE_SA_INIT) + message->get_exchange_type(message) == IKE_SA_INIT && + this->hasher) { /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */ chunk_t data, hash; @@ -988,7 +1015,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, message->get_exchange_type(message) == IKE_SA_INIT) { /* no IKE_SA found, create a new one */ - id->set_responder_spi(id, get_next_spi(this)); + id->set_responder_spi(id, get_spi(this)); entry = entry_create(); entry->ike_sa = ike_sa_create(id); entry->ike_sa_id = id->clone(id); @@ -1048,11 +1075,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_config. - */ -static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, - peer_cfg_t *peer_cfg) +METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) { enumerator_t *enumerator; entry_t *entry; @@ -1107,11 +1131,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_id. - */ -static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, - bool child) +METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, + private_ike_sa_manager_t *this, u_int32_t id, bool child) { enumerator_t *enumerator; iterator_t *children; @@ -1164,11 +1185,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_name. - */ -static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name, - bool child) +METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, + private_ike_sa_manager_t *this, char *name, bool child) { enumerator_t *enumerator; iterator_t *children; @@ -1233,20 +1251,15 @@ static bool enumerator_filter(private_ike_sa_manager_t *this, return FALSE; } -/** - * Implementation of ike_sa_manager_t.create_enumerator. - */ -static enumerator_t *create_enumerator(private_ike_sa_manager_t* this) +METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*, + private_ike_sa_manager_t* this) { - return enumerator_create_filter( - create_table_enumerator(this), - (void*)enumerator_filter, this, NULL); + return enumerator_create_filter(create_table_enumerator(this), + (void*)enumerator_filter, this, NULL); } -/** - * Implementation of ike_sa_manager_t.checkin. - */ -static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, checkin, void, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { /* to check the SA back in, we look for the pointer of the ike_sa * in all entries. @@ -1311,13 +1324,16 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) segment = put_entry(this, entry); } - /* apply identities for duplicate test (only as responder) */ - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + /* apply identities for duplicate test */ + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && entry->my_id == NULL && entry->other_id == NULL) { entry->my_id = my_id->clone(my_id); entry->other_id = other_id->clone(other_id); + if (!entry->other) + { + entry->other = other->clone(other); + } put_connected_peers(this, entry); } @@ -1326,10 +1342,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) charon->bus->set_sa(charon->bus, NULL); } -/** - * Implementation of ike_sa_manager_t.checkin_and_destroy. - */ -static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, checkin_and_destroy, void, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { /* deletion is a bit complex, we must ensure that no thread is waiting for * this SA. @@ -1366,8 +1380,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa { remove_half_open(this, entry); } - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - entry->my_id && entry->other_id) + if (entry->my_id && entry->other_id) { remove_connected_peers(this, entry); } @@ -1384,11 +1397,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa charon->bus->set_sa(charon->bus, NULL); } - -/** - * Implementation of ike_sa_manager_t.check_uniqueness. - */ -static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, check_uniqueness, bool, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace) { bool cancel = FALSE; peer_cfg_t *peer_cfg; @@ -1402,7 +1412,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) peer_cfg = ike_sa->get_peer_cfg(ike_sa); policy = peer_cfg->get_unique_policy(peer_cfg); - if (policy == UNIQUE_NO) + if (policy == UNIQUE_NO && !force_replace) { return FALSE; } @@ -1416,12 +1426,16 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) lock = this->connected_peers_segments[segment & this->segment_mask].lock; lock->read_lock(lock); - if ((list = this->connected_peers_table[row]) != NULL) + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; + host_t *other_host; + other_host = ike_sa->get_other_host(ike_sa); if (list->find_first(list, (linked_list_match_t)connected_peers_match, - (void**)¤t, me, other) == SUCCESS) + (void**)¤t, me, other, + (uintptr_t)other_host->get_family(other_host)) == SUCCESS) { /* clone the list, so we can release the lock */ duplicate_ids = current->sas->clone_offset(current->sas, @@ -1446,6 +1460,13 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { continue; } + if (force_replace) + { + DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', " + "received INITIAL_CONTACT", other); + checkin_and_destroy(this, duplicate); + continue; + } peer_cfg = duplicate->get_peer_cfg(duplicate); if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa))) { @@ -1490,21 +1511,49 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) return cancel; } -/** - * Implementation of ike_sa_manager_t.get_half_open_count. - */ -static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip) +METHOD(ike_sa_manager_t, has_contact, bool, + private_ike_sa_manager_t *this, identification_t *me, + identification_t *other, int family) +{ + linked_list_t *list; + u_int row, segment; + rwlock_t *lock; + bool found = FALSE; + + row = chunk_hash_inc(other->get_encoding(other), + chunk_hash(me->get_encoding(me))) & this->table_mask; + segment = row & this->segment_mask; + lock = this->connected_peers_segments[segment & this->segment_mask].lock; + lock->read_lock(lock); + list = this->connected_peers_table[row]; + if (list) + { + if (list->find_first(list, (linked_list_match_t)connected_peers_match, + NULL, me, other, family) == SUCCESS) + { + found = TRUE; + } + } + lock->unlock(lock); + + return found; +} + +METHOD(ike_sa_manager_t, get_half_open_count, int, + private_ike_sa_manager_t *this, host_t *ip) { + linked_list_t *list; + u_int segment, row; + rwlock_t *lock; + chunk_t addr; int count = 0; if (ip) { - linked_list_t *list; - chunk_t addr = ip->get_address(ip); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; - - rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock; + addr = ip->get_address(ip); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment & this->segment_mask].lock; lock->read_lock(lock); if ((list = this->half_open_table[row]) != NULL) { @@ -1520,25 +1569,19 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip) } else { - u_int segment; - - for (segment = 0; segment < this->segment_count; ++segment) + for (segment = 0; segment < this->segment_count; segment++) { - rwlock_t *lock; lock = this->half_open_segments[segment & this->segment_mask].lock; lock->read_lock(lock); count += this->half_open_segments[segment].count; lock->unlock(lock); } } - return count; } -/** - * Implementation of ike_sa_manager_t.flush. - */ -static void flush(private_ike_sa_manager_t *this) +METHOD(ike_sa_manager_t, flush, void, + private_ike_sa_manager_t *this) { /* destroy all list entries */ enumerator_t *enumerator; @@ -1602,8 +1645,7 @@ static void flush(private_ike_sa_manager_t *this) { remove_half_open(this, entry); } - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - entry->my_id && entry->other_id) + if (entry->my_id && entry->other_id) { remove_connected_peers(this, entry); } @@ -1615,37 +1657,26 @@ static void flush(private_ike_sa_manager_t *this) unlock_all_segments(this); this->rng->destroy(this->rng); + this->rng = NULL; this->hasher->destroy(this->hasher); + this->hasher = NULL; } -/** - * Implementation of ike_sa_manager_t.destroy. - */ -static void destroy(private_ike_sa_manager_t *this) +METHOD(ike_sa_manager_t, destroy, void, + private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->table_size; ++i) + for (i = 0; i < this->table_size; i++) { - linked_list_t *list; - - if ((list = this->ike_sa_table[i]) != NULL) - { - list->destroy(list); - } - if ((list = this->half_open_table[i]) != NULL) - { - list->destroy(list); - } - if ((list = this->connected_peers_table[i]) != NULL) - { - list->destroy(list); - } + DESTROY_IF(this->ike_sa_table[i]); + DESTROY_IF(this->half_open_table[i]); + DESTROY_IF(this->connected_peers_table[i]); } free(this->ike_sa_table); free(this->half_open_table); free(this->connected_peers_table); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->destroy(this->segments[i].mutex); this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock); @@ -1681,25 +1712,28 @@ static u_int get_nearest_powerof2(u_int n) */ ike_sa_manager_t *ike_sa_manager_create() { + private_ike_sa_manager_t *this; u_int i; - private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t); - - /* assign public functions */ - this->public.flush = (void(*)(ike_sa_manager_t*))flush; - this->public.destroy = (void(*)(ike_sa_manager_t*))destroy; - this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout; - this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new; - this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message; - this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config; - this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id; - this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name; - this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness; - this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator; - this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin; - this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy; - this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count; - - /* initialize private variables */ + + INIT(this, + .public = { + .checkout = _checkout, + .checkout_new = _checkout_new, + .checkout_by_message = _checkout_by_message, + .checkout_by_config = _checkout_by_config, + .checkout_by_id = _checkout_by_id, + .checkout_by_name = _checkout_by_name, + .check_uniqueness = _check_uniqueness, + .has_contact = _has_contact, + .create_enumerator = _create_enumerator, + .checkin = _checkin, + .checkin_and_destroy = _checkin_and_destroy, + .get_half_open_count = _get_half_open_count, + .flush = _flush, + .destroy = _destroy, + }, + ); + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) { @@ -1715,6 +1749,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } + this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings, "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE)); this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE)); @@ -1724,11 +1759,10 @@ ike_sa_manager_t *ike_sa_manager_create() "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT)); this->segment_count = max(1, min(this->segment_count, this->table_size)); this->segment_mask = this->segment_count - 1; - this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*)); this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->segments[i].count = 0; @@ -1737,7 +1771,7 @@ ike_sa_manager_t *ike_sa_manager_create() /* we use the same table parameters for the table to track half-open SAs */ this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*)); this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->half_open_segments[i].count = 0; @@ -1746,7 +1780,7 @@ ike_sa_manager_t *ike_sa_manager_create() /* also for the hash table used for duplicate tests */ this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*)); this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->connected_peers_segments[i].count = 0; diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index f4eabf808..ec157ab3a 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -52,9 +52,6 @@ struct ike_sa_manager_t { /** * Create and check out a new IKE_SA. * - * @note If initiator equals FALSE, the returned IKE_SA is not registered - * in the manager. - * * @param initiator TRUE for initiator, FALSE otherwise * @returns created and checked out IKE_SA */ @@ -109,10 +106,23 @@ struct ike_sa_manager_t { * deadlocks occur otherwise. * * @param ike_sa ike_sa to check + * @param force_replace replace existing SAs, regardless of unique policy * @return TRUE, if the given IKE_SA has duplicates and * should be deleted */ - bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa); + bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa, + bool force_replace); + + /** + * Check if we already have a connected IKE_SA between two identities. + * + * @param me own identity + * @param other remote identity + * @param family address family to include in uniqueness check + * @return TRUE if we have a connected IKE_SA + */ + bool (*has_contact)(ike_sa_manager_t *this, identification_t *me, + identification_t *other, int family); /** * Check out an IKE_SA a unique ID. diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index 878ad124f..33ece24b2 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -214,7 +214,7 @@ static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg, { DBG1(DBG_IKE, "%N %N (key size %d) not supported!", transform_type_names, ENCRYPTION_ALGORITHM, - encryption_algorithm_names, enc_alg, key_size); + encryption_algorithm_names, enc_alg, enc_size); signer_i->destroy(signer_i); signer_r->destroy(signer_r); return FALSE; @@ -540,7 +540,7 @@ METHOD(keymat_t, get_aead, aead_t*, METHOD(keymat_t, get_auth_octets, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id) + chunk_t nonce, identification_t *id, char reserved[3]) { chunk_t chunk, idx, octets; chunk_t skp; @@ -548,8 +548,8 @@ METHOD(keymat_t, get_auth_octets, chunk_t, skp = verify ? this->skp_verify : this->skp_build; chunk = chunk_alloca(4); - memset(chunk.ptr, 0, chunk.len); chunk.ptr[0] = id->get_type(id); + memcpy(chunk.ptr + 1, reserved, 3); idx = chunk_cata("cc", chunk, id->get_encoding(id)); DBG3(DBG_IKE, "IDx' %B", &idx); @@ -570,7 +570,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t, METHOD(keymat_t, get_psk_sig, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id) + chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) { chunk_t key_pad, key, sig, octets; @@ -578,7 +578,7 @@ METHOD(keymat_t, get_psk_sig, chunk_t, { /* EAP uses SK_p if no MSK has been established */ secret = verify ? this->skp_verify : this->skp_build; } - octets = get_auth_octets(this, verify, ike_sa_init, nonce, id); + octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved); /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), ) */ key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH); this->prf->set_key(this->prf, secret); diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index 4f01aa411..11e0fa79a 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -117,10 +117,12 @@ struct keymat_t { * @param ike_sa_init encoded ike_sa_init message * @param nonce nonce value * @param id identity + * @param reserved reserved bytes of id_payload * @return authentication octets */ chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id); + chunk_t nonce, identification_t *id, + char reserved[3]); /** * Build the shared secret signature used for PSK and EAP authentication. * @@ -133,10 +135,12 @@ struct keymat_t { * @param nonce nonce value * @param secret optional secret to include into signature * @param id identity + * @param reserved reserved bytes of id_payload * @return signature octets */ chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id); + chunk_t nonce, chunk_t secret, + identification_t *id, char reserved[3]); /** * Destroy a keymat_t. */ diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index 18703ce36..9467d1586 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -465,7 +465,6 @@ METHOD(task_manager_t, initiate, status_t, /* update exchange type if a task changed it */ this->initiating.type = message->get_exchange_type(message); - charon->bus->message(charon->bus, message, FALSE); status = this->ike_sa->generate_message(this->ike_sa, message, &this->initiating.packet); if (status != SUCCESS) @@ -654,7 +653,6 @@ static status_t build_response(private_task_manager_t *this, message_t *request) /* message complete, send it */ DESTROY_IF(this->responding.packet); this->responding.packet = NULL; - charon->bus->message(charon->bus, message, FALSE); status = this->ike_sa->generate_message(this->ike_sa, message, &this->responding.packet); message->destroy(message); @@ -882,8 +880,12 @@ static status_t process_request(private_task_manager_t *this, METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { - u_int32_t mid = msg->get_message_id(msg); - host_t *me = msg->get_destination(msg), *other = msg->get_source(msg); + host_t *me, *other; + u_int32_t mid; + + mid = msg->get_message_id(msg); + me = msg->get_destination(msg); + other = msg->get_source(msg); if (msg->get_request(msg)) { @@ -895,10 +897,14 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ - this->ike_sa->update_hosts(this->ike_sa, me, other); + this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1); } } charon->bus->message(charon->bus, msg, TRUE); + if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) + { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ + return SUCCESS; + } if (process_request(this, msg) != SUCCESS) { flush(this); @@ -909,15 +915,15 @@ METHOD(task_manager_t, process_message, status_t, else if ((mid == this->responding.mid - 1) && this->responding.packet) { packet_t *clone; - host_t *me, *other; + host_t *host; DBG1(DBG_IKE, "received retransmit of request with ID %d, " "retransmitting response", mid); clone = this->responding.packet->clone(this->responding.packet); - me = msg->get_destination(msg); - other = msg->get_source(msg); - clone->set_source(clone, me->clone(me)); - clone->set_destination(clone, other->clone(other)); + host = msg->get_destination(msg); + clone->set_source(clone, host->clone(host)); + host = msg->get_source(msg); + clone->set_destination(clone, host->clone(host)); charon->sender->send(charon->sender, clone); } else @@ -936,10 +942,14 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ - this->ike_sa->update_hosts(this->ike_sa, me, other); + this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE); } } charon->bus->message(charon->bus, msg, TRUE); + if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) + { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ + return SUCCESS; + } if (process_response(this, msg) != SUCCESS) { flush(this); @@ -1002,6 +1012,19 @@ METHOD(task_manager_t, busy, bool, return (this->active_tasks->get_count(this->active_tasks) > 0); } +METHOD(task_manager_t, incr_mid, void, + private_task_manager_t *this, bool initiate) +{ + if (initiate) + { + this->initiating.mid++; + } + else + { + this->responding.mid++; + } +} + METHOD(task_manager_t, reset, void, private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) { @@ -1085,6 +1108,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa) .queue_task = _queue_task, .initiate = _initiate, .retransmit = _retransmit, + .incr_mid = _incr_mid, .reset = _reset, .adopt_tasks = _adopt_tasks, .busy = _busy, diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 14fccd5f9..5bc6c80c4 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -148,6 +148,16 @@ struct task_manager_t { */ void (*adopt_tasks) (task_manager_t *this, task_manager_t *other); + /** + * Increment a message ID counter, in- or outbound. + * + * If a message is processed outside of the manager, this call increments + * the message ID counters of the task manager. + * + * @param inititate TRUE to increment the initiating ID + */ + void (*incr_mid)(task_manager_t *this, bool initiate); + /** * Reset message ID counters of the task manager. * diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 57beedba9..fc02a334b 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -116,6 +116,11 @@ struct private_child_create_t { */ ipsec_mode_t mode; + /** + * peer accepts TFC padding for this SA + */ + bool tfcv3; + /** * IPComp transform to use */ @@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this, { if (this->initiator) { - status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); + status_i = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); } else { - status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); + status_i = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); } } chunk_clear(&integ_i); @@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify ipcomp_transform_names, ipcomp); break; } + break; } + case ESP_TFC_PADDING_NOT_SUPPORTED: + DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding", + notify_type_names, notify->get_notify_type(notify)); + this->tfcv3 = FALSE; + break; default: break; } @@ -691,10 +706,8 @@ static void process_payloads(private_child_create_t *this, message_t *message) enumerator->destroy(enumerator); } -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_child_create_t *this, message_t *message) +METHOD(task_t, build_i, status_t, + private_child_create_t *this, message_t *message) { host_t *me, *other, *vip; peer_cfg_t *peer_cfg; @@ -831,10 +844,8 @@ static status_t build_i(private_child_create_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_child_create_t *this, message_t *message) +METHOD(task_t, process_r, status_t, + private_child_create_t *this, message_t *message) { switch (message->get_exchange_type(message)) { @@ -877,10 +888,8 @@ static void handle_child_sa_failure(private_child_create_t *this, } } -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_child_create_t *this, message_t *message) +METHOD(task_t, build_r, status_t, + private_child_create_t *this, message_t *message) { peer_cfg_t *peer_cfg; payload_t *payload; @@ -958,7 +967,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) case INTERNAL_ADDRESS_FAILURE: case FAILED_CP_REQUIRED: { - DBG1(DBG_IKE,"configuration payload negotation " + DBG1(DBG_IKE,"configuration payload negotiation " "failed, no CHILD_SA built"); enumerator->destroy(enumerator); handle_child_sa_failure(this, message); @@ -1029,10 +1038,8 @@ static status_t build_r(private_child_create_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_child_create_t *this, message_t *message) +METHOD(task_t, process_i, status_t, + private_child_create_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; @@ -1103,7 +1110,21 @@ static status_t process_i(private_child_create_t *this, message_t *message) return NEED_MORE; } default: + { + if (message->get_exchange_type(message) == CREATE_CHILD_SA) + { /* handle notifies if not handled in IKE_AUTH */ + if (type <= 16383) + { + DBG1(DBG_IKE, "received %N notify error", + notify_type_names, type); + enumerator->destroy(enumerator); + return SUCCESS; + } + DBG2(DBG_IKE, "received %N notify", + notify_type_names, type); + } break; + } } } } @@ -1155,34 +1176,20 @@ static status_t process_i(private_child_create_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_child_create_t *this) -{ - return CHILD_CREATE; -} - -/** - * Implementation of child_create_t.use_reqid - */ -static void use_reqid(private_child_create_t *this, u_int32_t reqid) +METHOD(child_create_t, use_reqid, void, + private_child_create_t *this, u_int32_t reqid) { this->reqid = reqid; } -/** - * Implementation of child_create_t.get_child - */ -static child_sa_t* get_child(private_child_create_t *this) +METHOD(child_create_t, get_child, child_sa_t*, + private_child_create_t *this) { return this->child_sa; } -/** - * Implementation of child_create_t.get_lower_nonce - */ -static chunk_t get_lower_nonce(private_child_create_t *this) +METHOD(child_create_t, get_lower_nonce, chunk_t, + private_child_create_t *this) { if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr, min(this->my_nonce.len, this->other_nonce.len)) < 0) @@ -1195,10 +1202,14 @@ static chunk_t get_lower_nonce(private_child_create_t *this) } } -/** - * Implementation of task_t.migrate - */ -static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) +METHOD(task_t, get_type, task_type_t, + private_child_create_t *this) +{ + return CHILD_CREATE; +} + +METHOD(task_t, migrate, void, + private_child_create_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1234,10 +1245,8 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) this->established = FALSE; } -/** - * Implementation of task_t.destroy - */ -static void destroy(private_child_create_t *this) +METHOD(task_t, destroy, void, + private_child_create_t *this) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1273,52 +1282,45 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { - private_child_create_t *this = malloc_thing(private_child_create_t); - - this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child; - this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce; - this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid; - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; + private_child_create_t *this; + + INIT(this, + .public = { + .get_child = _get_child, + .get_lower_nonce = _get_lower_nonce, + .use_reqid = _use_reqid, + .task = { + .get_type = _get_type, + .migrate = _migrate, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .config = config, + .packet_tsi = tsi ? tsi->clone(tsi) : NULL, + .packet_tsr = tsr ? tsr->clone(tsr) : NULL, + .dh_group = MODP_NONE, + .keymat = ike_sa->get_keymat(ike_sa), + .mode = MODE_TUNNEL, + .tfcv3 = TRUE, + .ipcomp = IPCOMP_NONE, + .ipcomp_received = IPCOMP_NONE, + .rekey = rekey, + ); + if (config) { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + this->public.task.build = _build_i; + this->public.task.process = _process_i; this->initiator = TRUE; config->get_ref(config); } else { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->public.task.build = _build_r; + this->public.task.process = _process_r; this->initiator = FALSE; } - this->ike_sa = ike_sa; - this->config = config; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->proposals = NULL; - this->proposal = NULL; - this->tsi = NULL; - this->tsr = NULL; - this->packet_tsi = tsi ? tsi->clone(tsi) : NULL; - this->packet_tsr = tsr ? tsr->clone(tsr) : NULL; - this->dh = NULL; - this->dh_group = MODP_NONE; - this->keymat = ike_sa->get_keymat(ike_sa); - this->child_sa = NULL; - this->mode = MODE_TUNNEL; - this->ipcomp = IPCOMP_NONE; - this->ipcomp_received = IPCOMP_NONE; - this->my_spi = 0; - this->other_spi = 0; - this->my_cpi = 0; - this->other_cpi = 0; - this->reqid = 0; - this->established = FALSE; - this->rekey = rekey; - return &this->public; } diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index fdaaea4b8..e74ca4eef 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c @@ -241,12 +241,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) + min(this_nonce.len, other_nonce.len)) > 0) { child_sa_t *child_sa; - DBG1(DBG_IKE, "CHILD_SA rekey collision won, " - "deleting rekeyed child"); + DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child"); to_delete = this->child_sa; /* don't touch child other created, it has already been deleted */ if (!this->other_child_destroyed) @@ -259,7 +258,7 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) else { DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " - "deleting redundant child"); + "deleting rekeyed child"); to_delete = this->child_create->get_child(this->child_create); } } diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index b440ec811..0756c7d60 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -67,6 +67,11 @@ struct private_ike_auth_t { */ packet_t *other_packet; + /** + * Reserved bytes of ID payload + */ + char reserved[3]; + /** * currently active authenticator, to authenticate us */ @@ -101,6 +106,11 @@ struct private_ike_auth_t { * should we send a AUTHENTICATION_FAILED notify? */ bool authentication_failed; + + /** + * received an INITIAL_CONTACT? + */ + bool initial_contact; }; /** @@ -159,6 +169,24 @@ static status_t collect_other_init_data(private_ike_auth_t *this, return NEED_MORE; } +/** + * Get and store reserved bytes of id_payload, required for AUTH payload + */ +static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) +{ + u_int8_t *byte; + int i; + + for (i = 0; i < countof(this->reserved); i++) + { + byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i); + if (byte) + { + this->reserved[i] = *byte; + } + } +} + /** * Get the next authentication configuration */ @@ -329,10 +357,8 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_ike_auth_t *this, message_t *message) +METHOD(task_t, build_i, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg; @@ -367,7 +393,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) /* check if an authenticator is in progress */ if (this->my_auth == NULL) { - identification_t *id; + identification_t *idi, *idr = NULL; id_payload_t *id_payload; /* clean up authentication config from a previous round */ @@ -378,33 +404,48 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) cfg = get_auth_cfg(this, FALSE); if (cfg) { - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (id && !id->contains_wildcards(id)) + idr = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (idr && !idr->contains_wildcards(idr)) { - this->ike_sa->set_other_id(this->ike_sa, id->clone(id)); + this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr)); id_payload = id_payload_create_from_identification( - ID_RESPONDER, id); + ID_RESPONDER, idr); message->add_payload(message, (payload_t*)id_payload); } } /* add IDi */ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE); - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (!id) + idi = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (!idi) { DBG1(DBG_CFG, "configuration misses IDi"); return FAILED; } - this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_INITIATOR, id); + this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi)); + id_payload = id_payload_create_from_identification(ID_INITIATOR, idi); + get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); + if (idr && message->get_message_id(message) == 1 && + this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO) + { + host_t *host; + + host = this->ike_sa->get_other_host(this->ike_sa); + if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, + idi, idr, host->get_family(host))) + { + message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty); + } + } + /* build authentication data */ this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->my_auth) { return FAILED; @@ -441,10 +482,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_ike_auth_t *this, message_t *message) +METHOD(task_t, process_r, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg, *cand; id_payload_t *id_payload; @@ -498,6 +537,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); + get_reserved_id_bytes(this, id_payload); this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -548,7 +588,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->other_auth) { this->authentication_failed = TRUE; @@ -572,10 +613,13 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } - /* store authentication information */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + /* If authenticated (with non-EAP) and received INITIAL_CONTACT, + * delete any existing IKE_SAs with that peer. */ + if (message->get_message_id(message) == 1 && + message->get_notify(message, INITIAL_CONTACT)) + { + this->initial_contact = TRUE; + } /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) @@ -585,6 +629,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } + /* store authentication information */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + if (!update_cfg_candidates(this, FALSE)) { this->authentication_failed = TRUE; @@ -603,10 +652,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_ike_auth_t *this, message_t *message) +METHOD(task_t, build_r, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg; @@ -662,8 +709,16 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) } id_payload = id_payload_create_from_identification(ID_RESPONDER, id); + get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); + if (this->initial_contact) + { + charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, + this->ike_sa, TRUE); + this->initial_contact = FALSE; + } + if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -682,7 +737,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->my_auth) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -744,7 +800,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (!this->do_another_auth && !this->expect_another_auth) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, - this->ike_sa)) + this->ike_sa, FALSE)) { DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy"); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -772,10 +828,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_ike_auth_t *this, message_t *message) +METHOD(task_t, process_i, status_t, + private_ike_auth_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; @@ -857,6 +911,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); + get_reserved_id_bytes(this, id_payload); this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -867,7 +922,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->other_auth) { return FAILED; @@ -893,17 +949,17 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth->destroy(this->other_auth); this->other_auth = NULL; } - /* store authentication information, reset authenticator */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); - /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling"); return FAILED; } + + /* store authentication information, reset authenticator */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); } if (this->my_auth) @@ -964,18 +1020,14 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_ike_auth_t *this) +METHOD(task_t, get_type, task_type_t, + private_ike_auth_t *this) { return IKE_AUTHENTICATE; } -/** - * Implementation of task_t.migrate - */ -static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) +METHOD(task_t, migrate, void, + private_ike_auth_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -998,10 +1050,8 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) this->candidates = linked_list_create(); } -/** - * Implementation of task_t.destroy - */ -static void destroy(private_ike_auth_t *this) +METHOD(task_t, destroy, void, + private_ike_auth_t *this) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1019,37 +1069,29 @@ static void destroy(private_ike_auth_t *this) */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) { - private_ike_auth_t *this = malloc_thing(private_ike_auth_t); - - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; - + private_ike_auth_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .build = _build_r, + .process = _process_r, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .initiator = initiator, + .candidates = linked_list_create(), + .do_another_auth = TRUE, + .expect_another_auth = TRUE, + ); if (initiator) { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; - } - else - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->public.task.build = _build_i; + this->public.task.process = _process_i; } - - this->ike_sa = ike_sa; - this->initiator = initiator; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->my_packet = NULL; - this->other_packet = NULL; - this->peer_cfg = NULL; - this->candidates = linked_list_create(); - this->my_auth = NULL; - this->other_auth = NULL; - this->do_another_auth = TRUE; - this->expect_another_auth = TRUE; - this->authentication_failed = FALSE; - return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 1c0c54727..a59b8dcce 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -76,6 +76,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) { certreq_payload_t *certreq = (certreq_payload_t*)payload; enumerator_t *enumerator; + u_int unknown = 0; chunk_t keyid; this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); @@ -103,12 +104,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) } else { - DBG1(DBG_IKE, "received cert request for unknown ca " + DBG2(DBG_IKE, "received cert request for unknown ca " "with keyid %Y", id); + unknown++; } id->destroy(id); } enumerator->destroy(enumerator); + if (unknown) + { + DBG1(DBG_IKE, "received %u cert requests for an unknown ca", + unknown); + } break; } case NOTIFY: @@ -253,11 +260,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) } break; } + case ENC_CRL: + cert = cert_payload->get_cert(cert_payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } + break; case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: - case ENC_CRL: case ENC_ARL: case ENC_SPKI: case ENC_X509_ATTRIBUTE: diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index 1a6c140c4..44c55036e 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c @@ -255,19 +255,20 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) + min(this_nonce.len, other_nonce.len)) > 0) { /* peer should delete this SA. Add a timeout just in case. */ job_t *job = (job_t*)delete_ike_sa_job_create( other->new_sa->get_id(other->new_sa), TRUE); lib->scheduler->schedule_job(lib->scheduler, job, 10); - DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); + DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete"); charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); other->new_sa = NULL; } else { - DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); + DBG1(DBG_IKE, "IKE_SA rekey collision lost, " + "deleting redundant IKE_SA"); /* apply host for a proper delete */ host = this->ike_sa->get_my_host(this->ike_sa); this->new_sa->set_my_host(this->new_sa, host->clone(host)); diff --git a/src/libcharon/tnc/imc/imc.h b/src/libcharon/tnc/imc/imc.h new file mode 100644 index 000000000..fe8f25b0f --- /dev/null +++ b/src/libcharon/tnc/imc/imc.h @@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc imc + * @ingroup tnc + * + * @defgroup imct imc + * @{ @ingroup imc + */ + +#ifndef IMC_H_ +#define IMC_H_ + +#include +#include + +typedef struct imc_t imc_t; + +/** + * Controls a single Integrity Measurement Collector (IMC) + */ +struct imc_t { + + /** + * The TNC Client calls this function to initialize the IMC and agree on + * the API version number to be used. It also supplies the IMC ID, an IMC + * identifier that the IMC must use when calling TNC Client callback functions. + * + * @param imcID IMC ID assigned by TNCC + * @param minVersion minimum API version supported by TNCC + * @param maxVersion maximum API version supported by TNCC + * @param OutActualVersion mutually supported API version number + * @return TNC result code + */ + TNC_Result (*initialize)(TNC_IMCID imcID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *OutActualVersion); + + /** + * The TNC Client calls this function to inform the IMC that the state of + * the network connection identified by connectionID has changed to newState. + * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @param newState new network connection state + * @return TNC result code + */ + TNC_Result (*notify_connection_change)(TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); + + /** + * The TNC Client calls this function to indicate that an Integrity Check + * Handshake is beginning and solicit messages from IMCs for the first batch. + * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*begin_handshake)(TNC_IMCID imcID, + TNC_ConnectionID connectionID); + + /** + * The TNC Client calls this function to deliver a message to the IMC. + * The message is contained in the buffer referenced by message and contains + * the number of octets indicated by messageLength. The type of the message + * is indicated by messageType. + * + * @param imcID IMC ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCC + * @param message reference to buffer containing message + * @param messageLength number of octets in message + * @param messageType message type of message + * @return TNC result code + */ + TNC_Result (*receive_message)(TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); + + /** + * The TNC Client calls this function to notify IMCs that all IMV messages + * received in a batch have been delivered and this is the IMC’s last chance + * to send a message in the batch of IMC messages currently being collected. + * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*batch_ending)(TNC_IMCID imcID, + TNC_ConnectionID connectionID); + + /** + * The TNC Client calls this function to close down the IMC when all work is + * complete or the IMC reports TNC_RESULT_FATAL. + * + * @param imcID IMC ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*terminate)(TNC_IMCID imcID); + + /** + * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST + * define this additional function. The TNC Server MUST call the function + * immediately after calling TNC_IMV_Initialize to provide a pointer to the + * TNCS bind function. The IMV can then use the TNCS bind function to obtain + * pointers to any other TNCS functions. + * + * @param imcID IMC ID assigned by TNCC + * @param bindFunction pointer to TNC_TNCC_BindFunction + * @return TNC result code + */ + TNC_Result (*provide_bind_function)(TNC_IMCID imcID, + TNC_TNCC_BindFunctionPointer bindFunction); + + /** + * Sets the ID of an imc_t object. + * + * @param id IMC ID to be assigned + */ + void (*set_id)(imc_t *this, TNC_IMCID id); + + /** + * Returns the ID of an imc_t object. + * + * @return assigned IMC ID + */ + TNC_IMCID (*get_id)(imc_t *this); + + /** + * Returns the name of an imc_t object. + * + * @return name of IMC + */ + char* (*get_name)(imc_t *this); + + /** + * Sets the supported message types of an imc_t object. + * + * @param supported_types list of messages type supported by IMC + * @param type_count number of supported message types + */ + void (*set_message_types)(imc_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Check if the IMC supports a given message type. + * + * @param message_type message type + * @return TRUE if supported + */ + bool (*type_supported)(imc_t *this, TNC_MessageType message_type); + + /** + * Destroys an imc_t object. + */ + void (*destroy)(imc_t *this); +}; + +#endif /** IMC_H_ @}*/ diff --git a/src/libcharon/tnc/imc/imc_manager.h b/src/libcharon/tnc/imc/imc_manager.h new file mode 100644 index 000000000..634afdbe8 --- /dev/null +++ b/src/libcharon/tnc/imc/imc_manager.h @@ -0,0 +1,116 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc_manager imc_manager + * @{ @ingroup imc + */ + +#ifndef IMC_MANAGER_H_ +#define IMC_MANAGER_H_ + +#include "imc.h" + +#include + +typedef struct imc_manager_t imc_manager_t; + +/** + * The IMC manager controls all IMC instances. + */ +struct imc_manager_t { + + /** + * Add an IMC instance + * + * @param imc IMC instance + * @return TRUE if initialization successful + */ + bool (*add)(imc_manager_t *this, imc_t *imc); + + /** + * Remove an IMC instance from the list and return it + * + * @param id ID of IMC instance + * @return removed IMC instance + */ + imc_t* (*remove)(imc_manager_t *this, TNC_IMCID id); + + /** + * Return the preferred language for recommendations + * + * @return preferred language string + */ + char* (*get_preferred_language)(imc_manager_t *this); + + /** + * Notify all IMC instances + * + * @param state communicate the state a connection has reached + */ + void (*notify_connection_change)(imc_manager_t *this, + TNC_ConnectionID id, + TNC_ConnectionState state); + + /** + * Begin a handshake between the IMCs and a connection + * + * @param id connection ID + */ + void (*begin_handshake)(imc_manager_t *this, TNC_ConnectionID id); + + /** + * Sets the supported message types reported by a given IMC + * + * @param id ID of reporting IMC + * @param supported_types list of messages type supported by IMC + * @param type_count number of supported message types + * @return TNC result code + */ + TNC_Result (*set_message_types)(imc_manager_t *this, + TNC_IMCID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Delivers a message to interested IMCs. + * + * @param connection_id ID of connection over which message was received + * @param message message + * @param message_len message length + * @param message_type message type + */ + void (*receive_message)(imc_manager_t *this, + TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type); + + /** + * Notify all IMCs that all IMV messages received in a batch have been + * delivered and this is the IMCs last chance to send a message in the + * batch of IMC messages currently being collected. + * + * @param id connection ID + */ + void (*batch_ending)(imc_manager_t *this, TNC_ConnectionID id); + + /** + * Destroy an IMC manager and all its controlled instances. + */ + void (*destroy)(imc_manager_t *this); +}; + +#endif /** IMC_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/imv/imv.h b/src/libcharon/tnc/imv/imv.h new file mode 100644 index 000000000..26874ab0b --- /dev/null +++ b/src/libcharon/tnc/imv/imv.h @@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv imv + * @ingroup tnc + * + * @defgroup imvt imv + * @{ @ingroup imv + */ + +#ifndef IMV_H_ +#define IMV_H_ + +#include +#include + +typedef struct imv_t imv_t; + +/** + * Controls a single Integrity Measurement Verifier (IMV) + */ +struct imv_t { + + /** + * The TNC Server calls this function to initialize the IMV and agree on + * the API version number to be used. It also supplies the IMV ID, an IMV + * identifier that the IMV must use when calling TNC Server callback functions. + * + * @param imvID IMV ID assigned by TNCS + * @param minVersion minimum API version supported + * @param maxVersion maximum API version supported by TNCS + * @param OutActualVersion mutually supported API version number + * @return TNC result code + */ + TNC_Result (*initialize)(TNC_IMVID imvID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *OutActualVersion); + + /** + * The TNC Server calls this function to inform the IMV that the state of + * the network connection identified by connectionID has changed to newState. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @param newState new network connection state + * @return TNC result code + */ + TNC_Result (*notify_connection_change)(TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); + + /** + * The TNC Server calls this function at the end of an Integrity Check + * Handshake (after all IMC-IMV messages have been delivered) to solicit + * recommendations from IMVs that have not yet provided a recommendation. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*solicit_recommendation)(TNC_IMVID imvID, + TNC_ConnectionID connectionID); + + /** + * The TNC Server calls this function to deliver a message to the IMV. + * The message is contained in the buffer referenced by message and contains + * the number of octets indicated by messageLength. The type of the message + * is indicated by messageType. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @param message reference to buffer containing message + * @param messageLength number of octets in message + * @param messageType message type of message + * @return TNC result code + */ + TNC_Result (*receive_message)(TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); + + /** + * The TNC Server calls this function to notify IMVs that all IMC messages + * received in a batch have been delivered and this is the IMV’s last chance + * to send a message in the batch of IMV messages currently being collected. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*batch_ending)(TNC_IMVID imvID, + TNC_ConnectionID connectionID); + + /** + * The TNC Server calls this function to close down the IMV. + * + * @param imvID IMV ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*terminate)(TNC_IMVID imvID); + + /** + * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST + * define this additional function. The TNC Server MUST call the function + * immediately after calling TNC_IMV_Initialize to provide a pointer to the + * TNCS bind function. The IMV can then use the TNCS bind function to obtain + * pointers to any other TNCS functions. + * + * @param imvID IMV ID assigned by TNCS + * @param bindFunction pointer to TNC_TNCS_BindFunction + * @return TNC result code + */ + TNC_Result (*provide_bind_function)(TNC_IMVID imvID, + TNC_TNCS_BindFunctionPointer bindFunction); + + /** + * Sets the ID of an imv_t object. + * + * @param id IMV ID to be assigned + */ + void (*set_id)(imv_t *this, TNC_IMVID id); + + /** + * Returns the ID of an imv_t object. + * + * @return IMV ID assigned by TNCS + */ + TNC_IMVID (*get_id)(imv_t *this); + + /** + * Returns the name of an imv_t object. + * + * @return name of IMV + */ + char* (*get_name)(imv_t *this); + + /** + * Sets the supported message types of an imv_t object. + * + * @param supported_types list of messages type supported by IMV + * @param type_count number of supported message types + */ + void (*set_message_types)(imv_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Check if the IMV supports a given message type. + * + * @param message_type message type + * @return TRUE if supported + */ + bool (*type_supported)(imv_t *this, TNC_MessageType message_type); + + /** + * Destroys an imv_t object. + */ + void (*destroy)(imv_t *this); +}; + +#endif /** IMV_H_ @}*/ diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h new file mode 100644 index 000000000..b5c581a75 --- /dev/null +++ b/src/libcharon/tnc/imv/imv_manager.h @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_manager imv_manager + * @{ @ingroup imv + */ + +#ifndef IMV_MANAGER_H_ +#define IMV_MANAGER_H_ + +#include "imv.h" +#include "imv_recommendations.h" + +#include + +typedef struct imv_manager_t imv_manager_t; + +/** + * The IMV manager controls all IMV instances. + */ +struct imv_manager_t { + + /** + * Add an IMV instance + * + * @param imv IMV instance + * @return TRUE if initialization successful + */ + bool (*add)(imv_manager_t *this, imv_t *imv); + + /** + * Remove an IMV instance from the list and return it + * + * @param id ID of IMV instance + * @return removed IMC instance + */ + imv_t* (*remove)(imv_manager_t *this, TNC_IMVID id); + + /** + * Get the configured recommendation policy + * + * @return configured recommendation policy + */ + recommendation_policy_t (*get_recommendation_policy)(imv_manager_t *this); + + /** + * Create an empty set of IMV recommendations and evaluations + * + * @return instance of a recommendations_t list + */ + recommendations_t* (*create_recommendations)(imv_manager_t *this); + + /** + * Enforce the TNC recommendation on the IKE_SA by either inserting an + * allow|isolate group membership rule (TRUE) or by blocking access (FALSE) + * + * @param void TNC action recommendation + * @return TRUE for allow|isolate, FALSE for none + */ + bool (*enforce_recommendation)(imv_manager_t *this, + TNC_IMV_Action_Recommendation rec); + + /** + * Notify all IMV instances + * + * @param state communicate the state a connection has reached + */ + void (*notify_connection_change)(imv_manager_t *this, + TNC_ConnectionID id, + TNC_ConnectionState state); + + /** + * Sets the supported message types reported by a given IMV + * + * @param id ID of reporting IMV + * @param supported_types list of messages type supported by IMV + * @param type_count number of supported message types + * @return TNC result code + */ + TNC_Result (*set_message_types)(imv_manager_t *this, + TNC_IMVID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Solicit recommendations from IMVs that have not yet provided one + * + * @param id connection ID + */ + void (*solicit_recommendation)(imv_manager_t *this, TNC_ConnectionID id); + + /** + * Delivers a message to interested IMVs. + * + * @param connection_id ID of connection over which message was received + * @param message message + * @param message_len message length + * @param message_type message type + */ + void (*receive_message)(imv_manager_t *this, + TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type); + + /** + * Notify all IMVs that all IMC messages received in a batch have been + * delivered and this is the IMVs last chance to send a message in the + * batch of IMV messages currently being collected. + * + * @param id connection ID + */ + void (*batch_ending)(imv_manager_t *this, TNC_ConnectionID id); + + /** + * Destroy an IMV manager and all its controlled instances. + */ + void (*destroy)(imv_manager_t *this); +}; + +#endif /** IMV_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/imv/imv_recommendations.c b/src/libcharon/tnc/imv/imv_recommendations.c new file mode 100644 index 000000000..9daaca16c --- /dev/null +++ b/src/libcharon/tnc/imv/imv_recommendations.c @@ -0,0 +1,24 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_recommendations.h" + +ENUM(recommendation_policy_names, RECOMMENDATION_POLICY_DEFAULT, + RECOMMENDATION_POLICY_ALL, + "default", + "any", + "all" +); + diff --git a/src/libcharon/tnc/imv/imv_recommendations.h b/src/libcharon/tnc/imv/imv_recommendations.h new file mode 100644 index 000000000..3a6e25c9f --- /dev/null +++ b/src/libcharon/tnc/imv/imv_recommendations.h @@ -0,0 +1,117 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_recommendations imv_recommendations + * @{ @ingroup imv + */ + +#ifndef IMV_RECOMMENDATIONS_H_ +#define IMV_RECOMMENDATIONS_H_ + +#include +#include + +typedef enum recommendation_policy_t recommendation_policy_t; + +enum recommendation_policy_t { + RECOMMENDATION_POLICY_DEFAULT, + RECOMMENDATION_POLICY_ANY, + RECOMMENDATION_POLICY_ALL +}; + +extern enum_name_t *recommendation_policy_names; + + +typedef struct recommendations_t recommendations_t; + +/** + * Collection of all IMV action recommendations and evaluation results + */ +struct recommendations_t { + + /** + * Deliver an IMV action recommendation and IMV evaluation result to the TNCS + * + * @param imv_id ID of the IMV providing the recommendation + * @param rec action recommendation + * @param eval evaluation result + * @return return code + */ + TNC_Result (*provide_recommendation)(recommendations_t *this, + TNC_IMVID imv_id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + + /** + * If all IMVs provided a recommendation, derive a consolidated action + * recommendation and evaluation result based on a configured policy + * + * @param rec action recommendation + * @param eval evaluation result + * @return TRUE if all IMVs provided a recommendation + */ + bool (*have_recommendation)(recommendations_t *this, + TNC_IMV_Action_Recommendation *rec, + TNC_IMV_Evaluation_Result *eval); + + /** + * Get the preferred language for remediation messages + * + * @return preferred language + */ + chunk_t (*get_preferred_language)(recommendations_t *this); + + /** + * Set the preferred language for remediation messages + * + * @param pref_lang preferred language + */ + void (*set_preferred_language)(recommendations_t *this, chunk_t pref_lang); + + /** + * Set the reason string + * + * @param id ID of IMV setting the reason string + * @param reason reason string + * @result return code + */ + TNC_Result (*set_reason_string)(recommendations_t *this, TNC_IMVID id, + chunk_t reason); + + /** + * Set the language for reason strings + * + * @param id ID of IMV setting the reason language + * @param reason_lang reason language + * @result return code + */ + TNC_Result (*set_reason_language)(recommendations_t *this, TNC_IMVID id, + chunk_t reason_lang); + + /** + * Enumerates over all IMVs sending a reason string. + * Format: TNC_IMVID *id, chunk_t *reason, chunk_t *reason_language + * + * @return enumerator + */ + enumerator_t* (*create_reason_enumerator)(recommendations_t *this); + /** + * Destroys an imv_t object. + */ + void (*destroy)(recommendations_t *this); +}; + +#endif /** IMV_RECOMMENDATIONS_H_ @}*/ diff --git a/src/libcharon/tnc/tnccs/tnccs.c b/src/libcharon/tnc/tnccs/tnccs.c new file mode 100644 index 000000000..575b850f5 --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs.c @@ -0,0 +1,23 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs.h" + +ENUM(tnccs_type_names, TNCCS_UNKNOWN, TNCCS_2_0, + "unknown TNCCS", + "TNCCS 1.1", + "TNCCS SOH", + "TNCCS 2.0", +); diff --git a/src/libcharon/tnc/tnccs/tnccs.h b/src/libcharon/tnc/tnccs/tnccs.h new file mode 100644 index 000000000..c5d6f5ef0 --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs tnccs + * @ingroup tnc + * + * @defgroup tnccst tnccs + * @{ @ingroup tnccs + */ + +#ifndef TNCCS_H_ +#define TNCCS_H_ + +#include +#include +#include +#include + +#define IETF_VENDOR_ID 0x000000 /* 0 */ +#define MICROSOFT_VENDOR_ID 0x000137 /* 311 */ +#define OSC_VENDOR_ID 0x002358 /* 9048 */ +#define FHH_VENDOR_ID 0x0080ab /* 32939 */ +#define ITA_VENDOR_ID 0x00902a /* 36906 */ +#define RESERVED_VENDOR_ID 0xffffff /* 16777215 */ + +typedef enum tnccs_type_t tnccs_type_t; + +/** + * Type of TNC Client/Server protocol + */ +enum tnccs_type_t { + TNCCS_UNKNOWN, + TNCCS_1_1, + TNCCS_SOH, + TNCCS_2_0, + TNCCS_DYNAMIC +}; + +/** + * enum names for tnccs_type_t. + */ +extern enum_name_t *tnccs_type_names; + +typedef struct tnccs_t tnccs_t; + +/** + * Constructor definition for a pluggable TNCCS protocol implementation. + * + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return implementation of the tnccs_t interface + */ +typedef tnccs_t* (*tnccs_constructor_t)(bool is_server); + +/** + * Callback function adding a message to a TNCCS batch + * + * @param imc_id ID of IMC or TNC_IMCID_ANY + * @param imc_id ID of IMV or TNC_IMVID_ANY + * @param msg message to be added + * @param msg_len message length + * @param msg_type message type + */ +typedef void (*tnccs_send_message_t)(tnccs_t* tncss, TNC_IMCID imc_id, + TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type); + +#endif /** TNCCS_H_ @}*/ diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.c b/src/libcharon/tnc/tnccs/tnccs_manager.c new file mode 100644 index 000000000..7e522b870 --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs_manager.c @@ -0,0 +1,477 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_manager.h" + +#include + +#include +#include +#include +#include + +typedef struct private_tnccs_manager_t private_tnccs_manager_t; +typedef struct tnccs_entry_t tnccs_entry_t; +typedef struct tnccs_connection_entry_t tnccs_connection_entry_t; + +/** + * TNCCS constructor entry + */ +struct tnccs_entry_t { + + /** + * TNCCS protocol type + */ + tnccs_type_t type; + + /** + * constructor function to create instance + */ + tnccs_constructor_t constructor; +}; + +/** + * TNCCS connection entry + */ +struct tnccs_connection_entry_t { + + /** + * TNCCS connection ID + */ + TNC_ConnectionID id; + + /** + * TNCCS instance + */ + tnccs_t *tnccs; + + /** + * TNCCS send message function + */ + tnccs_send_message_t send_message; + + /** + * TNCCS request handshake retry flag + */ + bool *request_handshake_retry; + + /** + * collection of IMV recommendations + */ + recommendations_t *recs; +}; + +/** + * private data of tnccs_manager + */ +struct private_tnccs_manager_t { + + /** + * public functions + */ + tnccs_manager_t public; + + /** + * list of TNCCS protocol entries + */ + linked_list_t *protocols; + + /** + * rwlock to lock the TNCCS protocol entries + */ + rwlock_t *protocol_lock; + + /** + * connection ID counter + */ + TNC_ConnectionID connection_id; + + /** + * list of TNCCS connection entries + */ + linked_list_t *connections; + + /** + * rwlock to lock TNCCS connection entries + */ + rwlock_t *connection_lock; + +}; + +METHOD(tnccs_manager_t, add_method, void, + private_tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor) +{ + tnccs_entry_t *entry; + + entry = malloc_thing(tnccs_entry_t); + entry->type = type; + entry->constructor = constructor; + + this->protocol_lock->write_lock(this->protocol_lock); + this->protocols->insert_last(this->protocols, entry); + this->protocol_lock->unlock(this->protocol_lock); +} + +METHOD(tnccs_manager_t, remove_method, void, + private_tnccs_manager_t *this, tnccs_constructor_t constructor) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + + this->protocol_lock->write_lock(this->protocol_lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (constructor == entry->constructor) + { + this->protocols->remove_at(this->protocols, enumerator); + free(entry); + } + } + enumerator->destroy(enumerator); + this->protocol_lock->unlock(this->protocol_lock); +} + +METHOD(tnccs_manager_t, create_instance, tnccs_t*, + private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + tnccs_t *protocol = NULL; + + this->protocol_lock->read_lock(this->protocol_lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (type == entry->type) + { + protocol = entry->constructor(is_server); + if (protocol) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->protocol_lock->unlock(this->protocol_lock); + + return protocol; +} + +METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID, + private_tnccs_manager_t *this, tnccs_t *tnccs, + tnccs_send_message_t send_message, bool* request_handshake_retry, + recommendations_t **recs) +{ + tnccs_connection_entry_t *entry; + + entry = malloc_thing(tnccs_connection_entry_t); + entry->tnccs = tnccs; + entry->send_message = send_message; + entry->request_handshake_retry = request_handshake_retry; + if (recs) + { + /* we assume a TNC Server needing recommendations from IMVs */ + if (!charon->imvs) + { + DBG1(DBG_TNC, "no IMV manager available!"); + free(entry); + return 0; + } + entry->recs = charon->imvs->create_recommendations(charon->imvs); + *recs = entry->recs; + } + else + { + /* we assume a TNC Client */ + if (!charon->imcs) + { + DBG1(DBG_TNC, "no IMC manager available!"); + free(entry); + return 0; + } + entry->recs = NULL; + } + this->connection_lock->write_lock(this->connection_lock); + entry->id = ++this->connection_id; + this->connections->insert_last(this->connections, entry); + this->connection_lock->unlock(this->connection_lock); + + DBG1(DBG_TNC, "assigned TNCCS Connection ID %u", entry->id); + return entry->id; +} + +METHOD(tnccs_manager_t, remove_connection, void, + private_tnccs_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + + this->connection_lock->write_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + this->connections->remove_at(this->connections, enumerator); + if (entry->recs) + { + entry->recs->destroy(entry->recs); + } + free(entry); + DBG1(DBG_TNC, "removed TNCCS Connection ID %u", id); + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); +} + +METHOD(tnccs_manager_t, request_handshake_retry, TNC_Result, + private_tnccs_manager_t *this, bool is_imc, TNC_UInt32 imcv_id, + TNC_ConnectionID id, + TNC_RetryReason reason) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + + if (id == TNC_CONNECTIONID_ANY) + { + DBG2(DBG_TNC, "%s %u requests handshake retry for all connections " + "(reason: %u)", is_imc ? "IMC":"IMV", reason); + } + else + { + DBG2(DBG_TNC, "%s %u requests handshake retry for connection ID %u " + "(reason: %u)", is_imc ? "IMC":"IMV", id, reason); + } + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == TNC_CONNECTIONID_ANY || id == entry->id) + { + *entry->request_handshake_retry = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + return TNC_RESULT_SUCCESS; +} + +METHOD(tnccs_manager_t, send_message, TNC_Result, + private_tnccs_manager_t *this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + tnccs_send_message_t send_message = NULL; + tnccs_t *tnccs = NULL; + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + tnccs = entry->tnccs; + send_message = entry->send_message; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (tnccs && send_message) + { + send_message(tnccs, imc_id, imv_id, msg, msg_len, msg_type); + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_FATAL; +} + +METHOD(tnccs_manager_t, provide_recommendation, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + recs->provide_recommendation(recs, imv_id, rec, eval); + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_FATAL; +} + +METHOD(tnccs_manager_t, get_attribute, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + if (id == TNC_CONNECTIONID_ANY || + attribute_id != TNC_ATTRIBUTEID_PREFERRED_LANGUAGE) + { + return TNC_RESULT_INVALID_PARAMETER; + } + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + chunk_t pref_lang; + + pref_lang = recs->get_preferred_language(recs); + if (pref_lang.len == 0) + { + return TNC_RESULT_INVALID_PARAMETER; + } + *out_value_len = pref_lang.len; + if (buffer && buffer_len <= pref_lang.len) + { + memcpy(buffer, pref_lang.ptr, pref_lang.len); + } + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_INVALID_PARAMETER; +} + +METHOD(tnccs_manager_t, set_attribute, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + if (id == TNC_CONNECTIONID_ANY || + (attribute_id != TNC_ATTRIBUTEID_REASON_STRING && + attribute_id != TNC_ATTRIBUTEID_REASON_LANGUAGE)) + { + return TNC_RESULT_INVALID_PARAMETER; + } + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + chunk_t attribute = { buffer, buffer_len }; + + if (attribute_id == TNC_ATTRIBUTEID_REASON_STRING) + { + return recs->set_reason_string(recs, imv_id, attribute); + } + else + { + return recs->set_reason_language(recs, imv_id, attribute); + } + } + return TNC_RESULT_INVALID_PARAMETER; +} + +METHOD(tnccs_manager_t, destroy, void, + private_tnccs_manager_t *this) +{ + this->protocols->destroy_function(this->protocols, free); + this->protocol_lock->destroy(this->protocol_lock); + this->connections->destroy_function(this->connections, free); + this->connection_lock->destroy(this->connection_lock); + free(this); +} + +/* + * See header + */ +tnccs_manager_t *tnccs_manager_create() +{ + private_tnccs_manager_t *this; + + INIT(this, + .public = { + .add_method = _add_method, + .remove_method = _remove_method, + .create_instance = _create_instance, + .create_connection = _create_connection, + .remove_connection = _remove_connection, + .request_handshake_retry = _request_handshake_retry, + .send_message = _send_message, + .provide_recommendation = _provide_recommendation, + .get_attribute = _get_attribute, + .set_attribute = _set_attribute, + .destroy = _destroy, + }, + .protocols = linked_list_create(), + .connections = linked_list_create(), + .protocol_lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.h b/src/libcharon/tnc/tnccs/tnccs_manager.h new file mode 100644 index 000000000..c02eac03c --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs_manager.h @@ -0,0 +1,184 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_manager tnccs_manager + * @{ @ingroup tnccs + */ + +#ifndef TNCCS_MANAGER_H_ +#define TNCCS_MANAGER_H_ + +#include "tnccs.h" + +#include + +typedef struct tnccs_manager_t tnccs_manager_t; + +/** + * The TNCCS manager manages all TNCCS implementations and creates instances. + * + * A plugin registers its implemented TNCCS protocol with the manager by + * providing type and a constructor function. The manager then creates + * TNCCS protocol instances via the provided constructor. + */ +struct tnccs_manager_t { + + /** + * Register a TNCCS protocol implementation. + * + * @param type TNCCS protocol type + * @param constructor constructor, returns a TNCCS protocol implementation + */ + void (*add_method)(tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor); + + /** + * Unregister a TNCCS protocol implementation using it's constructor. + * + * @param constructor constructor function to remove, as added in add_method + */ + void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor); + + /** + * Create a new TNCCS protocol instance. + * + * @param type type of the TNCCS protocol + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return TNCCS protocol instance, NULL if no constructor found + */ + tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, + bool is_server); + + /** + * Create a TNCCS connection and assign a unique connection ID as well a + * callback function for adding a message to a TNCCS batch and create + * an empty set for collecting IMV recommendations + * + * @param tnccs TNCCS connection instance + * @param send_message TNCCS callback function + * @param request_handshake_retry pointer to boolean variable + * @param recs pointer to IMV recommendation set + * @return assigned connection ID + */ + TNC_ConnectionID (*create_connection)(tnccs_manager_t *this, tnccs_t *tnccs, + tnccs_send_message_t send_message, + bool *request_handshake_retry, + recommendations_t **recs); + + /** + * Remove a TNCCS connection using its connection ID. + * + * @param id ID of the connection to be removed + */ + void (*remove_connection)(tnccs_manager_t *this, TNC_ConnectionID id); + + /** + * Request a handshake retry + * + * @param is_imc TRUE if IMC, FALSE if IMV + * @param imcv_id ID of IMC or IMV requesting the retry + * @param id ID of a specific connection or any connection + * @param reason reason for the handshake retry + * @return return code + */ + TNC_Result (*request_handshake_retry)(tnccs_manager_t *this, bool is_imc, + TNC_UInt32 imcv_id, + TNC_ConnectionID id, + TNC_RetryReason reason); + + /** + * Add an IMC/IMV message to the batch of a given connection ID. + * + * @param imc_id ID of IMC or TNC_IMCID_ANY + * @param imv_id ID of IMV or TNC_IMVID_ANY + * @param id ID of target connection + * @param msg message to be added + * @param msg_len message length + * @param msg_type message type + * @return return code + */ + TNC_Result (*send_message)(tnccs_manager_t *this, TNC_IMCID imc_id, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type); + + /** + * Deliver an IMV Action Recommendation and IMV Evaluation Result to the TNCS + * + * @param imv_id ID of the IMV providing the recommendation + * @param id ID of target connection + * @param rec action recommendation + * @param eval evaluation result + * @return return code + */ + TNC_Result (*provide_recommendation)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + + /** + * Get the value of an attribute associated with a connection or with the + * TNCS as a whole. + * + * @param imv_id ID of the IMV requesting the attribute + * @param id ID of target connection + * @param attribute_id ID of the requested attribute + * @param buffer_len length of the buffer in bytes + * @param buffer pointer to the buffer + * @param out_value_len actual length of the returned attribute + * @return return code + */ + TNC_Result (*get_attribute)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len); + + /** + * Set the value of an attribute associated with a connection or with the + * TNCS as a whole. + * + * @param imv_id ID of the IMV setting the attribute + * @param id ID of target connection + * @param attribute_id ID of the attribute to be set + * @param buffer_len length of the buffer in bytes + * @param buffer pointer to the buffer + * @return return code + */ + TNC_Result (*set_attribute)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer); + + /** + * Destroy a tnccs_manager instance. + */ + void (*destroy)(tnccs_manager_t *this); +}; + +/** + * Create a tnccs_manager instance. + */ +tnccs_manager_t *tnccs_manager_create(); + +#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/tncif.h b/src/libcharon/tnc/tncif.h new file mode 100644 index 000000000..99441a9a9 --- /dev/null +++ b/src/libcharon/tnc/tncif.h @@ -0,0 +1,106 @@ +/* tncif.h + * + * Trusted Network Connect IF-IMV API version 1.20 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. + * + * Any marks and brands contained herein are the property of their + * respective owners. + * + * Trusted Network Connect IF-IMC/IF-IMV API version 1.00 Revision 3 + * Microsoft Windows DLL Platform Binding C Header + * Common definitions for IF-IMC and IF-IMV + * extracted from tncifimc.h and tncifimv.h + * Feb 12, 2007 + */ + +/** + * @defgroup tnc tnc + * @ingroup libcharon + * + * @defgroup tncif tncif + * @{ @ingroup tnc + */ + +#ifndef TNCIF_H_ +#define TNCIF_H_ + +/* Basic Types */ +typedef unsigned long TNC_UInt32; +typedef unsigned char *TNC_BufferReference; + +/* Derived Types */ +typedef TNC_UInt32 TNC_ConnectionID; +typedef TNC_UInt32 TNC_ConnectionState; +typedef TNC_UInt32 TNC_RetryReason; +typedef TNC_UInt32 TNC_MessageType; +typedef TNC_MessageType *TNC_MessageTypeList; +typedef TNC_UInt32 TNC_VendorID; +typedef TNC_UInt32 TNC_MessageSubtype; +typedef TNC_UInt32 TNC_Version; +typedef TNC_UInt32 TNC_Result; + +/* Result Codes */ +#define TNC_RESULT_SUCCESS 0 +#define TNC_RESULT_NOT_INITIALIZED 1 +#define TNC_RESULT_ALREADY_INITIALIZED 2 +#define TNC_RESULT_NO_COMMON_VERSION 3 +#define TNC_RESULT_CANT_RETRY 4 +#define TNC_RESULT_WONT_RETRY 5 +#define TNC_RESULT_INVALID_PARAMETER 6 +#define TNC_RESULT_CANT_RESPOND 7 +#define TNC_RESULT_ILLEGAL_OPERATION 8 +#define TNC_RESULT_OTHER 9 +#define TNC_RESULT_FATAL 10 + +/* Network Connection ID Values */ +#define TNC_CONNECTIONID_ANY 0xFFFFFFFF +/* Network Connection State Values */ +#define TNC_CONNECTION_STATE_CREATE 0 +#define TNC_CONNECTION_STATE_HANDSHAKE 1 +#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2 +#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3 +#define TNC_CONNECTION_STATE_ACCESS_NONE 4 +#define TNC_CONNECTION_STATE_DELETE 5 + +/* Vendor ID Values */ +#define TNC_VENDORID_TCG 0 +#define TNC_VENDORID_ANY ((TNC_VendorID) 0xffffff) +/* Message Subtype Values */ +#define TNC_SUBTYPE_ANY ((TNC_MessageSubtype) 0xff) + +#endif /** TNCIF_H_ @}*/ diff --git a/src/libcharon/tnc/tncifimc.h b/src/libcharon/tnc/tncifimc.h new file mode 100644 index 000000000..c6ddabd45 --- /dev/null +++ b/src/libcharon/tnc/tncifimc.h @@ -0,0 +1,180 @@ +/* tncifimc.h + * + * Trusted Network Connect IF-IMC API version 1.20 Revision 8 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. + * + * Any marks and brands contained herein are the property of their + * respective owners. + * + */ + +/** + * @defgroup tncifimc tncifimc + * @{ @ingroup tnc + */ + +#ifndef TNCIFIMC_H_ +#define TNCIFIMC_H_ + +#include "tncif.h" + +/* Derived Types */ + +typedef TNC_UInt32 TNC_IMCID; + +/* Function pointers */ + +typedef TNC_Result (*TNC_IMC_InitializePointer)( + TNC_IMCID imcID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *pOutActualVersion); +typedef TNC_Result (*TNC_IMC_NotifyConnectionChangePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); +typedef TNC_Result (*TNC_IMC_BeginHandshakePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMC_ReceiveMessagePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_IMC_BatchEndingPointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMC_TerminatePointer)( + TNC_IMCID imcID); +typedef TNC_Result (*TNC_TNCC_ReportMessageTypesPointer)( + TNC_IMCID imcID, + TNC_MessageTypeList supportedTypes, + TNC_UInt32 typeCount); +typedef TNC_Result (*TNC_TNCC_SendMessagePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_TNCC_RequestHandshakeRetryPointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_RetryReason reason); +typedef TNC_Result (*TNC_TNCC_BindFunctionPointer)( + TNC_IMCID imcID, + char *functionName, + void **pOutfunctionPointer); +typedef TNC_Result (*TNC_IMC_ProvideBindFunctionPointer)( + TNC_IMCID imcID, + TNC_TNCC_BindFunctionPointer bindFunction); + +#define TNC_IFIMC_VERSION_1 1 + +/* Handshake Retry Reason Values */ + +#define TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE 0 +#define TNC_RETRY_REASON_IMC_SERIOUS_EVENT 1 +#define TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT 2 +#define TNC_RETRY_REASON_IMC_PERIODIC 3 +/* reserved for TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE: 4 */ +/* reserved for TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE: 5 */ +/* reserved for TNC_RETRY_REASON_IMV_SERIOUS_EVENT: 6 */ +/* reserved for TNC_RETRY_REASON_IMV_MINOR_EVENT: 7 */ +/* reserved for TNC_RETRY_REASON_IMV_PERIODIC: 8 */ + +/* IMC Functions */ + +TNC_Result TNC_IMC_Initialize( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_Version minVersion, +/*in*/ TNC_Version maxVersion, +/*out*/ TNC_Version *pOutActualVersion); + +TNC_Result TNC_IMC_NotifyConnectionChange( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_ConnectionState newState); + +TNC_Result TNC_IMC_BeginHandshake( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMC_ReceiveMessage( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference messageBuffer, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_IMC_BatchEnding( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMC_Terminate( +/*in*/ TNC_IMCID imcID); + +TNC_Result TNC_IMC_ProvideBindFunction( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_TNCC_BindFunctionPointer bindFunction); + +/* TNC Client Functions */ + +TNC_Result TNC_TNCC_ReportMessageTypes( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_MessageTypeList supportedTypes, +/*in*/ TNC_UInt32 typeCount); + +TNC_Result TNC_TNCC_SendMessage( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference message, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_TNCC_RequestHandshakeRetry( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_RetryReason reason); + +TNC_Result TNC_TNCC_BindFunction( +/*in*/ TNC_IMCID imcID, +/*in*/ char *functionName, +/*out*/ void **pOutfunctionPointer); + +#endif /** TNCIFIMC_H_ @}*/ diff --git a/src/libcharon/tnc/tncifimv.c b/src/libcharon/tnc/tncifimv.c new file mode 100644 index 000000000..fbfd56566 --- /dev/null +++ b/src/libcharon/tnc/tncifimv.c @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tncifimv.h" + +ENUM(TNC_IMV_Action_Recommendation_names, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + "allow", + "no access", + "isolate", + "no recommendation" +); + +ENUM(TNC_IMV_Evaluation_Result_names, + TNC_IMV_EVALUATION_RESULT_COMPLIANT, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW, + "compliant", + "non-compliant minor", + "non-compliant major", + "error", + "don't know" +); + diff --git a/src/libcharon/tnc/tncifimv.h b/src/libcharon/tnc/tncifimv.h new file mode 100644 index 000000000..4ec101337 --- /dev/null +++ b/src/libcharon/tnc/tncifimv.h @@ -0,0 +1,248 @@ +/* tncifimv.h + * + * Trusted Network Connect IF-IMV API version 1.20 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. + * + * Any marks and brands contained herein are the property of their + * respective owners. + */ + +/** + * @defgroup tncifimv tncifimv + * @{ @ingroup tnc + */ + +#ifndef TNCIFIMV_H_ +#define TNCIFIMV_H_ + +#include "tncif.h" + +#include + +typedef TNC_UInt32 TNC_IMVID; +typedef TNC_UInt32 TNC_IMV_Action_Recommendation; +typedef TNC_UInt32 TNC_IMV_Evaluation_Result; +typedef TNC_UInt32 TNC_AttributeID; + +/* Function pointers */ + +typedef TNC_Result (*TNC_IMV_InitializePointer)( + TNC_IMVID imvID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *pOutActualVersion); +typedef TNC_Result (*TNC_IMV_NotifyConnectionChangePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); +typedef TNC_Result (*TNC_IMV_ReceiveMessagePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_IMV_SolicitRecommendationPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMV_BatchEndingPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMV_TerminatePointer)( + TNC_IMVID imvID); +typedef TNC_Result (*TNC_TNCS_ReportMessageTypesPointer)( + TNC_IMVID imvID, + TNC_MessageTypeList supportedTypes, + TNC_UInt32 typeCount); +typedef TNC_Result (*TNC_TNCS_SendMessagePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_TNCS_RequestHandshakeRetryPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_RetryReason reason); +typedef TNC_Result (*TNC_TNCS_ProvideRecommendationPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_IMV_Action_Recommendation recommendation, + TNC_IMV_Evaluation_Result evaluation); +typedef TNC_Result (*TNC_TNCS_GetAttributePointer)( + TNC_IMVID imvID, +TNC_ConnectionID connectionID, +TNC_AttributeID attributeID, + TNC_UInt32 bufferLength, + TNC_BufferReference buffer, + TNC_UInt32 *pOutValueLength); +typedef TNC_Result (*TNC_TNCS_SetAttributePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, +TNC_AttributeID attributeID, + TNC_UInt32 bufferLength, + TNC_BufferReference buffer); +typedef TNC_Result (*TNC_TNCS_BindFunctionPointer)( + TNC_IMVID imvID, + char *functionName, + void **pOutfunctionPointer); +typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)( + TNC_IMVID imvID, + TNC_TNCS_BindFunctionPointer bindFunction); + +/* Version Numbers */ + +#define TNC_IFIMV_VERSION_1 1 + +/* Handshake Retry Reason Values */ + +/* reserved for TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE: 0 */ +/* reserved for TNC_RETRY_REASON_IMC_SERIOUS_EVENT: 1 */ +/* reserved for TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT: 2 */ +/* reserved for TNC_RETRY_REASON_IMC_PERIODIC: 3 */ +#define TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE 4 +#define TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE 5 +#define TNC_RETRY_REASON_IMV_SERIOUS_EVENT 6 +#define TNC_RETRY_REASON_IMV_MINOR_EVENT 7 +#define TNC_RETRY_REASON_IMV_PERIODIC 8 + +/* IMV Action Recommendation Values */ + +#define TNC_IMV_ACTION_RECOMMENDATION_ALLOW 0 +#define TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS 1 +#define TNC_IMV_ACTION_RECOMMENDATION_ISOLATE 2 +#define TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION 3 + +extern enum_name_t *TNC_IMV_Action_Recommendation_names; + +/* IMV Evaluation Result Values */ + +#define TNC_IMV_EVALUATION_RESULT_COMPLIANT 0 +#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR 1 +#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR 2 +#define TNC_IMV_EVALUATION_RESULT_ERROR 3 +#define TNC_IMV_EVALUATION_RESULT_DONT_KNOW 4 + +extern enum_name_t *TNC_IMV_Evaluation_Result_names; + +/* Message Attribute ID Values */ + +#define TNC_ATTRIBUTEID_PREFERRED_LANGUAGE ((TNC_AttributeID) 0x00000001) +#define TNC_ATTRIBUTEID_REASON_STRING ((TNC_AttributeID) 0x00000002) +#define TNC_ATTRIBUTEID_REASON_LANGUAGE ((TNC_AttributeID) 0x00000003) + +/* IMV Functions */ + +TNC_Result TNC_IMV_Initialize( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_Version minVersion, +/*in*/ TNC_Version maxVersion, +/*in*/ TNC_Version *pOutActualVersion); + +TNC_Result TNC_IMV_NotifyConnectionChange( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_ConnectionState newState); + +TNC_Result TNC_IMV_ReceiveMessage( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference messageBuffer, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_IMV_SolicitRecommendation( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMV_BatchEnding( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMV_Terminate( +/*in*/ TNC_IMVID imvID); + +TNC_Result TNC_IMV_ProvideBindFunction( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_TNCS_BindFunctionPointer bindFunction); + +/* TNC Server Functions */ + +TNC_Result TNC_TNCS_ReportMessageTypes( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_MessageTypeList supportedTypes, +/*in*/ TNC_UInt32 typeCount); + +TNC_Result TNC_TNCS_SendMessage( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference message, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_TNCS_RequestHandshakeRetry( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_RetryReason reason); + +TNC_Result TNC_TNCS_ProvideRecommendation( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_IMV_Action_Recommendation recommendation, +/*in*/ TNC_IMV_Evaluation_Result evaluation); + +TNC_Result TNC_TNCS_GetAttribute( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_AttributeID attributeID, +/*in*/ TNC_UInt32 bufferLength, +/*out*/ TNC_BufferReference buffer, +/*out*/ TNC_UInt32 *pOutValueLength); + +TNC_Result TNC_TNCS_SetAttribute( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_AttributeID attributeID, +/*in*/ TNC_UInt32 bufferLength, +/*in*/ TNC_BufferReference buffer); + +TNC_Result TNC_TNCS_BindFunction( +/*in*/ TNC_IMVID imvID, +/*in*/ char *functionName, +/*in*/ void **pOutfunctionPointer); + +#endif /** TNCIFIMV_H_ @}*/ diff --git a/src/libcharon/tnccs/tnccs.c b/src/libcharon/tnccs/tnccs.c deleted file mode 100644 index 2facf02c8..000000000 --- a/src/libcharon/tnccs/tnccs.c +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "tnccs.h" - -ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0, - "TNCCS 1.1", - "TNCCS SOH", - "TNCCS 2.0", -); diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h deleted file mode 100644 index 583512e82..000000000 --- a/src/libcharon/tnccs/tnccs.h +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup tnccs tnccs - * @{ @ingroup libcharon - */ - -#ifndef TNCCS_H_ -#define TNCCS_H_ - -typedef enum tnccs_type_t tnccs_type_t; - -#include - -/** - * Type of TNC Client/Server protocol - */ -enum tnccs_type_t { - TNCCS_1_1, - TNCCS_SOH, - TNCCS_2_0 -}; - -/** - * enum names for tnccs_type_t. - */ -extern enum_name_t *tnccs_type_names; - -typedef struct tnccs_t tnccs_t; - -/** - * Constructor definition for a pluggable TNCCS protocol implementation. - * - * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @return implementation of the tnccs_t interface - */ -typedef tnccs_t* (*tnccs_constructor_t)(bool is_server); - -#endif /** TNC_H_ @}*/ diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c deleted file mode 100644 index 0fd6737c0..000000000 --- a/src/libcharon/tnccs/tnccs_manager.c +++ /dev/null @@ -1,148 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "tnccs_manager.h" - -#include -#include - -typedef struct private_tnccs_manager_t private_tnccs_manager_t; -typedef struct tnccs_entry_t tnccs_entry_t; - -/** - * TNCCS constructor entry - */ -struct tnccs_entry_t { - - /** - * TNCCS protocol type - */ - tnccs_type_t type; - - /** - * constructor function to create instance - */ - tnccs_constructor_t constructor; -}; - -/** - * private data of tnccs_manager - */ -struct private_tnccs_manager_t { - - /** - * public functions - */ - tnccs_manager_t public; - - /** - * list of tnccs_entry_t's - */ - linked_list_t *protocols; - - /** - * rwlock to lock methods - */ - rwlock_t *lock; -}; - -METHOD(tnccs_manager_t, add_method, void, - private_tnccs_manager_t *this, tnccs_type_t type, - tnccs_constructor_t constructor) -{ - tnccs_entry_t *entry = malloc_thing(tnccs_entry_t); - - entry->type = type; - entry->constructor = constructor; - - this->lock->write_lock(this->lock); - this->protocols->insert_last(this->protocols, entry); - this->lock->unlock(this->lock); -} - -METHOD(tnccs_manager_t, remove_method, void, - private_tnccs_manager_t *this, tnccs_constructor_t constructor) -{ - enumerator_t *enumerator; - tnccs_entry_t *entry; - - this->lock->write_lock(this->lock); - enumerator = this->protocols->create_enumerator(this->protocols); - while (enumerator->enumerate(enumerator, &entry)) - { - if (constructor == entry->constructor) - { - this->protocols->remove_at(this->protocols, enumerator); - free(entry); - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); -} - -METHOD(tnccs_manager_t, create_instance, tnccs_t*, - private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) -{ - enumerator_t *enumerator; - tnccs_entry_t *entry; - tnccs_t *protocol = NULL; - - this->lock->read_lock(this->lock); - enumerator = this->protocols->create_enumerator(this->protocols); - while (enumerator->enumerate(enumerator, &entry)) - { - if (type == entry->type) - { - protocol = entry->constructor(is_server); - if (protocol) - { - break; - } - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - return protocol; -} - -METHOD(tnccs_manager_t, destroy, void, - private_tnccs_manager_t *this) -{ - this->protocols->destroy_function(this->protocols, free); - this->lock->destroy(this->lock); - free(this); -} - -/* - * See header - */ -tnccs_manager_t *tnccs_manager_create() -{ - private_tnccs_manager_t *this; - - INIT(this, - .public = { - .add_method = _add_method, - .remove_method = _remove_method, - .create_instance = _create_instance, - .destroy = _destroy, - }, - .protocols = linked_list_create(), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - ); - - return &this->public; -} - diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h deleted file mode 100644 index 2f4a961a7..000000000 --- a/src/libcharon/tnccs/tnccs_manager.h +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup tnccs_manager tnccs_manager - * @{ @ingroup tnccs - */ - -#ifndef TNCCS_MANAGER_H_ -#define TNCCS_MANAGER_H_ - -#include "tnccs.h" - -typedef struct tnccs_manager_t tnccs_manager_t; - -/** - * The TNCCS manager manages all TNCCS implementations and creates instances. - * - * A plugin registers its implemented TNCCS protocol with the manager by - * providing type and a constructor function. The manager then creates - * TNCCS protocol instances via the provided constructor. - */ -struct tnccs_manager_t { - - /** - * Register a TNCCS protocol implementation. - * - * @param type TNCCS protocol type - * @param constructor constructor, returns a TNCCS protocol implementation - */ - void (*add_method)(tnccs_manager_t *this, tnccs_type_t type, - tnccs_constructor_t constructor); - - /** - * Unregister a TNCCS protocol implementation using it's constructor. - * - * @param constructor constructor function to remove, as added in add_method - */ - void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor); - - /** - * Create a new TNCCS protocol instance. - * - * @param type type of the TNCCS protocol - * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @return TNCCS protocol instance, NULL if no constructor found - */ - tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, - bool is_server); - - /** - * Destroy a tnccs_manager instance. - */ - void (*destroy)(tnccs_manager_t *this); -}; - -/** - * Create a tnccs_manager instance. - */ -tnccs_manager_t *tnccs_manager_create(); - -#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 777f1fd10..46f23f4d6 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -217,9 +217,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,6 +256,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libfast/request.c b/src/libfast/request.c index 16c1ae583..a3db70e82 100644 --- a/src/libfast/request.c +++ b/src/libfast/request.c @@ -120,7 +120,7 @@ static char *getenv_cb(void *null, const char *key) private_request_t *this = (private_request_t*)thread_this->get(thread_this); value = FCGX_GetParam(key, this->req.envp); - return value ? strdup(value) : NULL; + return strdupnull(value); } /** @@ -203,6 +203,14 @@ static char* get_query_data(private_request_t *this, char *name) return hdf_get_valuef(this->hdf, "Query.%s", name); } +/** + * Implementation of request_t.get_env_var. + */ +static char* get_env_var(private_request_t *this, char *name) +{ + return FCGX_GetParam(name, this->req.envp); +} + /** * Implementation of request_t.read_data. */ @@ -415,6 +423,7 @@ request_t *request_create(int fd, bool debug) this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie; this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie; this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data; + this->public.get_env_var = (char*(*)(request_t*, char *name))get_env_var; this->public.read_data = (int(*)(request_t*, char*, int))read_data; this->public.session_closed = (bool(*)(request_t*))session_closed; this->public.close_session = (void(*)(request_t*))close_session; diff --git a/src/libfast/request.h b/src/libfast/request.h index 9ca74a91e..c9c1f13e2 100644 --- a/src/libfast/request.h +++ b/src/libfast/request.h @@ -85,6 +85,14 @@ struct request_t { */ char* (*get_query_data)(request_t *this, char *name); + /** + * Get an arbitrary environment variable. + * + * @param name name of the environment variable + * @return value, NULL if not found + */ + char* (*get_env_var)(request_t *this, char *name); + /** * Read raw POST/PUT data from HTTP request. * diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am index 5fee39da9..09f5fe2cd 100644 --- a/src/libfreeswan/Makefile.am +++ b/src/libfreeswan/Makefile.am @@ -1,10 +1,10 @@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ - atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ - keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ - pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ - pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ + pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -14,7 +14,7 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto -dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ - keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 28ba035c6..88ceab557 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -58,19 +58,17 @@ libfreeswan_a_AR = $(AR) $(ARFLAGS) libfreeswan_a_LIBADD = am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \ addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \ - atoasr.$(OBJEXT) atosa.$(OBJEXT) atosubnet.$(OBJEXT) \ - atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \ - goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \ - initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \ + atoasr.$(OBJEXT) atosubnet.$(OBJEXT) atoul.$(OBJEXT) \ + copyright.$(OBJEXT) datatot.$(OBJEXT) goodmask.$(OBJEXT) \ + initaddr.$(OBJEXT) initsaid.$(OBJEXT) initsubnet.$(OBJEXT) \ pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \ pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \ - portof.$(OBJEXT) prng.$(OBJEXT) rangetoa.$(OBJEXT) \ - rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) satoa.$(OBJEXT) \ - satot.$(OBJEXT) subnetof.$(OBJEXT) subnettoa.$(OBJEXT) \ - subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) ttoaddr.$(OBJEXT) \ - ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) ttosa.$(OBJEXT) \ - ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) ultoa.$(OBJEXT) \ - ultot.$(OBJEXT) + portof.$(OBJEXT) rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) \ + sameaddr.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \ + subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \ + ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \ + ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \ + ultoa.$(OBJEXT) ultot.$(OBJEXT) libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -234,9 +232,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -275,6 +271,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -287,11 +285,11 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ - atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ - keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ - pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ - pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ + pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -301,8 +299,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto -dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ - keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 all: all-am @@ -359,7 +357,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@ @@ -368,17 +365,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prng.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satoa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@ diff --git a/src/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3 deleted file mode 100644 index f57fcf1e9..000000000 --- a/src/libfreeswan/atosa.3 +++ /dev/null @@ -1,217 +0,0 @@ -.TH IPSEC_ATOSA 3 "11 June 2001" -.SH NAME -ipsec atosa, satoa \- convert IPsec Security Association IDs to and from ASCII -.SH SYNOPSIS -.B "#include -.sp -.B "const char *atosa(const char *src, size_t srclen," -.ti +1c -.B "struct sa_id *sa); -.br -.B "size_t satoa(struct sa_id sa, int format," -.ti +1c -.B "char *dst, size_t dstlen);" -.sp -.B "struct sa_id {" -.ti +1c -.B "struct in_addr dst;" -.ti +1c -.B "ipsec_spi_t spi;" -.ti +1c -.B "int proto;" -.br -.B "};" -.SH DESCRIPTION -These functions are obsolete; see -.IR ipsec_ttosa (3) -for their replacements. -.PP -.I Atosa -converts an ASCII Security Association (SA) specifier into an -.B sa_id -structure (containing -a destination-host address -in network byte order, -an SPI number in network byte order, and -a protocol code). -.I Satoa -does the reverse conversion, back to an ASCII SA specifier. -.PP -An SA is specified in ASCII with a mail-like syntax, e.g. -.BR esp507@1.2.3.4 . -An SA specifier contains -a protocol prefix (currently -.BR ah , -.BR esp , -or -.BR tun ), -an unsigned integer SPI number, -and an IP address. -The SPI number can be decimal or hexadecimal -(with -.B 0x -prefix), as accepted by -.IR ipsec_atoul (3). -The IP address can be any form accepted by -.IR ipsec_atoaddr (3), -e.g. dotted-decimal address or DNS name. -.PP -As a special case, the SA specifier -.B %passthrough -signifies the special SA used to indicate that packets should be -passed through unaltered. -(At present, this is a synonym for -.BR tun0x0@0.0.0.0 , -but that is subject to change without notice.) -This form is known to both -.I atosa -and -.IR satoa , -so the internal form of -.B %passthrough -is never visible. -.PP -The -.B -header file supplies the -.B sa_id -structure, as well as a data type -.B ipsec_spi_t -which is an unsigned 32-bit integer. -(There is no consistency between kernel and user on what such a type -is called, hence the header hides the differences.) -.PP -The protocol code uses the same numbers that IP does. -For user convenience, given the difficulty in acquiring the exact set of -protocol names used by the kernel, -.B -defines the names -.BR SA_ESP , -.BR SA_AH , -and -.B SA_IPIP -to have the same values as the kernel names -.BR IPPROTO_ESP , -.BR IPPROTO_AH , -and -.BR IPPROTO_IPIP . -.PP -The -.I srclen -parameter of -.I atosa -specifies the length of the ASCII string pointed to by -.IR src ; -it is an error for there to be anything else -(e.g., a terminating NUL) within that length. -As a convenience for cases where an entire NUL-terminated string is -to be converted, -a -.I srclen -value of -.B 0 -is taken to mean -.BR strlen(src) . -.PP -The -.I dstlen -parameter of -.I satoa -specifies the size of the -.I dst -parameter; -under no circumstances are more than -.I dstlen -bytes written to -.IR dst . -A result which will not fit is truncated. -.I Dstlen -can be zero, in which case -.I dst -need not be valid and no result is written, -but the return value is unaffected; -in all other cases, the (possibly truncated) result is NUL-terminated. -The -.I freeswan.h -header file defines a constant, -.BR SATOA_BUF , -which is the size of a buffer just large enough for worst-case results. -.PP -The -.I format -parameter of -.I satoa -specifies what format is to be used for the conversion. -The value -.B 0 -(not the ASCII character -.BR '0' , -but a zero value) -specifies a reasonable default -(currently -lowercase protocol prefix, lowercase hexadecimal SPI, dotted-decimal address). -The value -.B d -causes the SPI to be generated in decimal instead. -.PP -.I Atosa -returns -.B NULL -for success and -a pointer to a string-literal error message for failure; -see DIAGNOSTICS. -.I Satoa -returns -.B 0 -for a failure, and otherwise -always returns the size of buffer which would -be needed to -accommodate the full conversion result, including terminating NUL; -it is the caller's responsibility to check this against the size of -the provided buffer to determine whether truncation has occurred. -.SH SEE ALSO -ipsec_atoul(3), ipsec_atoaddr(3), inet(3) -.SH DIAGNOSTICS -Fatal errors in -.I atosa -are: -empty input; -input too small to be a legal SA specifier; -no -.B @ -in input; -unknown protocol prefix; -conversion error in -.I atoul -or -.IR atoaddr . -.PP -Fatal errors in -.I satoa -are: -unknown format; unknown protocol code. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -.SH BUGS -The -.B tun -protocol code is a FreeS/WANism which may eventually disappear. -.PP -The restriction of ASCII-to-binary error reports to literal strings -(so that callers don't need to worry about freeing them or copying them) -does limit the precision of error reporting. -.PP -The ASCII-to-binary error-reporting convention lends itself -to slightly obscure code, -because many readers will not think of NULL as signifying success. -A good way to make it clearer is to write something like: -.PP -.RS -.nf -.B "const char *error;" -.sp -.B "error = atoaddr( /* ... */ );" -.B "if (error != NULL) {" -.B " /* something went wrong */" -.fi -.RE diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c deleted file mode 100644 index 7339b4c3e..000000000 --- a/src/libfreeswan/atosa.c +++ /dev/null @@ -1,198 +0,0 @@ -/* - * convert from ASCII form of SA ID to binary - * Copyright (C) 1998, 1999 Henry Spencer. - * - * This library is free software; you can redistribute it and/or modify it - * under the terms of the GNU Library General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public - * License for more details. - */ -#include "internal.h" -#include "freeswan.h" - -static struct satype { - char *prefix; - size_t prelen; /* strlen(prefix) */ - int proto; -} satypes[] = { - { "ah", 2, SA_AH }, - { "esp", 3, SA_ESP }, - { "tun", 3, SA_IPIP }, - { "comp", 4, SA_COMP }, - { NULL, 0, 0, } -}; - -/* - - atosa - convert ASCII "ah507@10.0.0.1" to SA identifier - */ -const char * /* NULL for success, else string literal */ -atosa(src, srclen, sa) -const char *src; -size_t srclen; /* 0 means "apply strlen" */ -struct sa_id *sa; -{ - const char *at; - const char *addr; - const char *spi = NULL; - struct satype *sat; - unsigned long ul; - const char *oops; -# define MINLEN 5 /* ah0@0 is as short as it can get */ - static char ptname[] = PASSTHROUGHNAME; -# define PTNLEN (sizeof(ptname)-1) /* -1 for NUL */ - - if (srclen == 0) - srclen = strlen(src); - if (srclen == 0) - return "empty string"; - if (srclen < MINLEN) - return "string too short to be SA specifier"; - if (srclen == PTNLEN && memcmp(src, ptname, PTNLEN) == 0) { - src = PASSTHROUGHIS; - srclen = strlen(src); - } - - at = memchr(src, '@', srclen); - if (at == NULL) - return "no @ in SA specifier"; - - for (sat = satypes; sat->prefix != NULL; sat++) - if (sat->prelen < srclen && - strncmp(src, sat->prefix, sat->prelen) == 0) { - sa->proto = sat->proto; - spi = src + sat->prelen; - break; /* NOTE BREAK OUT */ - } - if (sat->prefix == NULL) - return "SA specifier lacks valid protocol prefix"; - - if (spi >= at) - return "no SPI in SA specifier"; - oops = atoul(spi, at - spi, 13, &ul); - if (oops != NULL) - return oops; - sa->spi = htonl(ul); - - addr = at + 1; - oops = atoaddr(addr, srclen - (addr - src), &sa->dst); - if (oops != NULL) - return oops; - - return NULL; -} - - - -#ifdef ATOSA_MAIN - -#include -#include -#include -#include - -void regress(void); - -int -main(int argc, char *argv[]) -{ - struct sa_id sa; - char buf[100]; - const char *oops; - size_t n; - - if (argc < 2) { - fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]); - exit(2); - } - - if (strcmp(argv[1], "-r") == 0) { - regress(); - fprintf(stderr, "regress() returned?!?\n"); - exit(1); - } - - oops = atosa(argv[1], 0, &sa); - if (oops != NULL) { - fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops); - exit(1); - } - n = satoa(sa, 0, buf, sizeof(buf)); - if (n > sizeof(buf)) { - fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto); - fprintf(stderr, "%lu@", (long unsigned int)sa.spi); - fprintf(stderr, "%s", inet_ntoa(sa.dst)); - fprintf(stderr, " failed: need %ld bytes, have only %ld\n", - (long)n, (long)sizeof(buf)); - exit(1); - } - printf("%s\n", buf); - - exit(0); -} - -struct rtab { - char *input; - char *output; /* NULL means error expected */ -} rtab[] = { - {"esp257@1.2.3.0", "esp257@1.2.3.0"}, - {"ah0x20@1.2.3.4", "ah32@1.2.3.4"}, - {"tun011@111.2.3.99", "tun11@111.2.3.99"}, - {"", NULL}, - {"_", NULL}, - {"ah2.2", NULL}, - {"goo2@1.2.3.4", NULL}, - {"esp9@1.2.3.4", "esp9@1.2.3.4"}, - {"espp9@1.2.3.4", NULL}, - {"es9@1.2.3.4", NULL}, - {"ah@1.2.3.4", NULL}, - {"esp7x7@1.2.3.4", NULL}, - {"esp77@1.0x2.3.4", NULL}, - {PASSTHROUGHNAME, PASSTHROUGHNAME}, - {NULL, NULL} -}; - -void -regress(void) -{ - struct rtab *r; - int status = 0; - struct sa_id sa; - char in[100]; - char buf[100]; - const char *oops; - size_t n; - - for (r = rtab; r->input != NULL; r++) { - strcpy(in, r->input); - oops = atosa(in, 0, &sa); - if (oops != NULL && r->output == NULL) - {} /* okay, error expected */ - else if (oops != NULL) { - printf("`%s' atosa failed: %s\n", r->input, oops); - status = 1; - } else if (r->output == NULL) { - printf("`%s' atosa succeeded unexpectedly\n", - r->input); - status = 1; - } else { - n = satoa(sa, 'd', buf, sizeof(buf)); - if (n > sizeof(buf)) { - printf("`%s' satoa failed: need %ld\n", - r->input, (long)n); - status = 1; - } else if (strcmp(r->output, buf) != 0) { - printf("`%s' gave `%s', expected `%s'\n", - r->input, buf, r->output); - status = 1; - } - } - } - exit(status); -} - -#endif /* ATOSA_MAIN */ diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c index 65585b62e..e55e849f7 100644 --- a/src/libfreeswan/copyright.c +++ b/src/libfreeswan/copyright.c @@ -27,13 +27,13 @@ static const char *co[] = { " Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,", " Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,", " Roger Wegmann, Simon Zwahlen,", - " Zuercher Hochschule Winterthur (Switzerland).", + " ZHW Zuercher Hochschule Winterthur (Switzerland).", "", - " Philip Boetschi, Tobias Brunner, Adrian Doerig, Andreas Eigenmann,", - " Fabian Hartmann, Noah Heusser, Jan Hutter, Thomas Kallenberg,", - " Daniel Roethlisberger, Joel Stillhart, Martin Willi, Daniel Wydler,", - " Andreas Steffen,", - " Hochschule fuer Technik Rapperswil (Switzerland).", + " Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,", + " Andreas Eigenmann, Fabian Hartmann, Noah Heusser, Jan Hutter,", + " Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,", + " Daniel Wydler, Andreas Steffen,", + " HSR Hochschule fuer Technik Rapperswil (Switzerland).", "", "This program is free software; you can redistribute it and/or modify it", "under the terms of the GNU General Public License as published by the", diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h index 342f59987..724165bde 100644 --- a/src/libfreeswan/freeswan.h +++ b/src/libfreeswan/freeswan.h @@ -158,11 +158,6 @@ err_t ttodatav(const char *src, size_t srclen, int base, size_t datatot(const char *src, size_t srclen, int format, char *buf, size_t buflen); -size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst, - size_t dstlen); -size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m, - size_t mlen, char *dst, size_t dstlen); -#define KEYID_BUF 10 /* up to 9 text digits plus NUL */ err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port, bool *has_port_wildcard); @@ -206,12 +201,6 @@ void setportof(int port, ip_address *dst); struct sockaddr *sockaddrof(ip_address *src); size_t sockaddrlenof(const ip_address *src); -/* PRNG */ -void prng_init(struct prng *prng, const unsigned char *key, size_t keylen); -void prng_bytes(struct prng *prng, unsigned char *dst, size_t dstlen); -unsigned long prng_count(struct prng *prng); -void prng_final(struct prng *prng); - /* odds and ends */ const char **ipsec_copyright_notice(void); @@ -294,24 +283,6 @@ rangetoa( ); #define RANGETOA_BUF 34 /* large enough for worst case result */ -/* data types for SA conversion functions */ - -/* SAs */ -const char * /* NULL for success, else string literal */ -atosa( - const char *src, - size_t srclen, /* 0 means strlen(src) */ - struct sa_id *sa -); -size_t /* space needed for full conversion */ -satoa( - struct sa_id sa, - int format, /* character; 0 means default */ - char *dst, - size_t dstlen -); -#define SATOA_BUF (3+ULTOA_BUF+ADDRTOA_BUF) - /* generic data, e.g. keys */ const char * /* NULL for success, else string literal */ atobytes( diff --git a/src/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3 deleted file mode 100644 index 8b5bfb0a2..000000000 --- a/src/libfreeswan/keyblobtoid.3 +++ /dev/null @@ -1,102 +0,0 @@ -.TH IPSEC_KEYBLOBTOID 3 "25 March 2002" -.SH NAME -ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys -.SH SYNOPSIS -.B "#include -.sp -.B "size_t keyblobtoid(const unsigned char *blob," -.ti +1c -.B "size_t bloblen, char *dst, size_t dstlen);" -.br -.B "size_t splitkeytoid(const unsigned char *e, size_t elen," -.ti +1c -.B "const unsigned char *m, size_t mlen, char *dst, -.ti +1c -.B "size_t dstlen);" -.SH DESCRIPTION -.I Keyblobtoid -and -.I splitkeytoid -generate -key IDs -from RSA keys, -for use in messages and reporting, -writing the result to -.IR dst . -A -.I key ID -is a short ASCII string identifying a key; -currently it is just the first nine characters of the base64 -encoding of the RFC 2537/3110 ``byte blob'' representation of the key. -(Beware that no finite key ID can be collision-proof: -there is always some small chance of two random keys having the -same ID.) -.PP -.I Keyblobtoid -generates a key ID from a key which is already in the form of an -RFC 2537/3110 binary key -.I blob -(encoded exponent length, exponent, modulus). -.PP -.I Splitkeytoid -generates a key ID from a key given in the form of a separate -(binary) exponent -.I e -and modulus -.IR m . -.PP -The -.I dstlen -parameter of either -specifies the size of the -.I dst -parameter; -under no circumstances are more than -.I dstlen -bytes written to -.IR dst . -A result which will not fit is truncated. -.I Dstlen -can be zero, in which case -.I dst -need not be valid and no result is written, -but the return value is unaffected; -in all other cases, the (possibly truncated) result is NUL-terminated. -The -.I freeswan.h -header file defines a constant -.B KEYID_BUF -which is the size of a buffer large enough for worst-case results. -.PP -Both functions return -.B 0 -for a failure, and otherwise -always return the size of buffer which would -be needed to -accommodate the full conversion result, including terminating NUL; -it is the caller's responsibility to check this against the size of -the provided buffer to determine whether truncation has occurred. -.P -With keys generated by -.IR ipsec_rsasigkey (3), -the first two base64 digits are always the same, -and the third carries only about one bit of information. -It's worse with keys using longer fixed exponents, -e.g. the 24-bit exponent that's common in X.509 certificates. -However, being able to relate key IDs to the full -base64 text form of keys by eye is sufficiently useful that this -waste of space seems justifiable. -The choice of nine digits is a compromise between bulk and -probability of collision. -.SH SEE ALSO -RFC 3110, -\fIRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)\fR, -Eastlake, 2001 -(superseding the older but better-known RFC 2537). -.SH DIAGNOSTICS -Fatal errors are: -key too short to supply enough bits to construct a complete key ID -(almost certainly indicating a garbage key); -exponent too long for its length to be representable. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c deleted file mode 100644 index 89ab5fced..000000000 --- a/src/libfreeswan/keyblobtoid.c +++ /dev/null @@ -1,146 +0,0 @@ -/* - * generate printable key IDs - * Copyright (C) 2002 Henry Spencer. - * - * This library is free software; you can redistribute it and/or modify it - * under the terms of the GNU Library General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public - * License for more details. - */ -#include "internal.h" -#include "freeswan.h" - -/* - - keyblobtoid - generate a printable key ID from an RFC 2537/3110 key blob - * Current algorithm is just to use first nine base64 digits. - */ -size_t -keyblobtoid(src, srclen, dst, dstlen) -const unsigned char *src; -size_t srclen; -char *dst; /* need not be valid if dstlen is 0 */ -size_t dstlen; -{ - char buf[KEYID_BUF]; - size_t ret; -# define NDIG 9 - - if (srclen < (NDIG*6 + 7)/8) { - strcpy(buf, "?len= ?"); - buf[5] = '0' + srclen; - ret = 0; - } else { - (void) datatot(src, srclen, 64, buf, NDIG+1); - ret = NDIG+1; - } - - if (dstlen > 0) { - if (strlen(buf)+1 > dstlen) - *(buf + dstlen - 1) = '\0'; - strcpy(dst, buf); - } - return ret; -} - -/* - - splitkeytoid - generate a printable key ID from exponent/modulus pair - * Just constructs the beginnings of a key blob and calls keyblobtoid(). - */ -size_t -splitkeytoid(e, elen, m, mlen, dst, dstlen) -const unsigned char *e; -size_t elen; -const unsigned char *m; -size_t mlen; -char *dst; /* need not be valid if dstlen is 0 */ -size_t dstlen; -{ - unsigned char buf[KEYID_BUF]; /* ample room */ - unsigned char *bufend = buf + sizeof(buf); - unsigned char *p; - size_t n; - - p = buf; - if (elen <= 255) - *p++ = elen; - else if ((elen &~ 0xffff) == 0) { - *p++ = 0; - *p++ = (elen>>8) & 0xff; - *p++ = elen & 0xff; - } else - return 0; /* unrepresentable exponent length */ - - n = bufend - p; - if (elen < n) - n = elen; - memcpy(p, e, n); - p += n; - - n = bufend - p; - if (n > 0) { - if (mlen < n) - n = mlen; - memcpy(p, m, n); - p += n; - } - - return keyblobtoid(buf, p - buf, dst, dstlen); -} - - - -#ifdef KEYBLOBTOID_MAIN - -#include - -void regress(); - -int -main(argc, argv) -int argc; -char *argv[]; -{ - typedef unsigned char uc; - uc hexblob[] = "\x01\x03\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52"; - uc hexe[] = "\x03"; - uc hexm[] = "\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52\xef\x85"; - char b64nine[] = "AQOF8tZ2m"; - char b64six[] = "AQOF8t"; - char buf[100]; - size_t n; - char *b = b64nine; - size_t bl = strlen(b) + 1; - int st = 0; - - n = keyblobtoid(hexblob, strlen(hexblob), buf, sizeof(buf)); - if (n != bl) { - fprintf(stderr, "%s: keyblobtoid returned %d not %d\n", - argv[0], n, bl); - st = 1; - } - if (strcmp(buf, b) != 0) { - fprintf(stderr, "%s: keyblobtoid generated `%s' not `%s'\n", - argv[0], buf, b); - st = 1; - } - n = splitkeytoid(hexe, strlen(hexe), hexm, strlen(hexm), buf, - sizeof(buf)); - if (n != bl) { - fprintf(stderr, "%s: splitkeytoid returned %d not %d\n", - argv[0], n, bl); - st = 1; - } - if (strcmp(buf, b) != 0) { - fprintf(stderr, "%s: splitkeytoid generated `%s' not `%s'\n", - argv[0], buf, b); - st = 1; - } - exit(st); -} - -#endif /* KEYBLOBTOID_MAIN */ diff --git a/src/libfreeswan/prng.3 b/src/libfreeswan/prng.3 deleted file mode 100644 index 48c6ceed0..000000000 --- a/src/libfreeswan/prng.3 +++ /dev/null @@ -1,120 +0,0 @@ -.TH IPSEC_PRNG 3 "1 April 2002" -.SH NAME -ipsec prng_init \- initialize IPsec pseudorandom-number generator -.br -ipsec prng_bytes \- get bytes from IPsec pseudorandom-number generator -.br -ipsec prng_final \- close down IPsec pseudorandom-number generator -.SH SYNOPSIS -.B "#include -.sp -.B "void prng_init(struct prng *prng," -.ti +1c -.B "const unsigned char *key, size_t keylen);" -.br -.B "void prng_bytes(struct prng *prng, char *dst," -.ti +1c -.B "size_t dstlen);" -.br -.B "unsigned long prng_count(struct prng *prng);" -.br -.B "void prng_final(struct prng *prng);" -.SH DESCRIPTION -.I Prng_init -initializes a crypto-quality pseudo-random-number generator from a key; -.I prng_bytes -obtains pseudo-random bytes from it; -.I prng_count -reports the number of bytes extracted from it to date; -.I prng_final -closes it down. -It is the user's responsibility to initialize a PRNG before using it, -and not to use it again after it is closed down. -.PP -.I Prng_init -initializes, -or re-initializes, -the specified -.I prng -from the -.IR key , -whose length is given by -.IR keylen . -The user must allocate the -.B "struct prng" -pointed to by -.IR prng . -There is no particular constraint on the length of the key, -although a key longer than 256 bytes is unnecessary because -only the first 256 would be used. -Initialization requires on the order of 3000 integer operations, -independent of key length. -.PP -.I Prng_bytes -obtains -.I dstlen -pseudo-random bytes from the PRNG and puts them in -.IR buf . -This is quite fast, -on the order of 10 integer operations per byte. -.PP -.I Prng_count -reports the number of bytes obtained from the PRNG -since it was (last) initialized. -.PP -.I Prng_final -closes down a PRNG by -zeroing its internal memory, -obliterating all trace of the state used to generate its previous output. -This requires on the order of 250 integer operations. -.PP -The -.B -header file supplies the definition of the -.B prng -structure. -Examination of its innards is discouraged, as they may change. -.PP -The PRNG algorithm -used by these functions is currently identical to that of RC4(TM). -This algorithm is cryptographically strong, -sufficiently unpredictable that even a hostile observer will -have difficulty determining the next byte of output from past history, -provided it is initialized from a reasonably large key composed of -highly random bytes (see -.IR random (4)). -The usual run of software pseudo-random-number generators -(e.g. -.IR random (3)) -are -.I not -cryptographically strong. -.PP -The well-known attacks against RC4(TM), -e.g. as found in 802.11b's WEP encryption system, -apply only if multiple PRNGs are initialized with closely-related keys -(e.g., using a counter appended to a base key). -If such keys are used, the first few hundred pseudo-random bytes -from each PRNG should be discarded, -to give the PRNGs a chance to randomize their innards properly. -No useful attacks are known if the key is well randomized to begin with. -.SH SEE ALSO -random(3), random(4) -.br -Bruce Schneier, -\fIApplied Cryptography\fR, 2nd ed., 1996, ISBN 0-471-11709-9, -pp. 397-8. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -.SH BUGS -If an attempt is made to obtain more than 4e9 bytes -between initializations, -the PRNG will continue to work but -.IR prng_count 's -output will stick at -.BR 4000000000 . -Fixing this would require a longer integer type and does -not seem worth the trouble, -since you should probably re-initialize before then anyway... -.PP -``RC4'' is a trademark of RSA Data Security, Inc. diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c deleted file mode 100644 index 347f13f89..000000000 --- a/src/libfreeswan/prng.c +++ /dev/null @@ -1,200 +0,0 @@ -/* - * crypto-class pseudorandom number generator - * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397 - * Copyright (C) 2002 Henry Spencer. - * - * This library is free software; you can redistribute it and/or modify it - * under the terms of the GNU Library General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public - * License for more details. - */ -#include "internal.h" -#include "freeswan.h" - -/* - - prng_init - initialize PRNG from a key - */ -void -prng_init(prng, key, keylen) -struct prng *prng; -const unsigned char *key; -size_t keylen; -{ - unsigned char k[256]; - int i, j; - unsigned const char *p; - unsigned const char *keyend = key + keylen; - unsigned char t; - - for (i = 0; i <= 255; i++) - prng->sbox[i] = i; - p = key; - for (i = 0; i <= 255; i++) { - k[i] = *p++; - if (p >= keyend) - p = key; - } - j = 0; - for (i = 0; i <= 255; i++) { - j = (j + prng->sbox[i] + k[i]) & 0xff; - t = prng->sbox[i]; - prng->sbox[i] = prng->sbox[j]; - prng->sbox[j] = t; - k[i] = 0; /* clear out key memory */ - } - prng->i = 0; - prng->j = 0; - prng->count = 0; -} - -/* - - prng_bytes - get some pseudorandom bytes from PRNG - */ -void -prng_bytes(prng, dst, dstlen) -struct prng *prng; -unsigned char *dst; -size_t dstlen; -{ - int i, j, t; - unsigned char *p = dst; - size_t remain = dstlen; -# define MAX 4000000000ul - - while (remain > 0) { - i = (prng->i + 1) & 0xff; - prng->i = i; - j = (prng->j + prng->sbox[i]) & 0xff; - prng->j = j; - t = prng->sbox[i]; - prng->sbox[i] = prng->sbox[j]; - prng->sbox[j] = t; - t = (t + prng->sbox[i]) & 0xff; - *p++ = prng->sbox[t]; - remain--; - } - if (prng->count < MAX - dstlen) - prng->count += dstlen; - else - prng->count = MAX; -} - -/* - - prnt_count - how many bytes have been extracted from PRNG so far? - */ -unsigned long -prng_count(prng) -struct prng *prng; -{ - return prng->count; -} - -/* - - prng_final - clear out PRNG to ensure nothing left in memory - */ -void -prng_final(prng) -struct prng *prng; -{ - int i; - - for (i = 0; i <= 255; i++) - prng->sbox[i] = 0; - prng->i = 0; - prng->j = 0; - prng->count = 0; /* just for good measure */ -} - - - -#ifdef PRNG_MAIN - -#include - -void regress(); - -int -main(argc, argv) -int argc; -char *argv[]; -{ - struct prng pr; - unsigned char buf[100]; - unsigned char *p; - size_t n; - - if (argc < 2) { - fprintf(stderr, "Usage: %s {key|-r}\n", argv[0]); - exit(2); - } - - if (strcmp(argv[1], "-r") == 0) { - regress(); - fprintf(stderr, "regress() returned?!?\n"); - exit(1); - } - - prng_init(&pr, argv[1], strlen(argv[1])); - prng_bytes(&pr, buf, 32); - printf("0x"); - for (p = buf, n = 32; n > 0; p++, n--) - printf("%02x", *p); - printf("\n%lu bytes\n", prng_count(&pr)); - prng_final(&pr); - exit(0); -} - -void -regress() -{ - struct prng pr; - unsigned char buf[100]; - unsigned char *p; - size_t n; - /* somewhat non-random sample key */ - unsigned char key[] = "here we go gathering nuts in May"; - /* first thirty bytes of output from that key */ - unsigned char good[] = "\x3f\x02\x8e\x4a\x2a\xea\x23\x18\x92\x7c" - "\x09\x52\x83\x61\xaa\x26\xce\xbb\x9d\x71" - "\x71\xe5\x10\x22\xaf\x60\x54\x8d\x5b\x28"; - int nzero, none; - int show = 0; - - prng_init(&pr, key, strlen(key)); - prng_bytes(&pr, buf, sizeof(buf)); - for (p = buf, n = sizeof(buf); n > 0; p++, n--) { - if (*p == 0) - nzero++; - if (*p == 255) - none++; - } - if (nzero > 3 || none > 3) { - fprintf(stderr, "suspiciously non-random output!\n"); - show = 1; - } - if (memcmp(buf, good, strlen(good)) != 0) { - fprintf(stderr, "incorrect output!\n"); - show = 1; - } - if (show) { - fprintf(stderr, "0x"); - for (p = buf, n = sizeof(buf); n > 0; p++, n--) - fprintf(stderr, "%02x", *p); - fprintf(stderr, "\n"); - exit(1); - } - if (prng_count(&pr) != sizeof(buf)) { - fprintf(stderr, "got %u bytes, but count is %lu\n", - sizeof(buf), prng_count(&pr)); - exit(1); - } - prng_final(&pr); - exit(0); -} - -#endif /* PRNG_MAIN */ diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c deleted file mode 100644 index 09a152727..000000000 --- a/src/libfreeswan/satoa.c +++ /dev/null @@ -1,100 +0,0 @@ -/* - * convert from binary form of SA ID to ASCII - * Copyright (C) 1998, 1999, 2001 Henry Spencer. - * - * This library is free software; you can redistribute it and/or modify it - * under the terms of the GNU Library General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public - * License for more details. - */ -#include "internal.h" -#include "freeswan.h" - -static struct typename { - char type; - char *name; -} typenames[] = { - { SA_AH, "ah" }, - { SA_ESP, "esp" }, - { SA_IPIP, "tun" }, - { SA_COMP, "comp" }, - { SA_INT, "int" }, - { 0, NULL } -}; - -/* - - satoa - convert SA to ASCII "ah507@1.2.3.4" - */ -size_t /* space needed for full conversion */ -satoa(sa, format, dst, dstlen) -struct sa_id sa; -int format; /* character */ -char *dst; /* need not be valid if dstlen is 0 */ -size_t dstlen; -{ - size_t len = 0; /* 0 means not handled yet */ - int base; - struct typename *tn; - char buf[30+ADDRTOA_BUF]; - - switch (format) { - case 0: - base = 16; /* temporarily at least */ - break; - case 'd': - base = 10; - break; - default: - return 0; - break; - } - - for (tn = typenames; tn->name != NULL; tn++) - if (sa.proto == tn->type) - break; - if (tn->name == NULL) - return 0; - - if (strcmp(tn->name, PASSTHROUGHTYPE) == 0 && - sa.spi == PASSTHROUGHSPI && - sa.dst.s_addr == PASSTHROUGHDST) { - strcpy(buf, PASSTHROUGHNAME); - len = strlen(buf); - } else if (sa.proto == SA_INT && sa.dst.s_addr == 0) { - char *p; - - switch (ntohl(sa.spi)) { - case SPI_PASS: p = "%pass"; break; - case SPI_DROP: p = "%drop"; break; - case SPI_REJECT: p = "%reject"; break; - case SPI_HOLD: p = "%hold"; break; - case SPI_TRAP: p = "%trap"; break; - case SPI_TRAPSUBNET: p = "%trapsubnet"; break; - default: p = NULL; break; - } - if (p != NULL) { - strcpy(buf, p); - len = strlen(buf); - } - } - - if (len == 0) { - strcpy(buf, tn->name); - len = strlen(buf); - len += ultoa(ntohl(sa.spi), base, buf+len, sizeof(buf)-len); - *(buf+len-1) = '@'; - len += addrtoa(sa.dst, 0, buf+len, sizeof(buf)-len); - } - - if (dst != NULL) { - if (len > dstlen) - *(buf+dstlen-1) = '\0'; - strcpy(dst, buf); - } - return len; -} diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 8e5697b79..8b1e7384f 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -271,9 +271,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -312,6 +310,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 3e6d46205..4fd5a7535 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -78,8 +78,8 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int32_t reqid, - mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) @@ -89,8 +89,8 @@ METHOD(kernel_interface_t, add_sa, status_t, return NOT_SUPPORTED; } return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, - mark, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, - cpi, encap, inbound, src_ts, dst_ts); + mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, + ipcomp, cpi, encap, inbound, src_ts, dst_ts); } METHOD(kernel_interface_t, update_sa, status_t, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 8b0c7a296..ec73fa1f7 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -91,6 +91,7 @@ struct kernel_interface_t { * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA * @param mark optional mark for this SA + * @param tfc Traffic Flow Confidentiality padding for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -108,7 +109,7 @@ struct kernel_interface_t { status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 49d9cc07a..3e2d8b9ce 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -204,6 +204,7 @@ struct kernel_ipsec_t { * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA * @param mark mark for this SA + * @param tfc Traffic Flow Confidentiality padding for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -221,7 +222,7 @@ struct kernel_ipsec_t { status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, - mark_t mark, lifetime_cfg_t *lifetime, + mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 72182e57f..2da06a89c 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c index 24c00bb44..0f66b680a 100644 --- a/src/libhydra/plugins/attr/attr_plugin.c +++ b/src/libhydra/plugins/attr/attr_plugin.c @@ -36,10 +36,8 @@ struct private_attr_plugin_t { attr_provider_t *provider; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_attr_plugin_t *this) { hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider); this->provider->destroy(this->provider); @@ -51,11 +49,16 @@ static void destroy(private_attr_plugin_t *this) */ plugin_t *attr_plugin_create() { - private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_attr_plugin_t *this; - this->provider = attr_provider_create(); + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .provider = attr_provider_create(), + ); hydra->attributes->add_provider(hydra->attributes, &this->provider->provider); return &this->public.plugin; diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index dfb41cc02..26e7a3038 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -232,9 +232,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -273,6 +271,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c index 70e7a2247..ca9de023e 100644 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c +++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c @@ -43,10 +43,8 @@ struct private_attr_sql_plugin_t { }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_sql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_attr_sql_plugin_t *this) { hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->attribute->destroy(this->attribute); @@ -59,21 +57,26 @@ static void destroy(private_attr_sql_plugin_t *this) */ plugin_t *attr_sql_plugin_create() { - char *uri; private_attr_sql_plugin_t *this; + char *uri; - uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); + uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", + NULL); if (!uri) { DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); return NULL; } - this = malloc_thing(private_attr_sql_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .db = lib->db->create(lib->db, uri), + ); - this->db = lib->db->create(lib->db, uri); if (!this->db) { DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index a451bd6f5..7d2464456 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index 0ccb2ac5f..cf9a3e1fd 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1668,7 +1668,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c index 1a22835c0..3c312ca2b 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c @@ -32,10 +32,8 @@ struct private_kernel_klips_plugin_t { kernel_klips_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_klips_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_klips_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_klips_plugin_t *this) */ plugin_t *kernel_klips_plugin_create() { - private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_klips_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index d41ee1456..c7404fe06 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8cc9a6283..4dc80785c 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -58,8 +58,8 @@ #endif /*IPV6_XFRM_POLICY*/ /** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 +#define PRIO_LOW 1024 +#define PRIO_HIGH 512 /** * map the limit for bytes and packets to XFRM_INF per default @@ -866,7 +866,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts, traffic_selector_t* dst_ts) @@ -882,7 +882,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (ipcomp != IPCOMP_NONE && cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, + add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, FALSE, inbound, NULL, NULL); ipcomp = IPCOMP_NONE; @@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, sa->flags |= XFRM_STATE_AF_UNSPEC; break; case MODE_BEET: + case MODE_TRANSPORT: if(src_ts && dst_ts) { sa->sel = ts2selector(src_ts, dst_ts); @@ -1153,6 +1154,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } + if (tfc) + { + u_int32_t *tfcpad; + + rthdr->rta_type = XFRMA_TFCPAD; + rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + tfcpad = (u_int32_t*)RTA_DATA(rthdr); + *tfcpad = tfc; + rthdr = XFRM_RTA_NEXT(rthdr); + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { if (mark.value) @@ -1687,11 +1706,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); policy_info->sel = policy->sel; policy_info->dir = policy->direction; - /* calculate priority based on source selector size, small size = high prio */ + + /* calculate priority based on selector size, small size = high prio */ policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; + policy_info->priority -= policy->sel.prefixlen_s; + policy_info->priority -= policy->sel.prefixlen_d; + policy_info->priority <<= 2; /* make some room for the two flags */ + policy_info->priority += policy->sel.sport_mask || + policy->sel.dport_mask ? 0 : 2; + policy_info->priority += policy->sel.proto ? 0 : 1; + policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW : XFRM_POLICY_BLOCK; policy_info->share = XFRM_SHARE_ANY; @@ -1813,6 +1837,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, if (route->if_name) { + DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", + src_ts, route->gateway, route->src_ip, route->if_name); switch (hydra->kernel_interface->add_route( hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c index 212675d1a..9fc1a03f5 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c @@ -33,10 +33,8 @@ struct private_kernel_netlink_plugin_t { kernel_netlink_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_netlink_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_netlink_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); @@ -50,10 +48,15 @@ static void destroy(private_kernel_netlink_plugin_t *this) */ plugin_t *kernel_netlink_plugin_create() { - private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_kernel_netlink_plugin_t *this; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index a98ae42d1..40363f319 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index f5786447b..681811528 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -99,8 +99,8 @@ #endif /** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 +#define PRIO_LOW 1024 +#define PRIO_HIGH 512 #ifdef __APPLE__ /** from xnu/bsd/net/pfkeyv2.h */ @@ -1206,7 +1206,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1651,11 +1651,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t, pol->sadb_x_policy_dir = dir2kernel(direction); pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY - /* calculate priority based on source selector size, small size = high prio */ + /* calculate priority based on selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; - pol->sadb_x_policy_priority -= policy->src.mask * 10; - pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; - pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; + pol->sadb_x_policy_priority -= policy->src.mask; + pol->sadb_x_policy_priority -= policy->dst.mask; + pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */ + pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) || + policy->dst.net->get_port(policy->dst.net) ? 0 : 2; + pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1; #endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c index 781ba5008..9e7a7904d 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c @@ -32,10 +32,8 @@ struct private_kernel_pfkey_plugin_t { kernel_pfkey_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfkey_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_pfkey_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_pfkey_plugin_t *this) */ plugin_t *kernel_pfkey_plugin_create() { - private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_pfkey_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index b0bc00c70..4db374b75 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c index 5f351bd72..a4cb53edd 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -32,10 +32,8 @@ struct private_kernel_pfroute_plugin_t { kernel_pfroute_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfroute_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_pfroute_plugin_t *this) { hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_pfroute_plugin_t *this) */ plugin_t *kernel_pfroute_plugin_create() { - private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_pfroute_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index aedc8fdb7..e6c5fb712 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c index 502129593..ad18c7060 100644 --- a/src/libhydra/plugins/resolve/resolve_plugin.c +++ b/src/libhydra/plugins/resolve/resolve_plugin.c @@ -36,10 +36,8 @@ struct private_resolve_plugin_t { resolve_handler_t *handler; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_resolve_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_resolve_plugin_t *this) { hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); this->handler->destroy(this->handler); @@ -51,10 +49,16 @@ static void destroy(private_resolve_plugin_t *this) */ plugin_t *resolve_plugin_create() { - private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t); + private_resolve_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - this->handler = resolve_handler_create(); + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .handler = resolve_handler_create(), + ); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); return &this->public.plugin; diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index 0aa509acc..ef7a6ee38 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -192,9 +192,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -233,6 +231,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 2ab8aa636..6a29d8eea 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -30,8 +30,7 @@ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ credentials/certificates/certificate.c credentials/certificates/certificate.h \ -credentials/certificates/x509.h credentials/certificates/x509.c \ -credentials/certificates/ac.h \ +credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -136,6 +135,13 @@ else SUBDIRS = . endif +if USE_AF_ALG + SUBDIRS += plugins/af_alg +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/af_alg/libstrongswan-af-alg.la +endif +endif + if USE_AES SUBDIRS += plugins/aes if MONOLITHIC @@ -227,6 +233,13 @@ if MONOLITHIC endif endif +if USE_CONSTRAINTS + SUBDIRS += plugins/constraints +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/constraints/libstrongswan-constraints.la +endif +endif + if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC @@ -269,6 +282,13 @@ if MONOLITHIC endif endif +if USE_SOUP + SUBDIRS += plugins/soup +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/soup/libstrongswan-soup.la +endif +endif + if USE_LDAP SUBDIRS += plugins/ldap if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 8be6dd9b8..76b4f70c6 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -44,70 +44,76 @@ host_triplet = @host@ @USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h @USE_VSTR_TRUE@am__append_6 = -lvstr -@USE_AES_TRUE@am__append_7 = plugins/aes -@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_8 = plugins/aes/libstrongswan-aes.la -@USE_DES_TRUE@am__append_9 = plugins/des -@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_10 = plugins/des/libstrongswan-des.la -@USE_BLOWFISH_TRUE@am__append_11 = plugins/blowfish -@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_12 = plugins/blowfish/libstrongswan-blowfish.la -@USE_MD4_TRUE@am__append_13 = plugins/md4 -@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_14 = plugins/md4/libstrongswan-md4.la -@USE_MD5_TRUE@am__append_15 = plugins/md5 -@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_16 = plugins/md5/libstrongswan-md5.la -@USE_SHA1_TRUE@am__append_17 = plugins/sha1 -@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_18 = plugins/sha1/libstrongswan-sha1.la -@USE_SHA2_TRUE@am__append_19 = plugins/sha2 -@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_20 = plugins/sha2/libstrongswan-sha2.la -@USE_GMP_TRUE@am__append_21 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_22 = plugins/gmp/libstrongswan-gmp.la -@USE_RANDOM_TRUE@am__append_23 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_24 = plugins/random/libstrongswan-random.la -@USE_HMAC_TRUE@am__append_25 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_26 = plugins/hmac/libstrongswan-hmac.la -@USE_XCBC_TRUE@am__append_27 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_29 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la -@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PGP_TRUE@am__append_37 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la -@USE_PEM_TRUE@am__append_41 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_43 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la -@USE_LDAP_TRUE@am__append_45 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_47 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_59 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la -@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_63 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_65 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_67 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la -@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_AF_ALG_TRUE@am__append_7 = plugins/af_alg +@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg/libstrongswan-af-alg.la +@USE_AES_TRUE@am__append_9 = plugins/aes +@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_10 = plugins/aes/libstrongswan-aes.la +@USE_DES_TRUE@am__append_11 = plugins/des +@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_12 = plugins/des/libstrongswan-des.la +@USE_BLOWFISH_TRUE@am__append_13 = plugins/blowfish +@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish/libstrongswan-blowfish.la +@USE_MD4_TRUE@am__append_15 = plugins/md4 +@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_16 = plugins/md4/libstrongswan-md4.la +@USE_MD5_TRUE@am__append_17 = plugins/md5 +@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_18 = plugins/md5/libstrongswan-md5.la +@USE_SHA1_TRUE@am__append_19 = plugins/sha1 +@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_20 = plugins/sha1/libstrongswan-sha1.la +@USE_SHA2_TRUE@am__append_21 = plugins/sha2 +@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_22 = plugins/sha2/libstrongswan-sha2.la +@USE_GMP_TRUE@am__append_23 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_24 = plugins/gmp/libstrongswan-gmp.la +@USE_RANDOM_TRUE@am__append_25 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_26 = plugins/random/libstrongswan-random.la +@USE_HMAC_TRUE@am__append_27 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_28 = plugins/hmac/libstrongswan-hmac.la +@USE_XCBC_TRUE@am__append_29 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_30 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_31 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_32 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_33 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_34 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_35 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_36 = plugins/constraints/libstrongswan-constraints.la +@USE_PUBKEY_TRUE@am__append_37 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_38 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_39 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_40 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PGP_TRUE@am__append_41 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_42 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_43 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_44 = plugins/dnskey/libstrongswan-dnskey.la +@USE_PEM_TRUE@am__append_45 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_46 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_47 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_48 = plugins/curl/libstrongswan-curl.la +@USE_SOUP_TRUE@am__append_49 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_50 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_51 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_52 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_53 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_54 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_55 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_56 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_57 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_58 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_59 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_60 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_61 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_62 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_63 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_64 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_65 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_66 = plugins/agent/libstrongswan-agent.la +@USE_PKCS11_TRUE@am__append_67 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_68 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_69 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_70 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_71 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_72 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_73 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_74 = plugins/gcm/libstrongswan-gcm.la +@USE_TEST_VECTORS_TRUE@am__append_75 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_76 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -162,7 +168,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ - $(am__append_66) $(am__append_68) $(am__append_70) + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ @@ -187,8 +194,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ - credentials/certificates/x509.h \ - credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -238,7 +244,7 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \ credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ - x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ + crl.lo ocsp_response.lo ietf_attributes.lo \ credential_manager.lo auth_cfg_wrapper.lo \ ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \ callback_cred.lo auth_cfg.lo database_factory.lo \ @@ -278,14 +284,16 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ - plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \ - plugins/random plugins/hmac plugins/xcbc plugins/x509 \ - plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ - plugins/dnskey plugins/pem plugins/curl plugins/ldap \ - plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \ - plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors +DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ + plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \ + plugins/sha2 plugins/gmp plugins/random plugins/hmac \ + plugins/xcbc plugins/x509 plugins/revocation \ + plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pgp \ + plugins/dnskey plugins/pem plugins/curl plugins/soup \ + plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ + plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ + plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \ + plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -431,9 +439,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -472,6 +478,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -507,8 +515,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ - credentials/certificates/x509.h \ - credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -559,7 +566,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ - $(am__append_66) $(am__append_68) $(am__append_70) + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -592,7 +600,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) +@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ +@MONOLITHIC_FALSE@ $(am__append_75) # build plugins with their own Makefile ####################################### @@ -611,7 +621,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) +@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ +@MONOLITHIC_TRUE@ $(am__append_75) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -749,7 +761,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -933,13 +944,6 @@ certificate.lo: credentials/certificates/certificate.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c -x509.lo: credentials/certificates/x509.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/certificates/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c - crl.lo: credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 6f549d42d..f80c2b93b 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -123,6 +123,100 @@ chunk_t asn1_build_known_oid(int n) return oid; } +/* + * Defined in header. + */ +chunk_t asn1_oid_from_string(char *str) +{ + enumerator_t *enumerator; + u_char buf[32]; + char *end; + int i = 0, pos = 0; + u_int val, first = 0; + + enumerator = enumerator_create_token(str, ".", ""); + while (enumerator->enumerate(enumerator, &str)) + { + val = strtoul(str, &end, 10); + if (end == str || pos > countof(buf)) + { + pos = 0; + break; + } + switch (i++) + { + case 0: + first = val; + break; + case 1: + buf[pos++] = first * 40 + val; + break; + default: + if (val < 128) + { + buf[pos++] = val; + } + else + { + buf[pos++] = 128 | (val >> 7); + buf[pos++] = (val % 256) & 0x7F; + } + break; + } + } + enumerator->destroy(enumerator); + + return chunk_clone(chunk_create(buf, pos)); +} + +/* + * Defined in header. + */ +char *asn1_oid_to_string(chunk_t oid) +{ + char buf[64], *pos = buf; + int len; + u_int val; + + if (!oid.len) + { + return NULL; + } + val = oid.ptr[0] / 40; + len = snprintf(buf, sizeof(buf), "%d.%d", val, oid.ptr[0] - val * 40); + oid = chunk_skip(oid, 1); + if (len < 0 || len >= sizeof(buf)) + { + return NULL; + } + pos += len; + + while (oid.len) + { + if (oid.ptr[0] < 128) + { + len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", oid.ptr[0]); + oid = chunk_skip(oid, 1); + } + else + { + if (oid.len == 1) + { + return NULL; + } + val = ((u_int)(oid.ptr[0] & 0x7F) << 7) + oid.ptr[1]; + len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", val); + oid = chunk_skip(oid, 2); + } + if (len < 0 || len >= sizeof(buf) + buf - pos) + { + return NULL; + } + pos += len; + } + return strdup(buf); +} + /* * Defined in header. */ diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 866c28095..05a060827 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -114,6 +114,22 @@ int asn1_known_oid(chunk_t object); */ chunk_t asn1_build_known_oid(int n); +/** + * Convert human readable OID to ASN.1 DER encoding, without OID header. + * + * @param str OID string (e.g. 1.2.345.67.8) + * @return allocated ASN.1 encoded OID, chunk_empty on error + */ +chunk_t asn1_oid_from_string(char *str); + +/** + * Convert a DER encoded ASN.1 OID to a human readable string. + * + * @param oid DER encoded OID, without header + * @return human readable OID string, allocated, NULL on error + */ +char* asn1_oid_to_string(chunk_t oid); + /** * Returns the length of an ASN.1 object * The blob pointer is advanced past the tag length fields diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c index 3e5bbbabd..2a7a38a52 100644 --- a/src/libstrongswan/asn1/asn1_parser.c +++ b/src/libstrongswan/asn1/asn1_parser.c @@ -78,10 +78,8 @@ struct private_asn1_parser_t { chunk_t blobs[ASN1_MAX_LEVEL + 2]; }; -/** - * Implementation of asn1_parser_t.iterate - */ -static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object) +METHOD(asn1_parser_t, iterate, bool, + private_asn1_parser_t *this, int *objectID, chunk_t *object) { chunk_t *blob, *blob1; u_char *start_ptr; @@ -234,43 +232,33 @@ end: return this->success; } -/** - * Implementation of asn1_parser_t.get_level - */ -static u_int get_level(private_asn1_parser_t *this) +METHOD(asn1_parser_t, get_level, u_int, +private_asn1_parser_t *this) { return this->level0 + this->objects[this->line].level; } -/** - * Implementation of asn1_parser_t.set_top_level - */ -static void set_top_level(private_asn1_parser_t *this, u_int level0) +METHOD(asn1_parser_t, set_top_level, void, + private_asn1_parser_t *this, u_int level0) { this->level0 = level0; } -/** - * Implementation of asn1_parser_t.set_flags - */ -static void set_flags(private_asn1_parser_t *this, bool implicit, bool private) +METHOD(asn1_parser_t, set_flags, void, + private_asn1_parser_t *this, bool implicit, bool private) { this->implicit = implicit; this->private = private; } -/** - * Implementation of asn1_parser_t.success - */ -static bool success(private_asn1_parser_t *this) +METHOD(asn1_parser_t, success, bool, + private_asn1_parser_t *this) { return this->success; } -/** - * Implementation of asn1_parser_t.destroy - */ -static void destroy(private_asn1_parser_t *this) +METHOD(asn1_parser_t, destroy, void, + private_asn1_parser_t *this) { free(this); } @@ -280,20 +268,22 @@ static void destroy(private_asn1_parser_t *this) */ asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob) { - private_asn1_parser_t *this = malloc_thing(private_asn1_parser_t); - - memset(this, '\0', sizeof(private_asn1_parser_t)); - this->objects = objects; - this->blobs[0] = blob; - this->line = -1; - this->success = TRUE; - - this->public.iterate = (bool (*)(asn1_parser_t*, int*, chunk_t*))iterate; - this->public.get_level = (u_int (*)(asn1_parser_t*))get_level; - this->public.set_top_level = (void (*)(asn1_parser_t*, u_int))set_top_level; - this->public.set_flags = (void (*)(asn1_parser_t*, bool, bool))set_flags; - this->public.success = (bool (*)(asn1_parser_t*))success; - this->public.destroy = (void (*)(asn1_parser_t*))destroy; + private_asn1_parser_t *this; + + INIT(this, + .public = { + .iterate = _iterate, + .get_level = _get_level, + .set_top_level = _set_top_level, + .set_flags = _set_flags, + .success = _success, + .destroy = _destroy, + }, + .objects = objects, + .blobs[0] = blob, + .line = -1, + .success = TRUE, + ); return &this->public; } diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 1e5dec8a5..57a00a39e 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -10,360 +10,363 @@ #include "oid.h" const oid_t oid_names[] = { - {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ - { 0x82, 0, 1, 1, "" }, /* 1 */ - { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ - { 0x01, 0, 1, 3, "Deutsche Telekom AG" }, /* 3 */ - { 0x0A, 0, 1, 4, "" }, /* 4 */ - { 0x07, 0, 1, 5, "" }, /* 5 */ - { 0x14, 0, 0, 6, "ND" }, /* 6 */ - {0x09, 18, 1, 0, "data" }, /* 7 */ - { 0x92, 0, 1, 1, "" }, /* 8 */ - { 0x26, 0, 1, 2, "" }, /* 9 */ - { 0x89, 0, 1, 3, "" }, /* 10 */ - { 0x93, 0, 1, 4, "" }, /* 11 */ - { 0xF2, 0, 1, 5, "" }, /* 12 */ - { 0x2C, 0, 1, 6, "" }, /* 13 */ - { 0x64, 0, 1, 7, "pilot" }, /* 14 */ - { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ - { 0x01, 17, 0, 9, "UID" }, /* 16 */ - { 0x19, 0, 0, 9, "DC" }, /* 17 */ - {0x55, 64, 1, 0, "X.500" }, /* 18 */ - { 0x04, 36, 1, 1, "X.509" }, /* 19 */ - { 0x03, 21, 0, 2, "CN" }, /* 20 */ - { 0x04, 22, 0, 2, "S" }, /* 21 */ - { 0x05, 23, 0, 2, "SN" }, /* 22 */ - { 0x06, 24, 0, 2, "C" }, /* 23 */ - { 0x07, 25, 0, 2, "L" }, /* 24 */ - { 0x08, 26, 0, 2, "ST" }, /* 25 */ - { 0x0A, 27, 0, 2, "O" }, /* 26 */ - { 0x0B, 28, 0, 2, "OU" }, /* 27 */ - { 0x0C, 29, 0, 2, "T" }, /* 28 */ - { 0x0D, 30, 0, 2, "D" }, /* 29 */ - { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ - { 0x29, 32, 0, 2, "N" }, /* 31 */ - { 0x2A, 33, 0, 2, "G" }, /* 32 */ - { 0x2B, 34, 0, 2, "I" }, /* 33 */ - { 0x2D, 35, 0, 2, "ID" }, /* 34 */ - { 0x48, 0, 0, 2, "role" }, /* 35 */ - { 0x1D, 0, 1, 1, "id-ce" }, /* 36 */ - { 0x09, 38, 0, 2, "subjectDirectoryAttrs" }, /* 37 */ - { 0x0E, 39, 0, 2, "subjectKeyIdentifier" }, /* 38 */ - { 0x0F, 40, 0, 2, "keyUsage" }, /* 39 */ - { 0x10, 41, 0, 2, "privateKeyUsagePeriod" }, /* 40 */ - { 0x11, 42, 0, 2, "subjectAltName" }, /* 41 */ - { 0x12, 43, 0, 2, "issuerAltName" }, /* 42 */ - { 0x13, 44, 0, 2, "basicConstraints" }, /* 43 */ - { 0x14, 45, 0, 2, "crlNumber" }, /* 44 */ - { 0x15, 46, 0, 2, "reasonCode" }, /* 45 */ - { 0x17, 47, 0, 2, "holdInstructionCode" }, /* 46 */ - { 0x18, 48, 0, 2, "invalidityDate" }, /* 47 */ - { 0x1B, 49, 0, 2, "deltaCrlIndicator" }, /* 48 */ - { 0x1C, 50, 0, 2, "issuingDistributionPoint" }, /* 49 */ - { 0x1D, 51, 0, 2, "certificateIssuer" }, /* 50 */ - { 0x1E, 52, 0, 2, "nameConstraints" }, /* 51 */ - { 0x1F, 53, 0, 2, "crlDistributionPoints" }, /* 52 */ - { 0x20, 55, 1, 2, "certificatePolicies" }, /* 53 */ - { 0x00, 0, 0, 3, "anyPolicy" }, /* 54 */ - { 0x21, 56, 0, 2, "policyMappings" }, /* 55 */ - { 0x23, 57, 0, 2, "authorityKeyIdentifier" }, /* 56 */ - { 0x24, 58, 0, 2, "policyConstraints" }, /* 57 */ - { 0x25, 60, 1, 2, "extendedKeyUsage" }, /* 58 */ - { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 59 */ - { 0x2E, 61, 0, 2, "freshestCRL" }, /* 60 */ - { 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */ - { 0x37, 63, 0, 2, "targetInformation" }, /* 62 */ - { 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */ - {0x2A, 161, 1, 0, "" }, /* 64 */ - { 0x83, 77, 1, 1, "" }, /* 65 */ - { 0x08, 0, 1, 2, "jp" }, /* 66 */ - { 0x8C, 0, 1, 3, "" }, /* 67 */ - { 0x9A, 0, 1, 4, "" }, /* 68 */ - { 0x4B, 0, 1, 5, "" }, /* 69 */ - { 0x3D, 0, 1, 6, "" }, /* 70 */ - { 0x01, 0, 1, 7, "security" }, /* 71 */ - { 0x01, 0, 1, 8, "algorithm" }, /* 72 */ - { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 73 */ - { 0x02, 75, 0, 10, "camellia128-cbc" }, /* 74 */ - { 0x03, 76, 0, 10, "camellia192-cbc" }, /* 75 */ - { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */ - { 0x86, 0, 1, 1, "" }, /* 77 */ - { 0x48, 0, 1, 2, "us" }, /* 78 */ - { 0x86, 120, 1, 3, "" }, /* 79 */ - { 0xF6, 85, 1, 4, "" }, /* 80 */ - { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */ - { 0x07, 0, 1, 6, "Entrust" }, /* 82 */ - { 0x41, 0, 1, 7, "nsn-ce" }, /* 83 */ - { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */ - { 0xF7, 0, 1, 4, "" }, /* 85 */ - { 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */ - { 0x01, 115, 1, 6, "PKCS" }, /* 87 */ - { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */ - { 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */ - { 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */ - { 0x04, 92, 0, 8, "md5WithRSAEncryption" }, /* 91 */ - { 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */ - { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */ - { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */ - { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */ - { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */ - { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */ - { 0x01, 99, 0, 8, "data" }, /* 98 */ - { 0x02, 100, 0, 8, "signedData" }, /* 99 */ - { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */ - { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */ - { 0x05, 103, 0, 8, "digestedData" }, /* 102 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */ - { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */ - { 0x01, 106, 0, 8, "E" }, /* 105 */ - { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */ - { 0x03, 108, 0, 8, "contentType" }, /* 107 */ - { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */ - { 0x05, 110, 0, 8, "signingTime" }, /* 109 */ - { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */ - { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */ - { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */ - { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */ - { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */ - { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */ - { 0x02, 117, 0, 7, "md2" }, /* 116 */ - { 0x05, 0, 0, 7, "md5" }, /* 117 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */ - { 0xCE, 0, 1, 3, "" }, /* 120 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */ - { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */ - { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */ - { 0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */ - { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */ - { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */ - { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */ - { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */ - { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */ - { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */ - { 0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */ - { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */ - { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */ - { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */ - { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */ - { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */ - { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */ - { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */ - { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */ - { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */ - { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */ - { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */ - { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */ - { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */ - { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */ - { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */ - { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */ - { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */ - { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */ - { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */ - { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */ - { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */ - { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ - { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ - { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ - {0x2B, 309, 1, 0, "" }, /* 161 */ - { 0x06, 223, 1, 1, "dod" }, /* 162 */ - { 0x01, 0, 1, 2, "internet" }, /* 163 */ - { 0x04, 183, 1, 3, "private" }, /* 164 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ - { 0x82, 176, 1, 5, "" }, /* 166 */ - { 0x37, 0, 1, 6, "Microsoft" }, /* 167 */ - { 0x0A, 172, 1, 7, "" }, /* 168 */ - { 0x03, 0, 1, 8, "" }, /* 169 */ - { 0x03, 171, 0, 9, "msSGC" }, /* 170 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ - { 0x02, 175, 0, 9, "msSmartcardLogon" }, /* 174 */ - { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ - { 0x89, 0, 1, 5, "" }, /* 176 */ - { 0x31, 0, 1, 6, "" }, /* 177 */ - { 0x01, 0, 1, 7, "" }, /* 178 */ - { 0x01, 0, 1, 8, "" }, /* 179 */ - { 0x02, 0, 1, 9, "" }, /* 180 */ - { 0x02, 182, 0, 10, "" }, /* 181 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 182 */ - { 0x05, 0, 1, 3, "security" }, /* 183 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 184 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 185 */ - { 0x01, 190, 1, 6, "id-pe" }, /* 186 */ - { 0x01, 188, 0, 7, "authorityInfoAccess" }, /* 187 */ - { 0x03, 189, 0, 7, "qcStatements" }, /* 188 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 189 */ - { 0x02, 193, 1, 6, "id-qt" }, /* 190 */ - { 0x01, 192, 0, 7, "cps" }, /* 191 */ - { 0x02, 0, 0, 7, "unotice" }, /* 192 */ - { 0x03, 203, 1, 6, "id-kp" }, /* 193 */ - { 0x01, 195, 0, 7, "serverAuth" }, /* 194 */ - { 0x02, 196, 0, 7, "clientAuth" }, /* 195 */ - { 0x03, 197, 0, 7, "codeSigning" }, /* 196 */ - { 0x04, 198, 0, 7, "emailProtection" }, /* 197 */ - { 0x05, 199, 0, 7, "ipsecEndSystem" }, /* 198 */ - { 0x06, 200, 0, 7, "ipsecTunnel" }, /* 199 */ - { 0x07, 201, 0, 7, "ipsecUser" }, /* 200 */ - { 0x08, 202, 0, 7, "timeStamping" }, /* 201 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 202 */ - { 0x08, 205, 1, 6, "id-otherNames" }, /* 203 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 204 */ - { 0x0A, 210, 1, 6, "id-aca" }, /* 205 */ - { 0x01, 207, 0, 7, "authenticationInfo" }, /* 206 */ - { 0x02, 208, 0, 7, "accessIdentity" }, /* 207 */ - { 0x03, 209, 0, 7, "chargingIdentity" }, /* 208 */ - { 0x04, 0, 0, 7, "group" }, /* 209 */ - { 0x0B, 211, 0, 6, "subjectInfoAccess" }, /* 210 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 211 */ - { 0x01, 220, 1, 7, "ocsp" }, /* 212 */ - { 0x01, 214, 0, 8, "basic" }, /* 213 */ - { 0x02, 215, 0, 8, "nonce" }, /* 214 */ - { 0x03, 216, 0, 8, "crl" }, /* 215 */ - { 0x04, 217, 0, 8, "response" }, /* 216 */ - { 0x05, 218, 0, 8, "noCheck" }, /* 217 */ - { 0x06, 219, 0, 8, "archiveCutoff" }, /* 218 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 219 */ - { 0x02, 221, 0, 7, "caIssuers" }, /* 220 */ - { 0x03, 222, 0, 7, "timeStamping" }, /* 221 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 222 */ - { 0x0E, 229, 1, 1, "oiw" }, /* 223 */ - { 0x03, 0, 1, 2, "secsig" }, /* 224 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 225 */ - { 0x07, 227, 0, 4, "des-cbc" }, /* 226 */ - { 0x1A, 228, 0, 4, "sha-1" }, /* 227 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 228 */ - { 0x24, 275, 1, 1, "TeleTrusT" }, /* 229 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 230 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 231 */ - { 0x01, 236, 1, 4, "rsaSignature" }, /* 232 */ - { 0x02, 234, 0, 5, "rsaSigWithripemd160" }, /* 233 */ - { 0x03, 235, 0, 5, "rsaSigWithripemd128" }, /* 234 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 235 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 236 */ - { 0x01, 238, 0, 5, "ecSignWithsha1" }, /* 237 */ - { 0x02, 239, 0, 5, "ecSignWithripemd160" }, /* 238 */ - { 0x03, 240, 0, 5, "ecSignWithmd2" }, /* 239 */ - { 0x04, 241, 0, 5, "ecSignWithmd5" }, /* 240 */ - { 0x05, 258, 1, 5, "ttt-ecg" }, /* 241 */ - { 0x01, 246, 1, 6, "fieldType" }, /* 242 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 243 */ - { 0x01, 0, 1, 8, "basisType" }, /* 244 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 245 */ - { 0x02, 248, 1, 6, "keyType" }, /* 246 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 247 */ - { 0x03, 249, 0, 6, "curve" }, /* 248 */ - { 0x04, 256, 1, 6, "signatures" }, /* 249 */ - { 0x01, 251, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 250 */ - { 0x02, 252, 0, 7, "ecgdsa-with-SHA1" }, /* 251 */ - { 0x03, 253, 0, 7, "ecgdsa-with-SHA224" }, /* 252 */ - { 0x04, 254, 0, 7, "ecgdsa-with-SHA256" }, /* 253 */ - { 0x05, 255, 0, 7, "ecgdsa-with-SHA384" }, /* 254 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 255 */ - { 0x05, 0, 1, 6, "module" }, /* 256 */ - { 0x01, 0, 0, 7, "1" }, /* 257 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 258 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 259 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 260 */ - { 0x01, 262, 0, 8, "brainpoolP160r1" }, /* 261 */ - { 0x02, 263, 0, 8, "brainpoolP160t1" }, /* 262 */ - { 0x03, 264, 0, 8, "brainpoolP192r1" }, /* 263 */ - { 0x04, 265, 0, 8, "brainpoolP192t1" }, /* 264 */ - { 0x05, 266, 0, 8, "brainpoolP224r1" }, /* 265 */ - { 0x06, 267, 0, 8, "brainpoolP224t1" }, /* 266 */ - { 0x07, 268, 0, 8, "brainpoolP256r1" }, /* 267 */ - { 0x08, 269, 0, 8, "brainpoolP256t1" }, /* 268 */ - { 0x09, 270, 0, 8, "brainpoolP320r1" }, /* 269 */ - { 0x0A, 271, 0, 8, "brainpoolP320t1" }, /* 270 */ - { 0x0B, 272, 0, 8, "brainpoolP384r1" }, /* 271 */ - { 0x0C, 273, 0, 8, "brainpoolP384t1" }, /* 272 */ - { 0x0D, 274, 0, 8, "brainpoolP512r1" }, /* 273 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 274 */ - { 0x81, 0, 1, 1, "" }, /* 275 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 276 */ - { 0x00, 0, 1, 3, "curve" }, /* 277 */ - { 0x01, 279, 0, 4, "sect163k1" }, /* 278 */ - { 0x02, 280, 0, 4, "sect163r1" }, /* 279 */ - { 0x03, 281, 0, 4, "sect239k1" }, /* 280 */ - { 0x04, 282, 0, 4, "sect113r1" }, /* 281 */ - { 0x05, 283, 0, 4, "sect113r2" }, /* 282 */ - { 0x06, 284, 0, 4, "secp112r1" }, /* 283 */ - { 0x07, 285, 0, 4, "secp112r2" }, /* 284 */ - { 0x08, 286, 0, 4, "secp160r1" }, /* 285 */ - { 0x09, 287, 0, 4, "secp160k1" }, /* 286 */ - { 0x0A, 288, 0, 4, "secp256k1" }, /* 287 */ - { 0x0F, 289, 0, 4, "sect163r2" }, /* 288 */ - { 0x10, 290, 0, 4, "sect283k1" }, /* 289 */ - { 0x11, 291, 0, 4, "sect283r1" }, /* 290 */ - { 0x16, 292, 0, 4, "sect131r1" }, /* 291 */ - { 0x17, 293, 0, 4, "sect131r2" }, /* 292 */ - { 0x18, 294, 0, 4, "sect193r1" }, /* 293 */ - { 0x19, 295, 0, 4, "sect193r2" }, /* 294 */ - { 0x1A, 296, 0, 4, "sect233k1" }, /* 295 */ - { 0x1B, 297, 0, 4, "sect233r1" }, /* 296 */ - { 0x1C, 298, 0, 4, "secp128r1" }, /* 297 */ - { 0x1D, 299, 0, 4, "secp128r2" }, /* 298 */ - { 0x1E, 300, 0, 4, "secp160r2" }, /* 299 */ - { 0x1F, 301, 0, 4, "secp192k1" }, /* 300 */ - { 0x20, 302, 0, 4, "secp224k1" }, /* 301 */ - { 0x21, 303, 0, 4, "secp224r1" }, /* 302 */ - { 0x22, 304, 0, 4, "secp384r1" }, /* 303 */ - { 0x23, 305, 0, 4, "secp521r1" }, /* 304 */ - { 0x24, 306, 0, 4, "sect409k1" }, /* 305 */ - { 0x25, 307, 0, 4, "sect409r1" }, /* 306 */ - { 0x26, 308, 0, 4, "sect571k1" }, /* 307 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 308 */ - {0x60, 0, 1, 0, "" }, /* 309 */ - { 0x86, 0, 1, 1, "" }, /* 310 */ - { 0x48, 0, 1, 2, "" }, /* 311 */ - { 0x01, 0, 1, 3, "organization" }, /* 312 */ - { 0x65, 331, 1, 4, "gov" }, /* 313 */ - { 0x03, 0, 1, 5, "csor" }, /* 314 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 315 */ - { 0x01, 326, 1, 7, "aes" }, /* 316 */ - { 0x02, 318, 0, 8, "id-aes128-CBC" }, /* 317 */ - { 0x06, 319, 0, 8, "id-aes128-GCM" }, /* 318 */ - { 0x07, 320, 0, 8, "id-aes128-CCM" }, /* 319 */ - { 0x16, 321, 0, 8, "id-aes192-CBC" }, /* 320 */ - { 0x1A, 322, 0, 8, "id-aes192-GCM" }, /* 321 */ - { 0x1B, 323, 0, 8, "id-aes192-CCM" }, /* 322 */ - { 0x2A, 324, 0, 8, "id-aes256-CBC" }, /* 323 */ - { 0x2E, 325, 0, 8, "id-aes256-GCM" }, /* 324 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 325 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 326 */ - { 0x01, 328, 0, 8, "id-SHA-256" }, /* 327 */ - { 0x02, 329, 0, 8, "id-SHA-384" }, /* 328 */ - { 0x03, 330, 0, 8, "id-SHA-512" }, /* 329 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 330 */ - { 0x86, 0, 1, 4, "" }, /* 331 */ - { 0xf8, 0, 1, 5, "" }, /* 332 */ - { 0x42, 345, 1, 6, "netscape" }, /* 333 */ - { 0x01, 340, 1, 7, "" }, /* 334 */ - { 0x01, 336, 0, 8, "nsCertType" }, /* 335 */ - { 0x03, 337, 0, 8, "nsRevocationUrl" }, /* 336 */ - { 0x04, 338, 0, 8, "nsCaRevocationUrl" }, /* 337 */ - { 0x08, 339, 0, 8, "nsCaPolicyUrl" }, /* 338 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 339 */ - { 0x03, 343, 1, 7, "directory" }, /* 340 */ - { 0x01, 0, 1, 8, "" }, /* 341 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 342 */ - { 0x04, 0, 1, 7, "policy" }, /* 343 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 344 */ - { 0x45, 0, 1, 6, "verisign" }, /* 345 */ - { 0x01, 0, 1, 7, "pki" }, /* 346 */ - { 0x09, 0, 1, 8, "attributes" }, /* 347 */ - { 0x02, 349, 0, 9, "messageType" }, /* 348 */ - { 0x03, 350, 0, 9, "pkiStatus" }, /* 349 */ - { 0x04, 351, 0, 9, "failInfo" }, /* 350 */ - { 0x05, 352, 0, 9, "senderNonce" }, /* 351 */ - { 0x06, 353, 0, 9, "recipientNonce" }, /* 352 */ - { 0x07, 354, 0, 9, "transID" }, /* 353 */ - { 0x08, 355, 0, 9, "extensionReq" }, /* 354 */ - { 0x08, 0, 0, 9, "extensionReq" } /* 355 */ + {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ + { 0x82, 0, 1, 1, "" }, /* 1 */ + { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ + { 0x01, 0, 1, 3, "Deutsche Telekom AG" }, /* 3 */ + { 0x0A, 0, 1, 4, "" }, /* 4 */ + { 0x07, 0, 1, 5, "" }, /* 5 */ + { 0x14, 0, 0, 6, "ND" }, /* 6 */ + {0x09, 18, 1, 0, "data" }, /* 7 */ + { 0x92, 0, 1, 1, "" }, /* 8 */ + { 0x26, 0, 1, 2, "" }, /* 9 */ + { 0x89, 0, 1, 3, "" }, /* 10 */ + { 0x93, 0, 1, 4, "" }, /* 11 */ + { 0xF2, 0, 1, 5, "" }, /* 12 */ + { 0x2C, 0, 1, 6, "" }, /* 13 */ + { 0x64, 0, 1, 7, "pilot" }, /* 14 */ + { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ + { 0x01, 17, 0, 9, "UID" }, /* 16 */ + { 0x19, 0, 0, 9, "DC" }, /* 17 */ + {0x55, 64, 1, 0, "X.500" }, /* 18 */ + { 0x04, 36, 1, 1, "X.509" }, /* 19 */ + { 0x03, 21, 0, 2, "CN" }, /* 20 */ + { 0x04, 22, 0, 2, "S" }, /* 21 */ + { 0x05, 23, 0, 2, "SN" }, /* 22 */ + { 0x06, 24, 0, 2, "C" }, /* 23 */ + { 0x07, 25, 0, 2, "L" }, /* 24 */ + { 0x08, 26, 0, 2, "ST" }, /* 25 */ + { 0x0A, 27, 0, 2, "O" }, /* 26 */ + { 0x0B, 28, 0, 2, "OU" }, /* 27 */ + { 0x0C, 29, 0, 2, "T" }, /* 28 */ + { 0x0D, 30, 0, 2, "D" }, /* 29 */ + { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ + { 0x29, 32, 0, 2, "N" }, /* 31 */ + { 0x2A, 33, 0, 2, "G" }, /* 32 */ + { 0x2B, 34, 0, 2, "I" }, /* 33 */ + { 0x2D, 35, 0, 2, "ID" }, /* 34 */ + { 0x48, 0, 0, 2, "role" }, /* 35 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 36 */ + { 0x09, 38, 0, 2, "subjectDirectoryAttrs" }, /* 37 */ + { 0x0E, 39, 0, 2, "subjectKeyIdentifier" }, /* 38 */ + { 0x0F, 40, 0, 2, "keyUsage" }, /* 39 */ + { 0x10, 41, 0, 2, "privateKeyUsagePeriod" }, /* 40 */ + { 0x11, 42, 0, 2, "subjectAltName" }, /* 41 */ + { 0x12, 43, 0, 2, "issuerAltName" }, /* 42 */ + { 0x13, 44, 0, 2, "basicConstraints" }, /* 43 */ + { 0x14, 45, 0, 2, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, 2, "reasonCode" }, /* 45 */ + { 0x17, 47, 0, 2, "holdInstructionCode" }, /* 46 */ + { 0x18, 48, 0, 2, "invalidityDate" }, /* 47 */ + { 0x1B, 49, 0, 2, "deltaCrlIndicator" }, /* 48 */ + { 0x1C, 50, 0, 2, "issuingDistributionPoint" }, /* 49 */ + { 0x1D, 51, 0, 2, "certificateIssuer" }, /* 50 */ + { 0x1E, 52, 0, 2, "nameConstraints" }, /* 51 */ + { 0x1F, 53, 0, 2, "crlDistributionPoints" }, /* 52 */ + { 0x20, 55, 1, 2, "certificatePolicies" }, /* 53 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 54 */ + { 0x21, 56, 0, 2, "policyMappings" }, /* 55 */ + { 0x23, 57, 0, 2, "authorityKeyIdentifier" }, /* 56 */ + { 0x24, 58, 0, 2, "policyConstraints" }, /* 57 */ + { 0x25, 60, 1, 2, "extendedKeyUsage" }, /* 58 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 59 */ + { 0x2E, 61, 0, 2, "freshestCRL" }, /* 60 */ + { 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */ + { 0x37, 63, 0, 2, "targetInformation" }, /* 62 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */ + {0x2A, 161, 1, 0, "" }, /* 64 */ + { 0x83, 77, 1, 1, "" }, /* 65 */ + { 0x08, 0, 1, 2, "jp" }, /* 66 */ + { 0x8C, 0, 1, 3, "" }, /* 67 */ + { 0x9A, 0, 1, 4, "" }, /* 68 */ + { 0x4B, 0, 1, 5, "" }, /* 69 */ + { 0x3D, 0, 1, 6, "" }, /* 70 */ + { 0x01, 0, 1, 7, "security" }, /* 71 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 72 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 73 */ + { 0x02, 75, 0, 10, "camellia128-cbc" }, /* 74 */ + { 0x03, 76, 0, 10, "camellia192-cbc" }, /* 75 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */ + { 0x86, 0, 1, 1, "" }, /* 77 */ + { 0x48, 0, 1, 2, "us" }, /* 78 */ + { 0x86, 120, 1, 3, "" }, /* 79 */ + { 0xF6, 85, 1, 4, "" }, /* 80 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 82 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 83 */ + { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */ + { 0xF7, 0, 1, 4, "" }, /* 85 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */ + { 0x01, 115, 1, 6, "PKCS" }, /* 87 */ + { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */ + { 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */ + { 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */ + { 0x04, 92, 0, 8, "md5WithRSAEncryption" }, /* 91 */ + { 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */ + { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */ + { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */ + { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */ + { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */ + { 0x01, 99, 0, 8, "data" }, /* 98 */ + { 0x02, 100, 0, 8, "signedData" }, /* 99 */ + { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */ + { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */ + { 0x05, 103, 0, 8, "digestedData" }, /* 102 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */ + { 0x01, 106, 0, 8, "E" }, /* 105 */ + { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */ + { 0x03, 108, 0, 8, "contentType" }, /* 107 */ + { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */ + { 0x05, 110, 0, 8, "signingTime" }, /* 109 */ + { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */ + { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */ + { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */ + { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */ + { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */ + { 0x02, 117, 0, 7, "md2" }, /* 116 */ + { 0x05, 0, 0, 7, "md5" }, /* 117 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */ + { 0xCE, 0, 1, 3, "" }, /* 120 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */ + { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */ + { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */ + { 0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */ + { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */ + { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */ + { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */ + { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */ + { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */ + { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */ + { 0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */ + { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */ + { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */ + { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */ + { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */ + { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */ + { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */ + { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */ + { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */ + { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */ + { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */ + { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */ + { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */ + { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */ + { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */ + { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */ + { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */ + { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */ + { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */ + { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */ + { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */ + { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ + { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ + {0x2B, 312, 1, 0, "" }, /* 161 */ + { 0x06, 226, 1, 1, "dod" }, /* 162 */ + { 0x01, 0, 1, 2, "internet" }, /* 163 */ + { 0x04, 186, 1, 3, "private" }, /* 164 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ + { 0x82, 179, 1, 5, "" }, /* 166 */ + { 0x37, 176, 1, 6, "Microsoft" }, /* 167 */ + { 0x0A, 172, 1, 7, "" }, /* 168 */ + { 0x03, 0, 1, 8, "" }, /* 169 */ + { 0x03, 171, 0, 9, "msSGC" }, /* 170 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ + { 0x02, 175, 0, 9, "msSmartcardLogon" }, /* 174 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ + { 0xA0, 0, 1, 6, "" }, /* 176 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 177 */ + { 0x01, 0, 0, 8, "strongSwan" }, /* 178 */ + { 0x89, 0, 1, 5, "" }, /* 179 */ + { 0x31, 0, 1, 6, "" }, /* 180 */ + { 0x01, 0, 1, 7, "" }, /* 181 */ + { 0x01, 0, 1, 8, "" }, /* 182 */ + { 0x02, 0, 1, 9, "" }, /* 183 */ + { 0x02, 0, 1, 10, "" }, /* 184 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 185 */ + { 0x05, 0, 1, 3, "security" }, /* 186 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 187 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 188 */ + { 0x01, 193, 1, 6, "id-pe" }, /* 189 */ + { 0x01, 191, 0, 7, "authorityInfoAccess" }, /* 190 */ + { 0x03, 192, 0, 7, "qcStatements" }, /* 191 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 192 */ + { 0x02, 196, 1, 6, "id-qt" }, /* 193 */ + { 0x01, 195, 0, 7, "cps" }, /* 194 */ + { 0x02, 0, 0, 7, "unotice" }, /* 195 */ + { 0x03, 206, 1, 6, "id-kp" }, /* 196 */ + { 0x01, 198, 0, 7, "serverAuth" }, /* 197 */ + { 0x02, 199, 0, 7, "clientAuth" }, /* 198 */ + { 0x03, 200, 0, 7, "codeSigning" }, /* 199 */ + { 0x04, 201, 0, 7, "emailProtection" }, /* 200 */ + { 0x05, 202, 0, 7, "ipsecEndSystem" }, /* 201 */ + { 0x06, 203, 0, 7, "ipsecTunnel" }, /* 202 */ + { 0x07, 204, 0, 7, "ipsecUser" }, /* 203 */ + { 0x08, 205, 0, 7, "timeStamping" }, /* 204 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 205 */ + { 0x08, 208, 1, 6, "id-otherNames" }, /* 206 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 207 */ + { 0x0A, 213, 1, 6, "id-aca" }, /* 208 */ + { 0x01, 210, 0, 7, "authenticationInfo" }, /* 209 */ + { 0x02, 211, 0, 7, "accessIdentity" }, /* 210 */ + { 0x03, 212, 0, 7, "chargingIdentity" }, /* 211 */ + { 0x04, 0, 0, 7, "group" }, /* 212 */ + { 0x0B, 214, 0, 6, "subjectInfoAccess" }, /* 213 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 214 */ + { 0x01, 223, 1, 7, "ocsp" }, /* 215 */ + { 0x01, 217, 0, 8, "basic" }, /* 216 */ + { 0x02, 218, 0, 8, "nonce" }, /* 217 */ + { 0x03, 219, 0, 8, "crl" }, /* 218 */ + { 0x04, 220, 0, 8, "response" }, /* 219 */ + { 0x05, 221, 0, 8, "noCheck" }, /* 220 */ + { 0x06, 222, 0, 8, "archiveCutoff" }, /* 221 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 222 */ + { 0x02, 224, 0, 7, "caIssuers" }, /* 223 */ + { 0x03, 225, 0, 7, "timeStamping" }, /* 224 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 225 */ + { 0x0E, 232, 1, 1, "oiw" }, /* 226 */ + { 0x03, 0, 1, 2, "secsig" }, /* 227 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 228 */ + { 0x07, 230, 0, 4, "des-cbc" }, /* 229 */ + { 0x1A, 231, 0, 4, "sha-1" }, /* 230 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 231 */ + { 0x24, 278, 1, 1, "TeleTrusT" }, /* 232 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 233 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 234 */ + { 0x01, 239, 1, 4, "rsaSignature" }, /* 235 */ + { 0x02, 237, 0, 5, "rsaSigWithripemd160" }, /* 236 */ + { 0x03, 238, 0, 5, "rsaSigWithripemd128" }, /* 237 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 238 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 239 */ + { 0x01, 241, 0, 5, "ecSignWithsha1" }, /* 240 */ + { 0x02, 242, 0, 5, "ecSignWithripemd160" }, /* 241 */ + { 0x03, 243, 0, 5, "ecSignWithmd2" }, /* 242 */ + { 0x04, 244, 0, 5, "ecSignWithmd5" }, /* 243 */ + { 0x05, 261, 1, 5, "ttt-ecg" }, /* 244 */ + { 0x01, 249, 1, 6, "fieldType" }, /* 245 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 246 */ + { 0x01, 0, 1, 8, "basisType" }, /* 247 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 248 */ + { 0x02, 251, 1, 6, "keyType" }, /* 249 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 250 */ + { 0x03, 252, 0, 6, "curve" }, /* 251 */ + { 0x04, 259, 1, 6, "signatures" }, /* 252 */ + { 0x01, 254, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 253 */ + { 0x02, 255, 0, 7, "ecgdsa-with-SHA1" }, /* 254 */ + { 0x03, 256, 0, 7, "ecgdsa-with-SHA224" }, /* 255 */ + { 0x04, 257, 0, 7, "ecgdsa-with-SHA256" }, /* 256 */ + { 0x05, 258, 0, 7, "ecgdsa-with-SHA384" }, /* 257 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 258 */ + { 0x05, 0, 1, 6, "module" }, /* 259 */ + { 0x01, 0, 0, 7, "1" }, /* 260 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 261 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 262 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 263 */ + { 0x01, 265, 0, 8, "brainpoolP160r1" }, /* 264 */ + { 0x02, 266, 0, 8, "brainpoolP160t1" }, /* 265 */ + { 0x03, 267, 0, 8, "brainpoolP192r1" }, /* 266 */ + { 0x04, 268, 0, 8, "brainpoolP192t1" }, /* 267 */ + { 0x05, 269, 0, 8, "brainpoolP224r1" }, /* 268 */ + { 0x06, 270, 0, 8, "brainpoolP224t1" }, /* 269 */ + { 0x07, 271, 0, 8, "brainpoolP256r1" }, /* 270 */ + { 0x08, 272, 0, 8, "brainpoolP256t1" }, /* 271 */ + { 0x09, 273, 0, 8, "brainpoolP320r1" }, /* 272 */ + { 0x0A, 274, 0, 8, "brainpoolP320t1" }, /* 273 */ + { 0x0B, 275, 0, 8, "brainpoolP384r1" }, /* 274 */ + { 0x0C, 276, 0, 8, "brainpoolP384t1" }, /* 275 */ + { 0x0D, 277, 0, 8, "brainpoolP512r1" }, /* 276 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 277 */ + { 0x81, 0, 1, 1, "" }, /* 278 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 279 */ + { 0x00, 0, 1, 3, "curve" }, /* 280 */ + { 0x01, 282, 0, 4, "sect163k1" }, /* 281 */ + { 0x02, 283, 0, 4, "sect163r1" }, /* 282 */ + { 0x03, 284, 0, 4, "sect239k1" }, /* 283 */ + { 0x04, 285, 0, 4, "sect113r1" }, /* 284 */ + { 0x05, 286, 0, 4, "sect113r2" }, /* 285 */ + { 0x06, 287, 0, 4, "secp112r1" }, /* 286 */ + { 0x07, 288, 0, 4, "secp112r2" }, /* 287 */ + { 0x08, 289, 0, 4, "secp160r1" }, /* 288 */ + { 0x09, 290, 0, 4, "secp160k1" }, /* 289 */ + { 0x0A, 291, 0, 4, "secp256k1" }, /* 290 */ + { 0x0F, 292, 0, 4, "sect163r2" }, /* 291 */ + { 0x10, 293, 0, 4, "sect283k1" }, /* 292 */ + { 0x11, 294, 0, 4, "sect283r1" }, /* 293 */ + { 0x16, 295, 0, 4, "sect131r1" }, /* 294 */ + { 0x17, 296, 0, 4, "sect131r2" }, /* 295 */ + { 0x18, 297, 0, 4, "sect193r1" }, /* 296 */ + { 0x19, 298, 0, 4, "sect193r2" }, /* 297 */ + { 0x1A, 299, 0, 4, "sect233k1" }, /* 298 */ + { 0x1B, 300, 0, 4, "sect233r1" }, /* 299 */ + { 0x1C, 301, 0, 4, "secp128r1" }, /* 300 */ + { 0x1D, 302, 0, 4, "secp128r2" }, /* 301 */ + { 0x1E, 303, 0, 4, "secp160r2" }, /* 302 */ + { 0x1F, 304, 0, 4, "secp192k1" }, /* 303 */ + { 0x20, 305, 0, 4, "secp224k1" }, /* 304 */ + { 0x21, 306, 0, 4, "secp224r1" }, /* 305 */ + { 0x22, 307, 0, 4, "secp384r1" }, /* 306 */ + { 0x23, 308, 0, 4, "secp521r1" }, /* 307 */ + { 0x24, 309, 0, 4, "sect409k1" }, /* 308 */ + { 0x25, 310, 0, 4, "sect409r1" }, /* 309 */ + { 0x26, 311, 0, 4, "sect571k1" }, /* 310 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 311 */ + {0x60, 0, 1, 0, "" }, /* 312 */ + { 0x86, 0, 1, 1, "" }, /* 313 */ + { 0x48, 0, 1, 2, "" }, /* 314 */ + { 0x01, 0, 1, 3, "organization" }, /* 315 */ + { 0x65, 334, 1, 4, "gov" }, /* 316 */ + { 0x03, 0, 1, 5, "csor" }, /* 317 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 318 */ + { 0x01, 329, 1, 7, "aes" }, /* 319 */ + { 0x02, 321, 0, 8, "id-aes128-CBC" }, /* 320 */ + { 0x06, 322, 0, 8, "id-aes128-GCM" }, /* 321 */ + { 0x07, 323, 0, 8, "id-aes128-CCM" }, /* 322 */ + { 0x16, 324, 0, 8, "id-aes192-CBC" }, /* 323 */ + { 0x1A, 325, 0, 8, "id-aes192-GCM" }, /* 324 */ + { 0x1B, 326, 0, 8, "id-aes192-CCM" }, /* 325 */ + { 0x2A, 327, 0, 8, "id-aes256-CBC" }, /* 326 */ + { 0x2E, 328, 0, 8, "id-aes256-GCM" }, /* 327 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 328 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 329 */ + { 0x01, 331, 0, 8, "id-SHA-256" }, /* 330 */ + { 0x02, 332, 0, 8, "id-SHA-384" }, /* 331 */ + { 0x03, 333, 0, 8, "id-SHA-512" }, /* 332 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 333 */ + { 0x86, 0, 1, 4, "" }, /* 334 */ + { 0xf8, 0, 1, 5, "" }, /* 335 */ + { 0x42, 348, 1, 6, "netscape" }, /* 336 */ + { 0x01, 343, 1, 7, "" }, /* 337 */ + { 0x01, 339, 0, 8, "nsCertType" }, /* 338 */ + { 0x03, 340, 0, 8, "nsRevocationUrl" }, /* 339 */ + { 0x04, 341, 0, 8, "nsCaRevocationUrl" }, /* 340 */ + { 0x08, 342, 0, 8, "nsCaPolicyUrl" }, /* 341 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 342 */ + { 0x03, 346, 1, 7, "directory" }, /* 343 */ + { 0x01, 0, 1, 8, "" }, /* 344 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 345 */ + { 0x04, 0, 1, 7, "policy" }, /* 346 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 347 */ + { 0x45, 0, 1, 6, "verisign" }, /* 348 */ + { 0x01, 0, 1, 7, "pki" }, /* 349 */ + { 0x09, 0, 1, 8, "attributes" }, /* 350 */ + { 0x02, 352, 0, 9, "messageType" }, /* 351 */ + { 0x03, 353, 0, 9, "pkiStatus" }, /* 352 */ + { 0x04, 354, 0, 9, "failInfo" }, /* 353 */ + { 0x05, 355, 0, 9, "senderNonce" }, /* 354 */ + { 0x06, 356, 0, 9, "recipientNonce" }, /* 355 */ + { 0x07, 357, 0, 9, "transID" }, /* 356 */ + { 0x08, 358, 0, 9, "extensionReq" }, /* 357 */ + { 0x08, 0, 0, 9, "extensionReq" } /* 358 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 16c9e854b..b6ee9a10d 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -49,8 +49,11 @@ extern const oid_t oid_names[]; #define OID_DELTA_CRL_INDICATOR 48 #define OID_NAME_CONSTRAINTS 51 #define OID_CRL_DISTRIBUTION_POINTS 52 +#define OID_CERTIFICATE_POLICIES 53 #define OID_ANY_POLICY 54 +#define OID_POLICY_MAPPINGS 55 #define OID_AUTHORITY_KEY_ID 56 +#define OID_POLICY_CONSTRAINTS 57 #define OID_EXTENDED_KEY_USAGE 58 #define OID_FRESHEST_CRL 60 #define OID_INHIBIT_ANY_POLICY 61 @@ -117,92 +120,95 @@ extern const oid_t oid_names[]; #define OID_ECDSA_WITH_SHA384 159 #define OID_ECDSA_WITH_SHA512 160 #define OID_USER_PRINCIPAL_NAME 175 -#define OID_TCGID 182 -#define OID_AUTHORITY_INFO_ACCESS 187 -#define OID_IP_ADDR_BLOCKS 189 -#define OID_SERVER_AUTH 194 -#define OID_CLIENT_AUTH 195 -#define OID_OCSP_SIGNING 202 -#define OID_XMPP_ADDR 204 -#define OID_AUTHENTICATION_INFO 206 -#define OID_ACCESS_IDENTITY 207 -#define OID_CHARGING_IDENTITY 208 -#define OID_GROUP 209 -#define OID_OCSP 212 -#define OID_BASIC 213 -#define OID_NONCE 214 -#define OID_CRL 215 -#define OID_RESPONSE 216 -#define OID_NO_CHECK 217 -#define OID_ARCHIVE_CUTOFF 218 -#define OID_SERVICE_LOCATOR 219 -#define OID_CA_ISSUERS 220 -#define OID_DES_CBC 226 -#define OID_SHA1 227 -#define OID_SHA1_WITH_RSA_OIW 228 -#define OID_ECGDSA_PUBKEY 247 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 250 -#define OID_ECGDSA_SIG_WITH_SHA1 251 -#define OID_ECGDSA_SIG_WITH_SHA224 252 -#define OID_ECGDSA_SIG_WITH_SHA256 253 -#define OID_ECGDSA_SIG_WITH_SHA384 254 -#define OID_ECGDSA_SIG_WITH_SHA512 255 -#define OID_SECT163K1 278 -#define OID_SECT163R1 279 -#define OID_SECT239K1 280 -#define OID_SECT113R1 281 -#define OID_SECT113R2 282 -#define OID_SECT112R1 283 -#define OID_SECT112R2 284 -#define OID_SECT160R1 285 -#define OID_SECT160K1 286 -#define OID_SECT256K1 287 -#define OID_SECT163R2 288 -#define OID_SECT283K1 289 -#define OID_SECT283R1 290 -#define OID_SECT131R1 291 -#define OID_SECT131R2 292 -#define OID_SECT193R1 293 -#define OID_SECT193R2 294 -#define OID_SECT233K1 295 -#define OID_SECT233R1 296 -#define OID_SECT128R1 297 -#define OID_SECT128R2 298 -#define OID_SECT160R2 299 -#define OID_SECT192K1 300 -#define OID_SECT224K1 301 -#define OID_SECT224R1 302 -#define OID_SECT384R1 303 -#define OID_SECT521R1 304 -#define OID_SECT409K1 305 -#define OID_SECT409R1 306 -#define OID_SECT571K1 307 -#define OID_SECT571R1 308 -#define OID_AES128_CBC 317 -#define OID_AES128_GCM 318 -#define OID_AES128_CCM 319 -#define OID_AES192_CBC 320 -#define OID_AES192_GCM 321 -#define OID_AES192_CCM 322 -#define OID_AES256_CBC 323 -#define OID_AES256_GCM 324 -#define OID_AES256_CCM 325 -#define OID_SHA256 327 -#define OID_SHA384 328 -#define OID_SHA512 329 -#define OID_SHA224 330 -#define OID_NS_REVOCATION_URL 336 -#define OID_NS_CA_REVOCATION_URL 337 -#define OID_NS_CA_POLICY_URL 338 -#define OID_NS_COMMENT 339 -#define OID_EMPLOYEE_NUMBER 342 -#define OID_PKI_MESSAGE_TYPE 348 -#define OID_PKI_STATUS 349 -#define OID_PKI_FAIL_INFO 350 -#define OID_PKI_SENDER_NONCE 351 -#define OID_PKI_RECIPIENT_NONCE 352 -#define OID_PKI_TRANS_ID 353 +#define OID_STRONGSWAN 178 +#define OID_TCGID 185 +#define OID_AUTHORITY_INFO_ACCESS 190 +#define OID_IP_ADDR_BLOCKS 192 +#define OID_POLICY_QUALIFIER_CPS 194 +#define OID_POLICY_QUALIFIER_UNOTICE 195 +#define OID_SERVER_AUTH 197 +#define OID_CLIENT_AUTH 198 +#define OID_OCSP_SIGNING 205 +#define OID_XMPP_ADDR 207 +#define OID_AUTHENTICATION_INFO 209 +#define OID_ACCESS_IDENTITY 210 +#define OID_CHARGING_IDENTITY 211 +#define OID_GROUP 212 +#define OID_OCSP 215 +#define OID_BASIC 216 +#define OID_NONCE 217 +#define OID_CRL 218 +#define OID_RESPONSE 219 +#define OID_NO_CHECK 220 +#define OID_ARCHIVE_CUTOFF 221 +#define OID_SERVICE_LOCATOR 222 +#define OID_CA_ISSUERS 223 +#define OID_DES_CBC 229 +#define OID_SHA1 230 +#define OID_SHA1_WITH_RSA_OIW 231 +#define OID_ECGDSA_PUBKEY 250 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 253 +#define OID_ECGDSA_SIG_WITH_SHA1 254 +#define OID_ECGDSA_SIG_WITH_SHA224 255 +#define OID_ECGDSA_SIG_WITH_SHA256 256 +#define OID_ECGDSA_SIG_WITH_SHA384 257 +#define OID_ECGDSA_SIG_WITH_SHA512 258 +#define OID_SECT163K1 281 +#define OID_SECT163R1 282 +#define OID_SECT239K1 283 +#define OID_SECT113R1 284 +#define OID_SECT113R2 285 +#define OID_SECT112R1 286 +#define OID_SECT112R2 287 +#define OID_SECT160R1 288 +#define OID_SECT160K1 289 +#define OID_SECT256K1 290 +#define OID_SECT163R2 291 +#define OID_SECT283K1 292 +#define OID_SECT283R1 293 +#define OID_SECT131R1 294 +#define OID_SECT131R2 295 +#define OID_SECT193R1 296 +#define OID_SECT193R2 297 +#define OID_SECT233K1 298 +#define OID_SECT233R1 299 +#define OID_SECT128R1 300 +#define OID_SECT128R2 301 +#define OID_SECT160R2 302 +#define OID_SECT192K1 303 +#define OID_SECT224K1 304 +#define OID_SECT224R1 305 +#define OID_SECT384R1 306 +#define OID_SECT521R1 307 +#define OID_SECT409K1 308 +#define OID_SECT409R1 309 +#define OID_SECT571K1 310 +#define OID_SECT571R1 311 +#define OID_AES128_CBC 320 +#define OID_AES128_GCM 321 +#define OID_AES128_CCM 322 +#define OID_AES192_CBC 323 +#define OID_AES192_GCM 324 +#define OID_AES192_CCM 325 +#define OID_AES256_CBC 326 +#define OID_AES256_GCM 327 +#define OID_AES256_CCM 328 +#define OID_SHA256 330 +#define OID_SHA384 331 +#define OID_SHA512 332 +#define OID_SHA224 333 +#define OID_NS_REVOCATION_URL 339 +#define OID_NS_CA_REVOCATION_URL 340 +#define OID_NS_CA_POLICY_URL 341 +#define OID_NS_COMMENT 342 +#define OID_EMPLOYEE_NUMBER 345 +#define OID_PKI_MESSAGE_TYPE 351 +#define OID_PKI_STATUS 352 +#define OID_PKI_FAIL_INFO 353 +#define OID_PKI_SENDER_NONCE 354 +#define OID_PKI_RECIPIENT_NONCE 355 +#define OID_PKI_TRANS_ID 356 -#define OID_MAX 356 +#define OID_MAX 359 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 36db0299c..e2931c7dd 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -51,11 +51,11 @@ 0x1D "certificateIssuer" 0x1E "nameConstraints" OID_NAME_CONSTRAINTS 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS - 0x20 "certificatePolicies" + 0x20 "certificatePolicies" OID_CERTIFICATE_POLICIES 0x00 "anyPolicy" OID_ANY_POLICY - 0x21 "policyMappings" + 0x21 "policyMappings" OID_POLICY_MAPPINGS 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID - 0x24 "policyConstraints" + 0x24 "policyConstraints" OID_POLICY_CONSTRAINTS 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE 0x00 "anyExtendedKeyUsage" 0x2E "freshestCRL" OID_FRESHEST_CRL @@ -124,7 +124,7 @@ 0x01 "id-ecPublicKey" OID_EC_PUBLICKEY 0x03 "ellipticCurve" 0x00 "c-TwoCurve" - 0x01 "c2pnb163v1" OID_C2PNB163V1 + 0x01 "c2pnb163v1" OID_C2PNB163V1 0x02 "c2pnb163v2" OID_C2PNB163V2 0x03 "c2pnb163v3" OID_C2PNB163V3 0x04 "c2pnb176w1" OID_C2PNB176W1 @@ -174,13 +174,16 @@ 0x02 "msCertificateTypeExtension" 0x02 "msSmartcardLogon" 0x03 "msUPN" OID_USER_PRINCIPAL_NAME + 0xA0 "" + 0x2A "ITA" + 0x01 "strongSwan" OID_STRONGSWAN 0x89 "" 0x31 "" 0x01 "" 0x01 "" 0x02 "" 0x02 "" - 0x4B "TCGID" OID_TCGID + 0x4B "TCGID" OID_TCGID 0x05 "security" 0x05 "mechanisms" 0x07 "id-pkix" @@ -189,8 +192,8 @@ 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS 0x02 "id-qt" - 0x01 "cps" - 0x02 "unotice" + 0x01 "cps" OID_POLICY_QUALIFIER_CPS + 0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE 0x03 "id-kp" 0x01 "serverAuth" OID_SERVER_AUTH 0x02 "clientAuth" OID_CLIENT_AUTH diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index ce718b9cb..23a3f62d9 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -131,11 +131,13 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)entry->value; cert->destroy(cert); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -147,6 +149,8 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: break; } } @@ -172,6 +176,8 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: /* integer type */ enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -182,10 +188,12 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* pointer type */ enumerator->current->value = va_arg(args, void*); break; @@ -237,6 +245,8 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_EAP_TYPE: return (void*)EAP_NAK; case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: return (void*)0; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: @@ -248,10 +258,12 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: default: return NULL; } @@ -274,6 +286,8 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -284,10 +298,12 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* pointer type */ entry->value = va_arg(args, void*); break; @@ -358,38 +374,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: { - cert_validation_t validated, required; + uintptr_t validated; - required = (uintptr_t)value; - validated = (uintptr_t)get(this, t1); - switch (required) + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &validated)) { - case VALIDATION_FAILED: - /* no constraint */ - break; - case VALIDATION_SKIPPED: - if (validated == VALIDATION_SKIPPED) - { - break; - } - /* FALL */ - case VALIDATION_GOOD: - if (validated == VALIDATION_GOOD) - { - break; - } - /* FALL */ - default: - success = FALSE; - if (log_error) + if (t2 == t1) + { + switch ((uintptr_t)value) { - DBG1(DBG_CFG, "constraint check failed: %N is %N, " - "but requires at least %N", auth_rule_names, - t1, cert_validation_names, validated, - cert_validation_names, required); + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: " + "%N is %N, but requires at least %N", + auth_rule_names, t1, + cert_validation_names, validated, + cert_validation_names, (uintptr_t)value); + } + break; } - break; + } } + e2->destroy(e2); break; } case AUTH_RULE_IDENTITY: @@ -473,10 +496,76 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, e2->destroy(e2); break; } + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + { + uintptr_t strength; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &strength)) + { + if (t2 == t1) + { + if ((uintptr_t)value > strength) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit " + "public keys, but %d bit key used", + (uintptr_t)value, strength); + } + } + } + else if (t2 == AUTH_RULE_RSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit ECDSA, " + "but RSA used", (uintptr_t)value); + } + } + else if (t2 == AUTH_RULE_ECDSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit RSA, " + "but ECDSA used", (uintptr_t)value); + } + } + } + e2->destroy(e2); + break; + } + case AUTH_RULE_CERT_POLICY: + { + char *oid1, *oid2; + + oid1 = (char*)value; + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &oid2)) + { + if (t2 == t1 && streq(oid1, oid2)) + { + success = TRUE; + break; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint requires cert policy %s", oid1); + } + break; + } case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* skip helpers */ continue; } @@ -523,6 +612,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)value; @@ -534,6 +624,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: { add(this, type, (uintptr_t)value); break; @@ -548,6 +640,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -600,6 +693,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: { if (i1->value == i2->value) { @@ -613,6 +708,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *c1, *c2; @@ -643,6 +739,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } continue; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -725,11 +822,13 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)entry->value; clone->add(clone, entry->type, cert->get_ref(cert)); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -741,6 +840,8 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: clone->add(clone, entry->type, (uintptr_t)entry->value); break; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 19624a2fe..489ce1134 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -90,6 +90,12 @@ enum auth_rule_t { * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */ AUTH_RULE_GROUP, + /** required RSA public key strength, u_int in bits */ + AUTH_RULE_RSA_STRENGTH, + /** required ECDSA public key strength, u_int in bits */ + AUTH_RULE_ECDSA_STRENGTH, + /** certificatePolicy constraint, numerical OID as char* */ + AUTH_RULE_CERT_POLICY, /** intermediate certificate, certificate_t* */ AUTH_HELPER_IM_CERT, @@ -99,6 +105,8 @@ enum auth_rule_t { AUTH_HELPER_IM_HASH_URL, /** Hash and URL of a end-entity certificate, char* */ AUTH_HELPER_SUBJECT_HASH_URL, + /** revocation certificate (CRL, OCSP), certificate_t* */ + AUTH_HELPER_REVOCATION_CERT, }; /** diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index c43e5fd5d..f9a277a2c 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -43,8 +43,16 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CRL_DISTRIBUTION_POINTS", "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", + "BUILD_PERMITTED_NAME_CONSTRAINTS", + "BUILD_EXCLUDED_NAME_CONSTRAINTS", + "BUILD_CERTIFICATE_POLICIES", + "BUILD_POLICY_MAPPINGS", + "BUILD_POLICY_REQUIRE_EXPLICIT", + "BUILD_POLICY_INHIBIT_MAPPING", + "BUILD_POLICY_INHIBIT_ANY", "BUILD_X509_FLAG", "BUILD_REVOKED_ENUMERATOR", + "BUILD_BASE_CRL", "BUILD_CHALLENGE_PWD", "BUILD_PKCS11_MODULE", "BUILD_PKCS11_SLOT", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index dc87da2a4..325b668cd 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -87,16 +87,32 @@ enum builder_part_t { BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, - /** CRL distribution point URIs, linked_list_t* containing char* */ + /** CRL distribution point URIs, x509_cdp_t* */ BUILD_CRL_DISTRIBUTION_POINTS, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, /** certificate path length constraint */ BUILD_PATHLEN, + /** permitted X509 name constraints, linked_list_t* of identification_t* */ + BUILD_PERMITTED_NAME_CONSTRAINTS, + /** excluded X509 name constraints, linked_list_t* of identification_t* */ + BUILD_EXCLUDED_NAME_CONSTRAINTS, + /** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */ + BUILD_CERTIFICATE_POLICIES, + /** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */ + BUILD_POLICY_MAPPINGS, + /** requireExplicitPolicy constraint, int */ + BUILD_POLICY_REQUIRE_EXPLICIT, + /** inhibitPolicyMapping constraint, int */ + BUILD_POLICY_INHIBIT_MAPPING, + /** inhibitAnyPolicy constraint, int */ + BUILD_POLICY_INHIBIT_ANY, /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ BUILD_REVOKED_ENUMERATOR, + /** Base CRL serial for a delta CRL, chunk_t, */ + BUILD_BASE_CRL, /** PKCS#10 challenge password */ BUILD_CHALLENGE_PWD, /** friendly name of a PKCS#11 module, null terminated char* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 1e67c23ab..733d9d612 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -40,12 +40,13 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking - * @param pathlen the current length of the path up to the root CA + * @param pathlen the current length of the path bottom-up + * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info */ bool (*validate)(cert_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, - auth_cfg_t *auth); + certificate_t *issuer, bool online, u_int pathlen, + bool anchor, auth_cfg_t *auth); }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 9425311fb..2f3497474 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -71,6 +71,21 @@ struct crl_t { */ chunk_t (*get_authKeyIdentifier)(crl_t *this); + /** + * Is this CRL a delta CRL? + * + * @param base_crl gets to baseCrlNumber, if this is a delta CRL + * @return TRUE if delta CRL + */ + bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl); + + /** + * Create an enumerator over Freshest CRL distribution points and issuers. + * + * @return enumerator over x509_cdp_t + */ + enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this); + /** * Create an enumerator over all revoked certificates. * diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c deleted file mode 100644 index 66dc192c1..000000000 --- a/src/libstrongswan/credentials/certificates/x509.c +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "x509.h" - -ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, - "X509_NONE", - "X509_CA", - "X509_AA", - "X509_OCSP_SIGNER", - "X509_SERVER_AUTH", - "X509_CLIENT_AUTH", - "X509_SELF_SIGNED", - "X509_IP_ADDR_BLOCKS", -); - diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6e0a5002a..fec02dbad 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,10 +24,15 @@ #include #include -#define X509_NO_PATH_LEN_CONSTRAINT -1 +/* constraints are currently restricted to the range 0..127 */ +#define X509_NO_CONSTRAINT 255 typedef struct x509_t x509_t; +typedef struct x509_cert_policy_t x509_cert_policy_t; +typedef struct x509_policy_mapping_t x509_policy_mapping_t; +typedef struct x509_cdp_t x509_cdp_t; typedef enum x509_flag_t x509_flag_t; +typedef enum x509_constraint_t x509_constraint_t; /** * X.509 certificate flags. @@ -49,12 +54,55 @@ enum x509_flag_t { X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ X509_IP_ADDR_BLOCKS = (1<<6), + /** cert has CRL sign key usage */ + X509_CRL_SIGN = (1<<7), }; /** - * enum names for x509 flags + * Different numerical X.509 constraints. */ -extern enum_name_t *x509_flag_names; +enum x509_constraint_t { + /** pathLenConstraint basicConstraints */ + X509_PATH_LEN, + /** inhibitPolicyMapping policyConstraint */ + X509_INHIBIT_POLICY_MAPPING, + /** requireExplicitPolicy policyConstraint */ + X509_REQUIRE_EXPLICIT_POLICY, + /** inhibitAnyPolicy constraint */ + X509_INHIBIT_ANY_POLICY, +}; + +/** + * X.509 certPolicy extension. + */ +struct x509_cert_policy_t { + /** OID of certPolicy */ + chunk_t oid; + /** Certification Practice Statement URI qualifier */ + char *cps_uri; + /** UserNotice Text qualifier */ + char *unotice_text; +}; + +/** + * X.509 policyMapping extension + */ +struct x509_policy_mapping_t { + /** OID of issuerDomainPolicy */ + chunk_t issuer; + /** OID of subjectDomainPolicy */ + chunk_t subject; +}; + +/** + * X.509 CRL distributionPoint + */ +struct x509_cdp_t { + /** CDP URI, as string */ + char *uri; + /** CRL issuer */ + identification_t *issuer; +}; /** * X.509 certificate interface. @@ -98,11 +146,12 @@ struct x509_t { chunk_t (*get_authKeyIdentifier)(x509_t *this); /** - * Get an optional path length constraint. + * Get a numerical X.509 constraint. * - * @return pathLenConstraint, -1 if no constraint exists + * @param type type of constraint to get + * @return constraint, X509_NO_CONSTRAINT if none found */ - int (*get_pathLenConstraint)(x509_t *this); + u_int (*get_constraint)(x509_t *this, x509_constraint_t type); /** * Create an enumerator over all subjectAltNames. @@ -112,9 +161,9 @@ struct x509_t { enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); /** - * Create an enumerator over all CRL URIs. + * Create an enumerator over all CRL URIs and CRL Issuers. * - * @return enumerator over URIs as char* + * @return enumerator over x509_cdp_t */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); @@ -131,6 +180,30 @@ struct x509_t { * @return enumerator over ipAddrBlocks as traffic_selector_t* */ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); + + /** + * Create an enumerator over name constraints. + * + * @param perm TRUE for permitted, FALSE for excluded subtrees + * @return enumerator over subtrees as identification_t + */ + enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm); + + /** + * Create an enumerator over certificate policies. + * + * @return enumerator over x509_cert_policy_t + */ + enumerator_t* (*create_cert_policy_enumerator)(x509_t *this); + + /** + * Create an enumerator over policy mappings. + * + * @return enumerator over x509_policy_mapping + */ + enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); + + }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 97e8d8887..27b97eab3 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool online, int pathlen, auth_cfg_t *auth) + certificate_t *subject, certificate_t *issuer, bool online, + int pathlen, bool trusted, auth_cfg_t *auth) { time_t not_before, not_after; cert_validator_t *validator; @@ -471,29 +471,12 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } - if (issuer->get_type(issuer) == CERT_X509 && - subject->get_type(subject) == CERT_X509) - { - int pathlen_constraint; - x509_t *x509; - - /* check path length constraint */ - x509 = (x509_t*)issuer; - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - DBG1(DBG_CFG, "path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - return FALSE; - } - } enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, - online, pathlen, auth)) + online, pathlen, trusted, auth)) { enumerator->destroy(enumerator); return FALSE; @@ -550,6 +533,37 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, return issuer; } +/** + * Get the strength of certificate, add it to auth + */ +static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) +{ + uintptr_t strength; + public_key_t *key; + key_type_t type; + + key = cert->get_public_key(cert); + if (key) + { + type = key->get_type(key); + strength = key->get_keysize(key); + DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N", + cert->get_subject(cert), strength, key_type_names, type); + switch (type) + { + case KEY_RSA: + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + break; + case KEY_ECDSA: + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + break; + default: + break; + } + key->destroy(key); + } +} + /** * try to verify the trust chain of subject, return TRUE if trusted */ @@ -562,7 +576,9 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); + get_key_strength(subject, auth); current = subject->get_ref(subject); + auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -607,13 +623,17 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } - if (!check_certificate(this, current, issuer, online, pathlen, - current == subject ? auth : NULL)) + if (!check_certificate(this, current, issuer, online, + pathlen, trusted, auth)) { trusted = FALSE; issuer->destroy(issuer); break; } + if (issuer) + { + get_key_strength(issuer, auth); + } current->destroy(current); current = issuer; if (trusted) @@ -636,6 +656,14 @@ static bool verify_trust_chain(private_credential_manager_t *this, return trusted; } +/** + * List find match function for certificates + */ +static bool cert_equals(certificate_t *a, certificate_t *b) +{ + return a->equals(a, b); +} + /** * enumerator for trusted certificates */ @@ -656,6 +684,8 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; + /** list of failed candidates */ + linked_list_t *failed; } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, @@ -683,11 +713,14 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { - this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, - this->pretrusted->get_ref(this->pretrusted)); DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; + if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT)) + { /* add cert to auth info, if not returned by trustchain */ + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + } if (auth) { *auth = this->auth; @@ -705,6 +738,12 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } + if (this->failed->find_first(this->failed, (void*)cert_equals, + NULL, current) == SUCCESS) + { /* check each candidate only once */ + continue; + } + DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -717,6 +756,7 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } + this->failed->insert_last(this->failed, current->get_ref(current)); } return FALSE; } @@ -727,6 +767,7 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); + this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); free(this); } @@ -745,6 +786,7 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, + .failed = linked_list_create(), ); return &enumerator->public; } diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 5e8458616..225fabe31 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -132,7 +132,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } } else if (rule != AUTH_HELPER_SUBJECT_CERT && - rule != AUTH_HELPER_IM_CERT) + rule != AUTH_HELPER_IM_CERT && + rule != AUTH_HELPER_REVOCATION_CERT) { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index c29a99f1f..e023e8443 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperwsil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -54,6 +56,11 @@ struct private_mem_cred_t { * List of shared keys, as shared_entry_t */ linked_list_t *shared; + + /** + * List of CDPs, as cdp_t + */ + linked_list_t *cdps; }; /** @@ -144,21 +151,104 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert) return item->equals(item, cert); } +/** + * Add a certificate the the cache. Returns a reference to "cert" or a + * previously cached certificate that equals "cert". + */ +static certificate_t *add_cert_internal(private_mem_cred_t *this, bool trusted, + certificate_t *cert) +{ + certificate_t *cached; + this->lock->write_lock(this->lock); + if (this->untrusted->find_first(this->untrusted, + (linked_list_match_t)certificate_equals, + (void**)&cached, cert) == SUCCESS) + { + cert->destroy(cert); + cert = cached->get_ref(cached); + } + else + { + if (trusted) + { + this->trusted->insert_first(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_first(this->untrusted, cert->get_ref(cert)); + } + this->lock->unlock(this->lock); + return cert; +} + METHOD(mem_cred_t, add_cert, void, private_mem_cred_t *this, bool trusted, certificate_t *cert) { + certificate_t *cached = add_cert_internal(this, trusted, cert); + cached->destroy(cached); +} + +METHOD(mem_cred_t, add_cert_ref, certificate_t*, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + return add_cert_internal(this, trusted, cert); +} + +METHOD(mem_cred_t, add_crl, bool, + private_mem_cred_t *this, crl_t *crl) +{ + certificate_t *current, *cert = &crl->certificate; + enumerator_t *enumerator; + bool new = TRUE; + this->lock->write_lock(this->lock); - if (this->untrusted->find_last(this->untrusted, - (linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS) + enumerator = this->untrusted->create_enumerator(this->untrusted); + while (enumerator->enumerate(enumerator, (void**)¤t)) { - if (trusted) + if (current->get_type(current) == CERT_X509_CRL) { - this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + bool found = FALSE; + crl_t *crl_c = (crl_t*)current; + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); + + /* compare authorityKeyIdentifiers if available */ + if (chunk_equals(authkey, authkey_c)) + { + found = TRUE; + } + else + { + identification_t *issuer = cert->get_issuer(cert); + identification_t *issuer_c = current->get_issuer(current); + + /* otherwise compare issuer distinguished names */ + if (issuer->equals(issuer, issuer_c)) + { + found = TRUE; + } + } + if (found) + { + new = crl_is_newer(crl, crl_c); + if (new) + { + this->untrusted->remove_at(this->untrusted, enumerator); + } + else + { + cert->destroy(cert); + } + break; + } } - this->untrusted->insert_last(this->untrusted, cert->get_ref(cert)); } - cert->destroy(cert); + enumerator->destroy(enumerator); + + if (new) + { + this->untrusted->insert_first(this->untrusted, cert); + } this->lock->unlock(this->lock); + return new; } /** @@ -218,7 +308,7 @@ METHOD(mem_cred_t, add_key, void, private_mem_cred_t *this, private_key_t *key) { this->lock->write_lock(this->lock); - this->keys->insert_last(this->keys, key); + this->keys->insert_first(this->keys, key); this->lock->unlock(this->lock); } @@ -342,32 +432,137 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, (void*)shared_filter, data, (void*)shared_data_destroy); } -METHOD(mem_cred_t, add_shared, void, - private_mem_cred_t *this, shared_key_t *shared, ...) +METHOD(mem_cred_t, add_shared_list, void, + private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners) { shared_entry_t *entry; - identification_t *id; - va_list args; INIT(entry, .shared = shared, - .owners = linked_list_create(), + .owners = owners, ); + this->lock->write_lock(this->lock); + this->shared->insert_first(this->shared, entry); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + identification_t *id; + linked_list_t *owners = linked_list_create(); + va_list args; + va_start(args, shared); do { id = va_arg(args, identification_t*); if (id) { - entry->owners->insert_last(entry->owners, id); + owners->insert_first(owners, id); } } while (id); va_end(args); + add_shared_list(this, shared, owners); +} + +/** + * Certificate distribution point + */ +typedef struct { + certificate_type_t type; + identification_t *id; + char *uri; +} cdp_t; + +/** + * Destroy a CDP entry + */ +static void cdp_destroy(cdp_t *this) +{ + this->id->destroy(this->id); + free(this->uri); + free(this); +} + +METHOD(mem_cred_t, add_cdp, void, + private_mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri) +{ + cdp_t *cdp; + + INIT(cdp, + .type = type, + .id = id->clone(id), + .uri = strdup(uri), + ); + this->lock->write_lock(this->lock); + this->cdps->insert_last(this->cdps, cdp); + this->lock->unlock(this->lock); +} + +/** + * CDP enumerator data + */ +typedef struct { + certificate_type_t type; + identification_t *id; + rwlock_t *lock; +} cdp_data_t; + +/** + * Clean up CDP enumerator data + */ +static void cdp_data_destroy(cdp_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * CDP enumerator filter + */ +static bool cdp_filter(cdp_data_t *data, cdp_t **cdp, char **uri) +{ + if (data->type != CERT_ANY && data->type != (*cdp)->type) + { + return FALSE; + } + if (data->id && !(*cdp)->id->matches((*cdp)->id, data->id)) + { + return FALSE; + } + *uri = (*cdp)->uri; + return TRUE; +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_mem_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_data_t *data; + + INIT(data, + .type = type, + .id = id, + .lock = this->lock, + ); + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->cdps->create_enumerator(this->cdps), + (void*)cdp_filter, data, (void*)cdp_data_destroy); + +} + +METHOD(mem_cred_t, clear_secrets, void, + private_mem_cred_t *this) +{ this->lock->write_lock(this->lock); - this->shared->insert_last(this->shared, entry); + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->keys = linked_list_create(); + this->shared = linked_list_create(); this->lock->unlock(this->lock); } @@ -379,13 +574,13 @@ METHOD(mem_cred_t, clear_, void, offsetof(certificate_t, destroy)); this->untrusted->destroy_offset(this->untrusted, offsetof(certificate_t, destroy)); - this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); - this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->cdps->destroy_function(this->cdps, (void*)cdp_destroy); this->trusted = linked_list_create(); this->untrusted = linked_list_create(); - this->keys = linked_list_create(); - this->shared = linked_list_create(); + this->cdps = linked_list_create(); this->lock->unlock(this->lock); + + clear_secrets(this); } METHOD(mem_cred_t, destroy, void, @@ -396,6 +591,7 @@ METHOD(mem_cred_t, destroy, void, this->untrusted->destroy(this->untrusted); this->keys->destroy(this->keys); this->shared->destroy(this->shared); + this->cdps->destroy(this->cdps); this->lock->destroy(this->lock); free(this); } @@ -413,19 +609,25 @@ mem_cred_t *mem_cred_create() .create_shared_enumerator = _create_shared_enumerator, .create_private_enumerator = _create_private_enumerator, .create_cert_enumerator = _create_cert_enumerator, - .create_cdp_enumerator = (void*)return_null, + .create_cdp_enumerator = _create_cdp_enumerator, .cache_cert = (void*)nop, }, .add_cert = _add_cert, + .add_cert_ref = _add_cert_ref, + .add_crl = _add_crl, .add_key = _add_key, .add_shared = _add_shared, + .add_shared_list = _add_shared_list, + .add_cdp = _add_cdp, .clear = _clear_, + .clear_secrets = _clear_secrets, .destroy = _destroy, }, .trusted = linked_list_create(), .untrusted = linked_list_create(), .keys = linked_list_create(), .shared = linked_list_create(), + .cdps = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h index b26e43d6c..eb46b065b 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.h +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -24,6 +26,8 @@ typedef struct mem_cred_t mem_cred_t; #include +#include +#include /** * Generic in-memory credential set. @@ -43,6 +47,26 @@ struct mem_cred_t { */ void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert); + /** + * Add a certificate to the credential set, returning a reference to it or + * to a cached duplicate. + * + * @param trusted TRUE to serve certificate as trusted + * @param cert certificate, reference gets owned by set + * @return reference to cert or a previously cached duplicate + */ + certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted, + certificate_t *cert); + + /** + * Add an X.509 CRL to the credential set. + * + * @param crl CRL, gets owned by set + * @return TRUE, if the CRL is newer than an existing one (or + * new at all) + */ + bool (*add_crl)(mem_cred_t *this, crl_t *crl); + /** * Add a private key to the credential set. * @@ -54,15 +78,39 @@ struct mem_cred_t { * Add a shared key to the credential set. * * @param shared shared key to add, gets owned by set - * @param ... NULL terminated list of owners identification_t* + * @param ... NULL terminated list of owners (identification_t*) */ void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...); + /** + * Add a shared key to the credential set. + * + * @param shared shared key to add, gets owned by set + * @param owners list of owners (identification_t*), gets owned + */ + void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared, + linked_list_t *owners); + /** + * Add a certificate distribution point to the set. + * + * @param type type of the certificate + * @param id certificate ID CDP has a cert for, gets cloned + * @param uri CDP URI, gets strduped + */ + void (*add_cdp)(mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri); + /** * Clear all credentials from the credential set. */ void (*clear)(mem_cred_t *this); + /** + * Clear the secrets (private and shared keys, not the certificates) from + * the credential set. + */ + void (*clear_secrets)(mem_cred_t *this); + /** * Destroy a mem_cred_t. */ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index f2f01987d..2d13896d6 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -20,13 +20,29 @@ #include #include +const char *default_plugin_name = "default"; + typedef struct entry_t entry_t; + struct entry_t { - /* algorithm */ + /** + * algorithm + */ u_int algo; - /* benchmarked speed */ + + /** + * plugin that registered this algorithm + */ + const char *plugin_name; + + /** + * benchmarked speed + */ u_int speed; - /* constructor */ + + /** + * constructor + */ union { crypter_constructor_t create_crypter; aead_constructor_t create_aead; @@ -128,7 +144,8 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*, { if (this->test_on_create && !this->tester->test_crypter(this->tester, algo, key_size, - entry->create_crypter, NULL)) + entry->create_crypter, NULL, + default_plugin_name)) { continue; } @@ -160,7 +177,8 @@ METHOD(crypto_factory_t, create_aead, aead_t*, { if (this->test_on_create && !this->tester->test_aead(this->tester, algo, key_size, - entry->create_aead, NULL)) + entry->create_aead, NULL, + default_plugin_name)) { continue; } @@ -191,7 +209,8 @@ METHOD(crypto_factory_t, create_signer, signer_t*, { if (this->test_on_create && !this->tester->test_signer(this->tester, algo, - entry->create_signer, NULL)) + entry->create_signer, NULL, + default_plugin_name)) { continue; } @@ -223,7 +242,8 @@ METHOD(crypto_factory_t, create_hasher, hasher_t*, { if (this->test_on_create && algo != HASH_PREFERRED && !this->tester->test_hasher(this->tester, algo, - entry->create_hasher, NULL)) + entry->create_hasher, NULL, + default_plugin_name)) { continue; } @@ -254,7 +274,8 @@ METHOD(crypto_factory_t, create_prf, prf_t*, { if (this->test_on_create && !this->tester->test_prf(this->tester, algo, - entry->create_prf, NULL)) + entry->create_prf, NULL, + default_plugin_name)) { continue; } @@ -286,7 +307,8 @@ METHOD(crypto_factory_t, create_rng, rng_t*, { if (this->test_on_create && !this->tester->test_rng(this->tester, quality, - entry->create_rng, NULL)) + entry->create_rng, NULL, + default_plugin_name)) { continue; } @@ -350,7 +372,8 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*, * Insert an algorithm entry to a list */ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, - int algo, u_int speed, void *create) + int algo, const char *plugin_name, + u_int speed, void *create) { entry_t *entry, *current; linked_list_t *tmp; @@ -358,6 +381,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, INIT(entry, .algo = algo, + .plugin_name = plugin_name, .speed = speed, ); entry->create = create; @@ -391,16 +415,16 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, } METHOD(crypto_factory_t, add_crypter, void, - private_crypto_factory_t *this, encryption_algorithm_t algo, - crypter_constructor_t create) + private_crypto_factory_t *this, encryption_algorithm_t algo, + const char *plugin_name, crypter_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_crypter(this->tester, algo, 0, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->crypters, algo, speed, create); + add_entry(this, this->crypters, algo, plugin_name, speed, create); } } @@ -425,16 +449,16 @@ METHOD(crypto_factory_t, remove_crypter, void, } METHOD(crypto_factory_t, add_aead, void, - private_crypto_factory_t *this, encryption_algorithm_t algo, - aead_constructor_t create) + private_crypto_factory_t *this, encryption_algorithm_t algo, + const char *plugin_name, aead_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_aead(this->tester, algo, 0, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->aeads, algo, speed, create); + add_entry(this, this->aeads, algo, plugin_name, speed, create); } } @@ -459,16 +483,16 @@ METHOD(crypto_factory_t, remove_aead, void, } METHOD(crypto_factory_t, add_signer, void, - private_crypto_factory_t *this, integrity_algorithm_t algo, - signer_constructor_t create) + private_crypto_factory_t *this, integrity_algorithm_t algo, + const char *plugin_name, signer_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_signer(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->signers, algo, speed, create); + add_entry(this, this->signers, algo, plugin_name, speed, create); } } @@ -493,16 +517,16 @@ METHOD(crypto_factory_t, remove_signer, void, } METHOD(crypto_factory_t, add_hasher, void, - private_crypto_factory_t *this, hash_algorithm_t algo, - hasher_constructor_t create) + private_crypto_factory_t *this, hash_algorithm_t algo, + const char *plugin_name, hasher_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_hasher(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->hashers, algo, speed, create); + add_entry(this, this->hashers, algo, plugin_name, speed, create); } } @@ -527,16 +551,16 @@ METHOD(crypto_factory_t, remove_hasher, void, } METHOD(crypto_factory_t, add_prf, void, - private_crypto_factory_t *this, pseudo_random_function_t algo, - prf_constructor_t create) + private_crypto_factory_t *this, pseudo_random_function_t algo, + const char *plugin_name, prf_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_prf(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->prfs, algo, speed, create); + add_entry(this, this->prfs, algo, plugin_name, speed, create); } } @@ -562,15 +586,15 @@ METHOD(crypto_factory_t, remove_prf, void, METHOD(crypto_factory_t, add_rng, void, private_crypto_factory_t *this, rng_quality_t quality, - rng_constructor_t create) + const char *plugin_name, rng_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_rng(this->tester, quality, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->rngs, quality, speed, create); + add_entry(this, this->rngs, quality, plugin_name, speed, create); } } @@ -595,10 +619,10 @@ METHOD(crypto_factory_t, remove_rng, void, } METHOD(crypto_factory_t, add_dh, void, - private_crypto_factory_t *this, diffie_hellman_group_t group, - dh_constructor_t create) + private_crypto_factory_t *this, diffie_hellman_group_t group, + const char *plugin_name, dh_constructor_t create) { - add_entry(this, this->dhs, group, 0, create); + add_entry(this, this->dhs, group, plugin_name, 0, create); } METHOD(crypto_factory_t, remove_dh, void, @@ -660,9 +684,11 @@ static enumerator_t *create_enumerator(private_crypto_factory_t *this, /** * Filter function to enumerate algorithm, not entry */ -static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo) +static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -681,9 +707,11 @@ METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo) +static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -696,9 +724,11 @@ METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo) +static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -711,9 +741,11 @@ METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo) +static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -726,9 +758,11 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group) +static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group, + void *i2, const char **plugin_name) { *group = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -738,6 +772,22 @@ METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*, return create_enumerator(this, this->dhs, dh_filter); } +/** + * Filter function to enumerate algorithm, not entry + */ +static bool rng_filter(void *n, entry_t **entry, rng_quality_t *quality, + void *i2, const char **plugin_name) +{ + *quality = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; + return TRUE; +} + +METHOD(crypto_factory_t, create_rng_enumerator, enumerator_t*, + private_crypto_factory_t *this) +{ + return create_enumerator(this, this->rngs, rng_filter); +} METHOD(crypto_factory_t, add_test_vector, void, private_crypto_factory_t *this, transform_type_t type, void *vector) { @@ -812,6 +862,7 @@ crypto_factory_t *crypto_factory_create() .create_hasher_enumerator = _create_hasher_enumerator, .create_prf_enumerator = _create_prf_enumerator, .create_dh_enumerator = _create_dh_enumerator, + .create_rng_enumerator = _create_rng_enumerator, .add_test_vector = _add_test_vector, .destroy = _destroy, }, diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index ff06eda7b..8e5db6355 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -33,6 +33,8 @@ typedef struct crypto_factory_t crypto_factory_t; #include #include +#define CRYPTO_MAX_ALG_LINE 120 /* characters */ + /** * Constructor function for crypters */ @@ -144,11 +146,12 @@ struct crypto_factory_t { * Register a crypter constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo, - crypter_constructor_t create); + const char *plugin_name, crypter_constructor_t create); /** * Unregister a crypter constructor. @@ -168,21 +171,23 @@ struct crypto_factory_t { * Register a aead constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo, - aead_constructor_t create); + const char *plugin_name, aead_constructor_t create); /** * Register a signer constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo, - signer_constructor_t create); + const char *plugin_name, signer_constructor_t create); /** * Unregister a signer constructor. @@ -198,11 +203,12 @@ struct crypto_factory_t { * create_hasher(HASH_PREFERRED). * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo, - hasher_constructor_t create); + const char *plugin_name, hasher_constructor_t create); /** * Unregister a hasher constructor. @@ -215,11 +221,12 @@ struct crypto_factory_t { * Register a prf constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo, - prf_constructor_t create); + const char *plugin_name, prf_constructor_t create); /** * Unregister a prf constructor. @@ -232,9 +239,11 @@ struct crypto_factory_t { * Register a source of randomness. * * @param quality quality of randomness this RNG serves + * @param plugin_name plugin that registered this algorithm * @param create constructor function for such a quality */ - void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create); + void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, + const char *plugin_name, rng_constructor_t create); /** * Unregister a source of randomness. @@ -247,11 +256,12 @@ struct crypto_factory_t { * Register a diffie hellman constructor. * * @param group dh group to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group, - dh_constructor_t create); + const char *plugin_name, dh_constructor_t create); /** * Unregister a diffie hellman constructor. @@ -302,6 +312,13 @@ struct crypto_factory_t { */ enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this); + /** + * Create an enumerator over all registered random generators. + * + * @return enumerator over rng_quality_t + */ + enumerator_t* (*create_rng_enumerator)(crypto_factory_t *this); + /** * Add a test vector to the crypto factory. * diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index d17485ff2..276f4329a 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -165,7 +165,7 @@ static u_int bench_crypter(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_crypter, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, - crypter_constructor_t create, u_int *speed) + crypter_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; crypter_test_vector_t *vector; @@ -188,7 +188,11 @@ METHOD(crypto_tester_t, test_crypter, bool, } crypter = create(alg, vector->key_size); if (!crypter) - { /* key size not supported... */ + { + DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", + encryption_algorithm_names, alg, plugin_name, + BITS_PER_BYTE * vector->key_size); + failed = TRUE; continue; } @@ -231,31 +235,40 @@ METHOD(crypto_tester_t, test_crypter, bool, crypter->destroy(crypter); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - encryption_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + encryption_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", - this->required ? "disabled" : "enabled ", - encryption_algorithm_names, alg); - return !this->required; + if (failed) + { + DBG1(DBG_LIB,"disable %N[%s]: no key size supported", + encryption_algorithm_names, alg, plugin_name); + return FALSE; + } + else + { + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg, plugin_name); + return !this->required; + } } if (!failed) { if (speed) { *speed = bench_crypter(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - encryption_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, plugin_name, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - encryption_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + encryption_algorithm_names, alg, plugin_name, tested); } } return !failed; @@ -311,7 +324,7 @@ static u_int bench_aead(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_aead, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, - aead_constructor_t create, u_int *speed) + aead_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; aead_test_vector_t *vector; @@ -335,7 +348,11 @@ METHOD(crypto_tester_t, test_aead, bool, } aead = create(alg, vector->key_size); if (!aead) - { /* key size not supported... */ + { + DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", + encryption_algorithm_names, alg, plugin_name, + BITS_PER_BYTE * vector->key_size); + failed = TRUE; continue; } @@ -388,31 +405,40 @@ METHOD(crypto_tester_t, test_aead, bool, aead->destroy(aead); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - encryption_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + encryption_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", - this->required ? "disabled" : "enabled ", - encryption_algorithm_names, alg); - return !this->required; + if (failed) + { + DBG1(DBG_LIB,"disable %N[%s]: no key size supported", + encryption_algorithm_names, alg, plugin_name); + return FALSE; + } + else + { + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg, plugin_name); + return !this->required; + } } if (!failed) { if (speed) { *speed = bench_aead(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - encryption_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + encryption_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - encryption_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + encryption_algorithm_names, alg, plugin_name, tested); } } return !failed; @@ -460,7 +486,7 @@ static u_int bench_signer(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_signer, bool, private_crypto_tester_t *this, integrity_algorithm_t alg, - signer_constructor_t create, u_int *speed) + signer_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; signer_test_vector_t *vector; @@ -482,8 +508,8 @@ METHOD(crypto_tester_t, test_signer, bool, signer = create(alg); if (!signer) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - integrity_algorithm_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + integrity_algorithm_names, alg, plugin_name); failed = TRUE; break; } @@ -538,17 +564,17 @@ METHOD(crypto_tester_t, test_signer, bool, signer->destroy(signer); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - integrity_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + integrity_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - integrity_algorithm_names, alg); + integrity_algorithm_names, alg, plugin_name); return !this->required; } if (!failed) @@ -556,13 +582,13 @@ METHOD(crypto_tester_t, test_signer, bool, if (speed) { *speed = bench_signer(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - integrity_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + integrity_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - integrity_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + integrity_algorithm_names, alg, plugin_name, tested); } } return !failed; @@ -604,7 +630,7 @@ static u_int bench_hasher(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_hasher, bool, private_crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create, u_int *speed) + hasher_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; hasher_test_vector_t *vector; @@ -626,8 +652,8 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher = create(alg); if (!hasher) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - hash_algorithm_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + hash_algorithm_names, alg, plugin_name); failed = TRUE; break; } @@ -669,17 +695,17 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher->destroy(hasher); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - hash_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + hash_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - hash_algorithm_names, alg); + hash_algorithm_names, alg, plugin_name); return !this->required; } if (!failed) @@ -687,13 +713,13 @@ METHOD(crypto_tester_t, test_hasher, bool, if (speed) { *speed = bench_hasher(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - hash_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + hash_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - hash_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + hash_algorithm_names, alg, plugin_name, tested); } } return !failed; @@ -735,7 +761,7 @@ static u_int bench_prf(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_prf, bool, private_crypto_tester_t *this, pseudo_random_function_t alg, - prf_constructor_t create, u_int *speed) + prf_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; prf_test_vector_t *vector; @@ -757,8 +783,8 @@ METHOD(crypto_tester_t, test_prf, bool, prf = create(alg); if (!prf) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - pseudo_random_function_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + pseudo_random_function_names, alg, plugin_name); failed = TRUE; break; } @@ -811,17 +837,17 @@ METHOD(crypto_tester_t, test_prf, bool, prf->destroy(prf); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - pseudo_random_function_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + pseudo_random_function_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - pseudo_random_function_names, alg); + pseudo_random_function_names, alg, plugin_name); return !this->required; } if (!failed) @@ -829,13 +855,13 @@ METHOD(crypto_tester_t, test_prf, bool, if (speed) { *speed = bench_prf(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - pseudo_random_function_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + pseudo_random_function_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - pseudo_random_function_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + pseudo_random_function_names, alg, plugin_name, tested); } } return !failed; @@ -874,7 +900,7 @@ static u_int bench_rng(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_rng, bool, private_crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create, u_int *speed) + rng_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; rng_test_vector_t *vector; @@ -883,8 +909,8 @@ METHOD(crypto_tester_t, test_rng, bool, if (!this->rng_true && quality == RNG_TRUE) { - DBG1(DBG_LIB, "enabled %N: skipping test (disabled by config)", - rng_quality_names, quality); + DBG1(DBG_LIB, "enabled %N[%s]: skipping test (disabled by config)", + rng_quality_names, quality, plugin_name); return TRUE; } @@ -903,8 +929,8 @@ METHOD(crypto_tester_t, test_rng, bool, rng = create(quality); if (!rng) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - rng_quality_names, quality); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + rng_quality_names, quality, plugin_name); failed = TRUE; break; } @@ -933,17 +959,17 @@ METHOD(crypto_tester_t, test_rng, bool, rng->destroy(rng); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - rng_quality_names, quality, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + rng_quality_names, quality, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? ", disabled" : "enabled ", - rng_quality_names, quality); + rng_quality_names, quality, plugin_name); return !this->required; } if (!failed) @@ -951,13 +977,13 @@ METHOD(crypto_tester_t, test_rng, bool, if (speed) { *speed = bench_rng(this, quality, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - rng_quality_names, quality, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + rng_quality_names, quality, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - rng_quality_names, quality, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + rng_quality_names, quality, plugin_name, tested); } } return !failed; diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index cef0b3c18..019c87c39 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -143,7 +143,7 @@ struct crypto_tester_t { */ bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create, - u_int *speed); + u_int *speed, const char *plugin_name); /** * Test an aead algorithm, optionally using a specified key size. @@ -156,7 +156,7 @@ struct crypto_tester_t { */ bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, aead_constructor_t create, - u_int *speed); + u_int *speed, const char *plugin_name); /** * Test a signer algorithm. * @@ -166,7 +166,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg, - signer_constructor_t create, u_int *speed); + signer_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a hasher algorithm. * @@ -176,7 +177,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create, u_int *speed); + hasher_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a PRF algorithm. * @@ -186,7 +188,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg, - prf_constructor_t create, u_int *speed); + prf_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a RNG implementation. * @@ -196,7 +199,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create, u_int *speed); + rng_constructor_t create, + u_int *speed, const char *plugin_name); /** * Add a test vector to test a crypter. * diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h index 1d55747a4..e98a3a211 100644 --- a/src/libstrongswan/eap/eap.h +++ b/src/libstrongswan/eap/eap.h @@ -82,7 +82,7 @@ extern enum_name_t *eap_type_short_names; * Lookup the EAP method type from a string. * * @param name EAP method name (such as "md5", "aka") - * @return method type, 0 if unkown + * @return method type, 0 if unknown */ eap_type_t eap_type_from_string(char *name); diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c index 258a5b410..5c811bd17 100644 --- a/src/libstrongswan/enum.c +++ b/src/libstrongswan/enum.c @@ -43,7 +43,7 @@ int enum_from_name(enum_name_t *e, char *name) { do { - int i, count = e->last - e->first; + int i, count = e->last - e->first + 1; for (i = 0; i < count; i++) { diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index c81de032c..b007c8b08 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c @@ -92,7 +92,7 @@ static status_t fetch(private_fetcher_manager_t *this, va_start(args, response); while (good) { - opt = va_arg(args, fetcher_option_t); + opt = va_arg(args, int); switch (opt) { case FETCH_REQUEST_DATA: @@ -109,7 +109,7 @@ static status_t fetch(private_fetcher_manager_t *this, good = fetcher->set_option(fetcher, opt, va_arg(args, u_int)); continue; case FETCH_END: - break;; + break; } break; } diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c index c9cad44ae..e962aba70 100644 --- a/src/libstrongswan/integrity_checker.c +++ b/src/libstrongswan/integrity_checker.c @@ -57,11 +57,8 @@ struct private_integrity_checker_t { int checksum_count; }; -/** - * Implementation of integrity_checker_t.build_file - */ -static u_int32_t build_file(private_integrity_checker_t *this, char *file, - size_t *len) +METHOD(integrity_checker_t, build_file, u_int32_t, + private_integrity_checker_t *this, char *file, size_t *len) { u_int32_t checksum; chunk_t contents; @@ -136,11 +133,8 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) return 0; } -/** - * Implementation of integrity_checker_t.build_segment - */ -static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, - size_t *len) +METHOD(integrity_checker_t, build_segment, u_int32_t, + private_integrity_checker_t *this, void *sym, size_t *len) { chunk_t segment; Dl_info dli; @@ -180,11 +174,8 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, return NULL; } -/** - * Implementation of integrity_checker_t.check_file - */ -static bool check_file(private_integrity_checker_t *this, - char *name, char *file) +METHOD(integrity_checker_t, check_file, bool, + private_integrity_checker_t *this, char *name, char *file) { integrity_checksum_t *cs; u_int32_t sum; @@ -217,11 +208,8 @@ static bool check_file(private_integrity_checker_t *this, return TRUE; } -/** - * Implementation of integrity_checker_t.check_segment - */ -static bool check_segment(private_integrity_checker_t *this, - char *name, void *sym) +METHOD(integrity_checker_t, check_segment, bool, + private_integrity_checker_t *this, char *name, void *sym) { integrity_checksum_t *cs; u_int32_t sum; @@ -254,10 +242,8 @@ static bool check_segment(private_integrity_checker_t *this, return TRUE; } -/** - * Implementation of integrity_checker_t.check - */ -static bool check(private_integrity_checker_t *this, char *name, void *sym) +METHOD(integrity_checker_t, check, bool, + private_integrity_checker_t *this, char *name, void *sym) { Dl_info dli; @@ -277,10 +263,8 @@ static bool check(private_integrity_checker_t *this, char *name, void *sym) return TRUE; } -/** - * Implementation of integrity_checker_t.destroy. - */ -static void destroy(private_integrity_checker_t *this) +METHOD(integrity_checker_t, destroy, void, + private_integrity_checker_t *this) { if (this->handle) { @@ -294,17 +278,19 @@ static void destroy(private_integrity_checker_t *this) */ integrity_checker_t *integrity_checker_create(char *checksum_library) { - private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); - - this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; - this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; - this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; - this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; - this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; - this->public.destroy = (void(*)(integrity_checker_t*))destroy; + private_integrity_checker_t *this; + + INIT(this, + .public = { + .check_file = _check_file, + .build_file = _build_file, + .check_segment = _check_segment, + .build_segment = _build_segment, + .check = _check, + .destroy = _destroy, + }, + ); - this->checksum_count = 0; - this->handle = NULL; if (checksum_library) { this->handle = dlopen(checksum_library, RTLD_LAZY); diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 99a520852..9835cd5b9 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c index 22b47e334..1c060b6c8 100644 --- a/src/libstrongswan/plugins/aes/aes_plugin.c +++ b/src/libstrongswan/plugins/aes/aes_plugin.c @@ -18,6 +18,8 @@ #include #include "aes_crypter.h" +static const char *plugin_name = "aes"; + typedef struct private_aes_plugin_t private_aes_plugin_t; /** @@ -54,7 +56,7 @@ plugin_t *aes_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)aes_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am new file mode 100644 index 000000000..a33fd30b6 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/Makefile.am @@ -0,0 +1,20 @@ + +INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-af-alg.la +else +plugin_LTLIBRARIES = libstrongswan-af-alg.la +endif + +libstrongswan_af_alg_la_SOURCES = \ + af_alg_plugin.h af_alg_plugin.c \ + af_alg_ops.h af_alg_ops.c \ + af_alg_hasher.h af_alg_hasher.c \ + af_alg_signer.h af_alg_signer.c \ + af_alg_prf.h af_alg_prf.c \ + af_alg_crypter.h af_alg_crypter.c + +libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in new file mode 100644 index 000000000..aa8df979e --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -0,0 +1,612 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/af_alg +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_af_alg_la_LIBADD = +am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \ + af_alg_hasher.lo af_alg_signer.lo af_alg_prf.lo \ + af_alg_crypter.lo +libstrongswan_af_alg_la_OBJECTS = \ + $(am_libstrongswan_af_alg_la_OBJECTS) +libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_af_alg_la_SOURCES) +DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la +libstrongswan_af_alg_la_SOURCES = \ + af_alg_plugin.h af_alg_plugin.c \ + af_alg_ops.h af_alg_ops.c \ + af_alg_hasher.h af_alg_hasher.c \ + af_alg_signer.h af_alg_signer.c \ + af_alg_prf.h af_alg_prf.c \ + af_alg_crypter.h af_alg_crypter.c + +libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) + $(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_crypter.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c new file mode 100644 index 000000000..3416ad8d2 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c @@ -0,0 +1,237 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_crypter.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_crypter_t private_af_alg_crypter_t; + +/** + * Private data of af_alg_crypter_t + */ +struct private_af_alg_crypter_t { + + /** + * Public part of this class. + */ + af_alg_crypter_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the truncated signature + */ + size_t block_size; + + /** + * Size of the keymat + */ + size_t keymat_size; + + /** + * Size of initialization vector + */ + size_t iv_size; +}; + +/** + * Algorithm database + */ +static struct { + encryption_algorithm_t id; + char *name; + size_t block_size; + /* key size of the algorithm */ + size_t key_size; + /* size of the keying material (key + nonce for ctr mode) */ + size_t keymat_size; + size_t iv_size; +} algs[] = { + {ENCR_DES, "cbc(des)", 8, 8, 8, 8, }, + {ENCR_3DES, "cbc(des3_ede)", 8, 24, 24, 8, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 16, 16, 16, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 24, 24, 16, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 32, 32, 16, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 16, 20, 8, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 24, 28, 8, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 32, 36, 8, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 16, 16, 16, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 24, 24, 16, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 32, 32, 16, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 16, 20, 8, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 24, 28, 8, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 32, 36, 8, }, + {ENCR_CAST, "cbc(cast5)", 8, 16, 16, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 16, 16, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 24, 24, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 32, 32, 8, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 16, 16, 16, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 24, 24, 16, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 32, 32, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 16, 16, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 24, 24, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 32, 32, 16, }, +}; + +/** + * See header. + */ +void af_alg_crypter_probe() +{ + encryption_algorithm_t prev = -1; + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + if (prev != algs[i].id) + { + ops = af_alg_ops_create("skcipher", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_crypter(lib->crypto, algs[i].id, af_alg_plugin_name, + (crypter_constructor_t)af_alg_crypter_create); + } + } + prev = algs[i].id; + } +} + +/** + * Get the kernel algorithm string and block/key size for our identifier + */ +static size_t lookup_alg(encryption_algorithm_t algo, char **name, + size_t key_size, size_t *keymat_size, size_t *iv_size) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo && + (key_size == 0 || algs[i].key_size == key_size)) + { + *name = algs[i].name; + *keymat_size = algs[i].keymat_size; + *iv_size = algs[i].iv_size; + return algs[i].block_size; + } + } + return 0; +} + +METHOD(crypter_t, decrypt, void, + private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) +{ + if (dst) + { + *dst = chunk_alloc(data.len); + this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr); + } + else + { + this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr); + } +} + +METHOD(crypter_t, encrypt, void, + private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) +{ + if (dst) + { + *dst = chunk_alloc(data.len); + this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr); + } + else + { + this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr); + } +} + +METHOD(crypter_t, get_block_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->block_size; +} + +METHOD(crypter_t, get_iv_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->iv_size; +} + +METHOD(crypter_t, get_key_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->keymat_size; +} + +METHOD(crypter_t, set_key, void, + private_af_alg_crypter_t *this, chunk_t key) +{ + this->ops->set_key(this->ops, key); +} + +METHOD(crypter_t, destroy, void, + private_af_alg_crypter_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header + */ +af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo, + size_t key_size) +{ + private_af_alg_crypter_t *this; + size_t block_size, keymat_size, iv_size; + char *name; + + block_size = lookup_alg(algo, &name, key_size, &keymat_size, &iv_size); + if (!block_size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .block_size = block_size, + .keymat_size = keymat_size, + .iv_size = iv_size, + .ops = af_alg_ops_create("skcipher", name), + ); + + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h new file mode 100644 index 000000000..711d2fc35 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg_crypter af_alg_crypter + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_CRYPTER_H_ +#define AF_ALG_CRYPTER_H_ + +typedef struct af_alg_crypter_t af_alg_crypter_t; + +#include + +/** + * Implementation of signers using AF_ALG. + */ +struct af_alg_crypter_t { + + /** + * The crypter_t interface. + */ + crypter_t crypter; +}; + +/** + * Constructor to create af_alg_crypter_t. + * + * @param algo algorithm to implement + * @param key_size key size in bytes + * @return af_alg_crypter_t, NULL if not supported + */ +af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo, + size_t key_size); + +/** + * Probe algorithms and register af_alg_crypter_create(). + */ +void af_alg_crypter_probe(); + +#endif /** AF_ALG_CRYPTER_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c new file mode 100644 index 000000000..7c6297d44 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c @@ -0,0 +1,170 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_hasher.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_hasher_t private_af_alg_hasher_t; + +/** + * Private data of af_alg_hasher_t + */ +struct private_af_alg_hasher_t { + + /** + * Public part of this class. + */ + af_alg_hasher_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the hash + */ + size_t size; +}; + +/** + * Algorithm database + */ +static struct { + hash_algorithm_t id; + char *name; + size_t size; +} algs[] = { + {HASH_SHA1, "sha1", HASH_SIZE_SHA1 }, + {HASH_MD5, "md5", HASH_SIZE_MD5 }, + {HASH_SHA224, "sha224", HASH_SIZE_SHA224 }, + {HASH_SHA256, "sha256", HASH_SIZE_SHA256 }, + {HASH_SHA384, "sha384", HASH_SIZE_SHA384 }, + {HASH_SHA512, "sha512", HASH_SIZE_SHA512 }, + {HASH_MD4, "md4", HASH_SIZE_MD4 }, +}; + +/** + * See header. + */ +void af_alg_hasher_probe() +{ + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + ops = af_alg_ops_create("hash", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_hasher(lib->crypto, algs[i].id, af_alg_plugin_name, + (hasher_constructor_t)af_alg_hasher_create); + } + } +} + +/** + * Get the kernel algorithm string and hash size for our identifier + */ +static size_t lookup_alg(hash_algorithm_t algo, char **name) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo) + { + *name = algs[i].name; + return algs[i].size; + } + } + return 0; +} + +METHOD(hasher_t, get_hash_size, size_t, + private_af_alg_hasher_t *this) +{ + return this->size; +} + +METHOD(hasher_t, reset, void, + private_af_alg_hasher_t *this) +{ + this->ops->reset(this->ops); +} + +METHOD(hasher_t, get_hash, void, + private_af_alg_hasher_t *this, chunk_t chunk, u_int8_t *hash) +{ + this->ops->hash(this->ops, chunk, hash, this->size); +} + +METHOD(hasher_t, allocate_hash, void, + private_af_alg_hasher_t *this, chunk_t chunk, chunk_t *hash) +{ + if (hash) + { + *hash = chunk_alloc(get_hash_size(this)); + get_hash(this, chunk, hash->ptr); + } + else + { + get_hash(this, chunk, NULL); + } +} + +METHOD(hasher_t, destroy, void, + private_af_alg_hasher_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header + */ +af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo) +{ + private_af_alg_hasher_t *this; + char *name; + size_t size; + + size = lookup_alg(algo, &name); + if (!size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .hasher = { + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .get_hash_size = _get_hash_size, + .reset = _reset, + .destroy = _destroy, + }, + }, + .ops = af_alg_ops_create("hash", name), + .size = size, + ); + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h new file mode 100644 index 000000000..e0833e23a --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg_hasher af_alg_hasher + * @{ @ingroup af_alg + */ + +#ifndef af_alg_HASHER_H_ +#define af_alg_HASHER_H_ + +typedef struct af_alg_hasher_t af_alg_hasher_t; + +#include + +/** + * Implementation of hashers using AF_ALG. + */ +struct af_alg_hasher_t { + + /** + * Implements hasher_t interface. + */ + hasher_t hasher; +}; + +/** + * Constructor to create af_alg_hasher_t. + * + * @param algo algorithm + * @return af_alg_hasher_t, NULL if not supported + */ +af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo); + +/** + * Probe algorithms and register af_alg_hasher_create(). + */ +void af_alg_hasher_probe(); + +#endif /** af_alg_HASHER_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c new file mode 100644 index 000000000..7bf1d90db --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c @@ -0,0 +1,226 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_ops.h" + +#include +#include +#include + +#include + +const char *af_alg_plugin_name = "af-alg"; + +typedef struct private_af_alg_ops_t private_af_alg_ops_t; + +/** + * Private data of an af_alg_ops_t object. + */ +struct private_af_alg_ops_t { + + /** + * Public af_alg_ops_t interface. + */ + af_alg_ops_t public; + + /** + * Transform FD + */ + int tfm; + + /** + * Operation FD + */ + int op; +}; + +METHOD(af_alg_ops_t, reset, void, + private_af_alg_ops_t *this) +{ + if (this->op != -1) + { + close(this->op); + this->op = -1; + } +} + +METHOD(af_alg_ops_t, hash, void, + private_af_alg_ops_t *this, chunk_t data, char *out, size_t outlen) +{ + ssize_t len; + + while (this->op == -1) + { + this->op = accept(this->tfm, NULL, 0); + if (this->op == -1) + { + DBG1(DBG_LIB, "opening AF_ALG hasher failed: %s", strerror(errno)); + sleep(1); + } + } + do + { + len = send(this->op, data.ptr, data.len, out ? 0 : MSG_MORE); + if (len == -1) + { + DBG1(DBG_LIB, "writing to AF_ALG hasher failed: %s", strerror(errno)); + sleep(1); + } + else + { + data = chunk_skip(data, len); + } + } + while (data.len); + + if (out) + { + while (read(this->op, out, outlen) != outlen) + { + DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno)); + sleep(1); + } + reset(this); + } +} + +METHOD(af_alg_ops_t, crypt, void, + private_af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data, + char *out) +{ + struct msghdr msg = {}; + struct cmsghdr *cmsg; + struct af_alg_iv *ivm; + struct iovec iov; + char buf[CMSG_SPACE(sizeof(type)) + + CMSG_SPACE(offsetof(struct af_alg_iv, iv) + iv.len)]; + ssize_t len; + int op; + + while ((op = accept(this->tfm, NULL, 0)) == -1) + { + DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno)); + sleep(1); + } + + memset(buf, 0, sizeof(buf)); + + msg.msg_control = buf; + msg.msg_controllen = sizeof(buf); + + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_OP; + cmsg->cmsg_len = CMSG_LEN(sizeof(type)); + *(u_int32_t*)CMSG_DATA(cmsg) = type; + + cmsg = CMSG_NXTHDR(&msg, cmsg); + cmsg->cmsg_level = SOL_ALG; + cmsg->cmsg_type = ALG_SET_IV; + cmsg->cmsg_len = CMSG_LEN(offsetof(struct af_alg_iv, iv) + iv.len); + ivm = (void*)CMSG_DATA(cmsg); + ivm->ivlen = iv.len; + memcpy(ivm->iv, iv.ptr, iv.len); + + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + + while (data.len) + { + iov.iov_base = data.ptr; + iov.iov_len = data.len; + + len = sendmsg(op, &msg, 0); + if (len == -1) + { + DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s", + strerror(errno)); + sleep(1); + continue; + } + if (read(op, out, len) != len) + { + DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s", + strerror(errno)); + } + data = chunk_skip(data, len); + /* no IV for subsequent data chunks */ + msg.msg_controllen = 0; + } + close(op); +} + +METHOD(af_alg_ops_t, set_key, void, + private_af_alg_ops_t *this, chunk_t key) +{ + if (setsockopt(this->tfm, SOL_ALG, ALG_SET_KEY, key.ptr, key.len) == -1) + { + DBG1(DBG_LIB, "setting AF_ALG key failed: %s", strerror(errno)); + } +} + +METHOD(af_alg_ops_t, destroy, void, + private_af_alg_ops_t *this) +{ + close(this->tfm); + if (this->op != -1) + { + close(this->op); + } + free(this); +} + +/** + * See header + */ +af_alg_ops_t *af_alg_ops_create(char *type, char *alg) +{ + private_af_alg_ops_t *this; + struct sockaddr_alg sa = { + .salg_family = AF_ALG, + }; + + strncpy(sa.salg_type, type, sizeof(sa.salg_type)); + strncpy(sa.salg_name, alg, sizeof(sa.salg_name)); + + INIT(this, + .public = { + .hash = _hash, + .reset = _reset, + .crypt = _crypt, + .set_key = _set_key, + .destroy = _destroy, + }, + .tfm = socket(AF_ALG, SOCK_SEQPACKET, 0), + .op = -1, + ); + if (this->tfm == -1) + { + DBG1(DBG_LIB, "opening AF_ALG socket failed: %s", strerror(errno)); + free(this); + return NULL; + } + if (bind(this->tfm, (struct sockaddr*)&sa, sizeof(sa)) == -1) + { + if (errno != ENOENT) + { /* fail silently if algorithm not supported */ + DBG1(DBG_LIB, "binding AF_ALG socket for '%s' failed: %s", + sa.salg_name, strerror(errno)); + } + destroy(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h new file mode 100644 index 000000000..b7d642c00 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** +* @defgroup af_alg_ops af_alg_ops + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_OPS_H_ +#define AF_ALG_OPS_H_ + +#include + +#include + +#ifndef AF_ALG +#define AF_ALG 38 +#endif /* AF_ALG */ + +#ifndef SOL_ALG +#define SOL_ALG 279 +#endif /* SOL_ALG */ + +extern const char *af_alg_plugin_name; + +typedef struct af_alg_ops_t af_alg_ops_t; + +/** + * Helper to run AF_ALG operations. + */ +struct af_alg_ops_t { + + /** + * Hash a chunk of data. + * + * @param data data to hash + * @param out buffer to write hash to, NULL for append mode + * @param outlen number of bytes to read into out + */ + void (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen); + + /** + * Reset hasher state. + */ + void (*reset)(af_alg_ops_t *this); + + /** + * En-/Decrypt a chunk of data. + * + * @param type crypto operation (ALG_OP_DECRYPT/ALG_OP_ENCRYPT) + * @param iv iv to use + * @param data data to encrypt/decrypt + * @param out buffer write processed data to + */ + void (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data, + char *out); + + /** + * Set the key for en-/decryption or HMAC/XCBC operations. + * + * @param key key to set for transform + */ + void (*set_key)(af_alg_ops_t *this, chunk_t key); + + /** + * Destroy a af_alg_ops_t. + */ + void (*destroy)(af_alg_ops_t *this); +}; + +/** + * Create a af_alg_ops instance. + * + * @param type algorithm type (hash, skcipher) + * @param alg algorithm name + * @return TRUE if AF_ALG socket bound successfully + */ +af_alg_ops_t *af_alg_ops_create(char *type, char *alg); + +#endif /** AF_ALG_OPS_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c new file mode 100644 index 000000000..54e39f1a0 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_plugin.h" + +#include + +#include "af_alg_hasher.h" +#include "af_alg_signer.h" +#include "af_alg_prf.h" +#include "af_alg_crypter.h" + +typedef struct private_af_alg_plugin_t private_af_alg_plugin_t; + +/** + * private data of af_alg_plugin + */ +struct private_af_alg_plugin_t { + + /** + * public functions + */ + af_alg_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_af_alg_plugin_t *this) +{ + lib->crypto->remove_hasher(lib->crypto, + (hasher_constructor_t)af_alg_hasher_create); + lib->crypto->remove_signer(lib->crypto, + (signer_constructor_t)af_alg_signer_create); + lib->crypto->remove_prf(lib->crypto, + (prf_constructor_t)af_alg_prf_create); + lib->crypto->remove_crypter(lib->crypto, + (crypter_constructor_t)af_alg_crypter_create); + + free(this); +} + +/* + * see header file + */ +plugin_t *af_alg_plugin_create() +{ + private_af_alg_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); + + af_alg_hasher_probe(); + af_alg_signer_probe(); + af_alg_prf_probe(); + af_alg_crypter_probe(); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.h b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h new file mode 100644 index 000000000..18c069831 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg af_alg + * @ingroup plugins + * + * @defgroup af_alg_plugin af_alg_plugin + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_PLUGIN_H_ +#define AF_ALG_PLUGIN_H_ + +#include + +typedef struct af_alg_plugin_t af_alg_plugin_t; + +/** + * Plugin providing the AF_ALG interface to the Linux Crypto API. + */ +struct af_alg_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** AF_ALG_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c new file mode 100644 index 000000000..575906bae --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c @@ -0,0 +1,211 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_prf.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_prf_t private_af_alg_prf_t; + +/** + * Private data of a af_alg_prf_t object. + */ +struct private_af_alg_prf_t { + + /** + * Public af_alg_prf_t interface. + */ + af_alg_prf_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the PRF output + */ + size_t block_size; + + /** + * Default key size + */ + size_t key_size; + + /** + * Using an XCBC algorithm? + */ + bool xcbc; +}; + +/** + * Algorithm database + */ +static struct { + pseudo_random_function_t id; + char *name; + size_t block_size; + bool xcbc; +} algs[] = { + {PRF_HMAC_SHA1, "hmac(sha1)", 20, FALSE, }, + {PRF_HMAC_SHA2_256, "hmac(sha256)", 32, FALSE, }, + {PRF_HMAC_MD5, "hmac(md5)", 16, FALSE, }, + {PRF_HMAC_SHA2_384, "hmac(sha384)", 48, FALSE, }, + {PRF_HMAC_SHA2_512, "hmac(sha512)", 64, FALSE, }, + {PRF_AES128_XCBC, "xcbc(aes)", 16, TRUE, }, + {PRF_CAMELLIA128_XCBC, "xcbc(camellia)", 16, TRUE, }, +}; + +/** + * See header. + */ +void af_alg_prf_probe() +{ + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + ops = af_alg_ops_create("hash", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_prf(lib->crypto, algs[i].id, af_alg_plugin_name, + (prf_constructor_t)af_alg_prf_create); + } + } +} + +/** + * Get the kernel algorithm string and block size for our identifier + */ +static size_t lookup_alg(integrity_algorithm_t algo, char **name, bool *xcbc) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo) + { + *name = algs[i].name; + *xcbc = algs[i].xcbc; + return algs[i].block_size; + } + } + return 0; +} + +METHOD(prf_t, get_bytes, void, + private_af_alg_prf_t *this, chunk_t seed, u_int8_t *buffer) +{ + this->ops->hash(this->ops, seed, buffer, this->block_size); +} + +METHOD(prf_t, allocate_bytes, void, + private_af_alg_prf_t *this, chunk_t seed, chunk_t *chunk) +{ + if (chunk) + { + *chunk = chunk_alloc(this->block_size); + get_bytes(this, seed, chunk->ptr); + } + else + { + get_bytes(this, seed, NULL); + } +} + +METHOD(prf_t, get_block_size, size_t, + private_af_alg_prf_t *this) +{ + return this->block_size; +} + +METHOD(prf_t, get_key_size, size_t, + private_af_alg_prf_t *this) +{ + return this->block_size; +} + +METHOD(prf_t, set_key, void, + private_af_alg_prf_t *this, chunk_t key) +{ + char buf[this->block_size]; + + if (this->xcbc) + { + /* The kernel currently does not support variable length XCBC keys, + * do RFC4434 key padding/reduction manually. */ + if (key.len < this->block_size) + { + memset(buf, 0, this->block_size); + memcpy(buf, key.ptr, key.len); + key = chunk_from_thing(buf); + } + else if (key.len > this->block_size) + { + memset(buf, 0, this->block_size); + this->ops->set_key(this->ops, chunk_from_thing(buf)); + this->ops->hash(this->ops, key, buf, this->block_size); + key = chunk_from_thing(buf); + } + } + this->ops->set_key(this->ops, key); +} + +METHOD(prf_t, destroy, void, + private_af_alg_prf_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header. + */ +af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo) +{ + private_af_alg_prf_t *this; + size_t block_size; + bool xcbc; + char *name; + + block_size = lookup_alg(algo, &name, &xcbc); + if (!block_size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .prf = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_block_size = _get_block_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .ops = af_alg_ops_create("hash", name), + .block_size = block_size, + .xcbc = xcbc, + ); + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.h b/src/libstrongswan/plugins/af_alg/af_alg_prf.h new file mode 100644 index 000000000..a3dea5649 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg_prf af_alg_prf + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_PRF_H_ +#define AF_ALG_PRF_H_ + +typedef struct af_alg_prf_t af_alg_prf_t; + +#include + +/** + * Implementation of PRFs using AF_ALG. + */ +struct af_alg_prf_t { + + /** + * Implements prf_t interface. + */ + prf_t prf; +}; + +/** + * Creates a new af_alg_prf_t object. + * + * @param algo algorithm to implement + * @return af_alg_prf_t object, NULL if hash not supported + */ +af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo); + +/** + * Probe algorithms and register af_alg_prf_create(). + */ +void af_alg_prf_probe(); + +#endif /** AF_ALG_PRF_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c new file mode 100644 index 000000000..3d6f907bf --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c @@ -0,0 +1,206 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_signer.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_signer_t private_af_alg_signer_t; + +/** + * Private data structure with signing context. + */ +struct private_af_alg_signer_t { + + /** + * Public interface of af_alg_signer_t. + */ + af_alg_signer_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the truncated signature + */ + size_t block_size; + + /** + * Default key size + */ + size_t key_size; +}; + +/** + * Algorithm database + */ +static struct { + integrity_algorithm_t id; + char *name; + size_t block_size; + size_t key_size; +} algs[] = { + {AUTH_HMAC_SHA1_96, "hmac(sha1)", 12, 20, }, + {AUTH_HMAC_SHA1_128, "hmac(sha1)", 16, 20, }, + {AUTH_HMAC_SHA1_160, "hmac(sha1)", 20, 20, }, + {AUTH_HMAC_SHA2_256_96, "hmac(sha256)", 12, 32, }, + {AUTH_HMAC_SHA2_256_128, "hmac(sha256)", 16, 32, }, + {AUTH_HMAC_MD5_96, "hmac(md5)", 12, 16, }, + {AUTH_HMAC_MD5_128, "hmac(md5)", 16, 16, }, + {AUTH_HMAC_SHA2_256_256, "hmac(sha384)", 32, 32, }, + {AUTH_HMAC_SHA2_384_192, "hmac(sha384)", 24, 48, }, + {AUTH_HMAC_SHA2_384_384, "hmac(sha384)", 48, 48, }, + {AUTH_HMAC_SHA2_512_256, "hmac(sha512)", 32, 64, }, + {AUTH_AES_XCBC_96, "xcbc(aes)", 12, 16, }, + {AUTH_CAMELLIA_XCBC_96, "xcbc(camellia)", 12, 16, }, +}; + +/** + * See header. + */ +void af_alg_signer_probe() +{ + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + ops = af_alg_ops_create("hash", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_signer(lib->crypto, algs[i].id, af_alg_plugin_name, + (signer_constructor_t)af_alg_signer_create); + } + } +} + +/** + * Get the kernel algorithm string and block/key size for our identifier + */ +static size_t lookup_alg(integrity_algorithm_t algo, char **name, + size_t *key_size) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo) + { + *name = algs[i].name; + *key_size = algs[i].key_size; + return algs[i].block_size; + } + } + return 0; +} + +METHOD(signer_t, get_signature, void, + private_af_alg_signer_t *this, chunk_t data, u_int8_t *buffer) +{ + this->ops->hash(this->ops, data, buffer, this->block_size); +} + +METHOD(signer_t, allocate_signature, void, + private_af_alg_signer_t *this, chunk_t data, chunk_t *chunk) +{ + if (chunk) + { + *chunk = chunk_alloc(this->block_size); + get_signature(this, data, chunk->ptr); + } + else + { + get_signature(this, data, NULL); + } +} + +METHOD(signer_t, verify_signature, bool, + private_af_alg_signer_t *this, chunk_t data, chunk_t signature) +{ + char sig[this->block_size]; + + if (signature.len != this->block_size) + { + return FALSE; + } + get_signature(this, data, sig); + return memeq(signature.ptr, sig, signature.len); +} + +METHOD(signer_t, get_key_size, size_t, + private_af_alg_signer_t *this) +{ + return this->key_size; +} + +METHOD(signer_t, get_block_size, size_t, + private_af_alg_signer_t *this) +{ + return this->block_size; +} + +METHOD(signer_t, set_key, void, + private_af_alg_signer_t *this, chunk_t key) +{ + this->ops->set_key(this->ops, key); +} + +METHOD(signer_t, destroy, void, + private_af_alg_signer_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header + */ +af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo) +{ + private_af_alg_signer_t *this; + size_t block_size, key_size; + char *name; + + block_size = lookup_alg(algo, &name, &key_size); + if (!block_size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .signer = { + .get_signature = _get_signature, + .allocate_signature = _allocate_signature, + .verify_signature = _verify_signature, + .get_key_size = _get_key_size, + .get_block_size = _get_block_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .ops = af_alg_ops_create("hash", name), + .block_size = block_size, + .key_size = key_size, + ); + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h new file mode 100644 index 000000000..b1d90707f --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg_signer af_alg_signer + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_SIGNER_H_ +#define AF_ALG_SIGNER_H_ + +typedef struct af_alg_signer_t af_alg_signer_t; + +#include + +/** + * Implementation of signers using AF_ALG. + */ +struct af_alg_signer_t { + + /** + * Implements signer_t interface. + */ + signer_t signer; +}; + +/** + * Creates a new af_alg_signer_t. + * + * @param algo algorithm to implement + * @return af_alg_signer_t, NULL if not supported + */ +af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo); + +/** + * Probe algorithms and register af_alg_signer_create(). + */ +void af_alg_signer_probe(); + +#endif /** AF_ALG_SIGNER_H_ @}*/ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 9f65f4ffb..1a3533f03 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index d310843ac..251722f60 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c index 6ab093d7b..5232eca28 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c @@ -19,6 +19,8 @@ #include #include "blowfish_crypter.h" +static const char *plugin_name = "blowfish"; + typedef struct private_blowfish_plugin_t private_blowfish_plugin_t; /** @@ -55,7 +57,7 @@ plugin_t *blowfish_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)blowfish_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 017d75c48..371e5b2f4 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c index 5fc3b14d7..a4c89b548 100644 --- a/src/libstrongswan/plugins/ccm/ccm_plugin.c +++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c @@ -19,6 +19,8 @@ #include "ccm_aead.h" +static const char *plugin_name = "ccm"; + typedef struct private_ccm_plugin_t private_ccm_plugin_t; /** @@ -47,23 +49,34 @@ METHOD(plugin_t, destroy, void, plugin_t *ccm_plugin_create() { private_ccm_plugin_t *this; + crypter_t *crypter; INIT(this, .public.plugin.destroy = _destroy, ); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, - (aead_constructor_t)ccm_aead_create); + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, plugin_name, + (aead_constructor_t)ccm_aead_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 0); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name, + (aead_constructor_t)ccm_aead_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am new file mode 100644 index 000000000..d80d39a2d --- /dev/null +++ b/src/libstrongswan/plugins/constraints/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-constraints.la +else +plugin_LTLIBRARIES = libstrongswan-constraints.la +endif + +libstrongswan_constraints_la_SOURCES = \ + constraints_plugin.h constraints_plugin.c \ + constraints_validator.h constraints_validator.c + +libstrongswan_constraints_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in new file mode 100644 index 000000000..382bfef98 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -0,0 +1,604 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/constraints +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_constraints_la_LIBADD = +am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \ + constraints_validator.lo +libstrongswan_constraints_la_OBJECTS = \ + $(am_libstrongswan_constraints_la_OBJECTS) +libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_constraints_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_constraints_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_constraints_la_SOURCES) +DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la +libstrongswan_constraints_la_SOURCES = \ + constraints_plugin.h constraints_plugin.c \ + constraints_validator.h constraints_validator.c + +libstrongswan_constraints_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) + $(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c new file mode 100644 index 000000000..1c3f0c835 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "constraints_plugin.h" + +#include +#include "constraints_validator.h" + +typedef struct private_constraints_plugin_t private_constraints_plugin_t; + +/** + * private data of constraints_plugin + */ +struct private_constraints_plugin_t { + + /** + * public functions + */ + constraints_plugin_t public; + + /** + * Validator implementation instance. + */ + constraints_validator_t *validator; +}; + +METHOD(plugin_t, destroy, void, + private_constraints_plugin_t *this) +{ + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + this->validator->destroy(this->validator); + free(this); +} + +/* + * see header file + */ +plugin_t *constraints_plugin_create() +{ + private_constraints_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .validator = constraints_validator_create(), + ); + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.h b/src/libstrongswan/plugins/constraints/constraints_plugin.h new file mode 100644 index 000000000..7042a4d92 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/constraints_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup constraints constraints + * @ingroup plugins + * + * @defgroup constraints_plugin constraints_plugin + * @{ @ingroup constraints + */ + +#ifndef CONSTRAINTS_PLUGIN_H_ +#define CONSTRAINTS_PLUGIN_H_ + +#include + +typedef struct constraints_plugin_t constraints_plugin_t; + +/** + * Advanced X509 constraint checking. + */ +struct constraints_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** CONSTRAINTS_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c new file mode 100644 index 000000000..b54d813df --- /dev/null +++ b/src/libstrongswan/plugins/constraints/constraints_validator.c @@ -0,0 +1,578 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "constraints_validator.h" + +#include +#include +#include +#include + +typedef struct private_constraints_validator_t private_constraints_validator_t; + +/** + * Private data of an constraints_validator_t object. + */ +struct private_constraints_validator_t { + + /** + * Public constraints_validator_t interface. + */ + constraints_validator_t public; +}; + +/** + * Check pathlen constraint of issuer certificate + */ +static bool check_pathlen(x509_t *issuer, int pathlen) +{ + u_int pathlen_constraint; + + pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN); + if (pathlen_constraint != X509_NO_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + return TRUE; +} + +/** + * Check if a FQDN/RFC822 constraint matches (suffix match) + */ +static bool suffix_matches(identification_t *constraint, identification_t *id) +{ + chunk_t c, i; + + c = constraint->get_encoding(constraint); + i = id->get_encoding(id); + + return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len)); +} + +/** + * Check if a DN constraint matches (RDN prefix match) + */ +static bool dn_matches(identification_t *constraint, identification_t *id) +{ + enumerator_t *ec, *ei; + id_part_t pc, pi; + chunk_t cc, ci; + bool match = TRUE; + + ec = constraint->create_part_enumerator(constraint); + ei = id->create_part_enumerator(id); + while (ec->enumerate(ec, &pc, &cc)) + { + if (!ei->enumerate(ei, &pi, &ci) || + pi != pc || !chunk_equals(cc, ci)) + { + match = FALSE; + break; + } + } + ec->destroy(ec); + ei->destroy(ei); + + return match; +} + +/** + * Check if a certificate matches to a NameConstraint + */ +static bool name_constraint_matches(identification_t *constraint, + certificate_t *cert, bool permitted) +{ + x509_t *x509 = (x509_t*)cert; + enumerator_t *enumerator; + identification_t *id; + id_type_t type; + bool matches = permitted; + + type = constraint->get_type(constraint); + if (type == ID_DER_ASN1_DN) + { + matches = dn_matches(constraint, cert->get_subject(cert)); + if (matches != permitted) + { + return matches; + } + } + + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (id->get_type(id) == type) + { + switch (type) + { + case ID_FQDN: + case ID_RFC822_ADDR: + matches = suffix_matches(constraint, id); + break; + case ID_DER_ASN1_DN: + matches = dn_matches(constraint, id); + break; + default: + DBG1(DBG_CFG, "%N NameConstraint matching not implemented", + id_type_names, type); + matches = FALSE; + break; + } + } + if (matches != permitted) + { + break; + } + } + enumerator->destroy(enumerator); + + return matches; +} + +/** + * Check if a permitted or excluded NameConstraint has been inherited to sub-CA + */ +static bool name_constraint_inherited(identification_t *constraint, + x509_t *x509, bool permitted) +{ + enumerator_t *enumerator; + identification_t *id; + bool inherited = FALSE; + id_type_t type; + + if (!(x509->get_flags(x509) & X509_CA)) + { /* not a sub-CA, not required */ + return TRUE; + } + + type = constraint->get_type(constraint); + enumerator = x509->create_name_constraint_enumerator(x509, permitted); + while (enumerator->enumerate(enumerator, &id)) + { + if (id->get_type(id) == type) + { + switch (type) + { + case ID_FQDN: + case ID_RFC822_ADDR: + if (permitted) + { /* permitted constraint can be narrowed */ + inherited = suffix_matches(constraint, id); + } + else + { /* excluded constraint can be widened */ + inherited = suffix_matches(id, constraint); + } + break; + case ID_DER_ASN1_DN: + if (permitted) + { + inherited = dn_matches(constraint, id); + } + else + { + inherited = dn_matches(id, constraint); + } + break; + default: + DBG1(DBG_CFG, "%N NameConstraint matching not implemented", + id_type_names, type); + inherited = FALSE; + break; + } + } + if (inherited) + { + break; + } + } + enumerator->destroy(enumerator); + return inherited; +} + +/** + * Check name constraints + */ +static bool check_name_constraints(certificate_t *subject, x509_t *issuer) +{ + enumerator_t *enumerator; + identification_t *constraint; + + enumerator = issuer->create_name_constraint_enumerator(issuer, TRUE); + while (enumerator->enumerate(enumerator, &constraint)) + { + if (!name_constraint_matches(constraint, subject, TRUE)) + { + DBG1(DBG_CFG, "certificate '%Y' does not match permitted name " + "constraint '%Y'", subject->get_subject(subject), constraint); + enumerator->destroy(enumerator); + return FALSE; + } + if (!name_constraint_inherited(constraint, (x509_t*)subject, TRUE)) + { + DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit permitted name " + "constraint '%Y'", subject->get_subject(subject), constraint); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + + enumerator = issuer->create_name_constraint_enumerator(issuer, FALSE); + while (enumerator->enumerate(enumerator, &constraint)) + { + if (name_constraint_matches(constraint, subject, FALSE)) + { + DBG1(DBG_CFG, "certificate '%Y' matches excluded name " + "constraint '%Y'", subject->get_subject(subject), constraint); + enumerator->destroy(enumerator); + return FALSE; + } + if (!name_constraint_inherited(constraint, (x509_t*)subject, FALSE)) + { + DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit excluded name " + "constraint '%Y'", subject->get_subject(subject), constraint); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * Special OID for anyPolicy + */ +static chunk_t any_policy = chunk_from_chars(0x55,0x1d,0x20,0x00); + +/** + * Check if an issuer certificate has a given policy OID + */ +static bool has_policy(x509_t *issuer, chunk_t oid) +{ + x509_policy_mapping_t *mapping; + x509_cert_policy_t *policy; + enumerator_t *enumerator; + + enumerator = issuer->create_cert_policy_enumerator(issuer); + while (enumerator->enumerate(enumerator, &policy)) + { + if (chunk_equals(oid, policy->oid) || + chunk_equals(any_policy, policy->oid)) + { + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + + /* fall back to a mapped policy */ + enumerator = issuer->create_policy_mapping_enumerator(issuer); + while (enumerator->enumerate(enumerator, &mapping)) + { + if (chunk_equals(mapping->subject, oid)) + { + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + return FALSE; +} + +/** + * Check certificatePolicies. + */ +static bool check_policy(x509_t *subject, x509_t *issuer, bool check, + auth_cfg_t *auth) +{ + certificate_t *cert = (certificate_t*)subject; + x509_policy_mapping_t *mapping; + x509_cert_policy_t *policy; + enumerator_t *enumerator; + char *oid; + + /* verify if policyMappings in subject are valid */ + enumerator = subject->create_policy_mapping_enumerator(subject); + while (enumerator->enumerate(enumerator, &mapping)) + { + if (!has_policy(issuer, mapping->issuer)) + { + oid = asn1_oid_to_string(mapping->issuer); + DBG1(DBG_CFG, "certificate '%Y' maps policy from %s, but issuer " + "misses it", cert->get_subject(cert), oid); + free(oid); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + + if (check) + { + enumerator = subject->create_cert_policy_enumerator(subject); + while (enumerator->enumerate(enumerator, &policy)) + { + if (!has_policy(issuer, policy->oid)) + { + oid = asn1_oid_to_string(policy->oid); + DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'", + oid, cert->get_issuer(cert)); + free(oid); + enumerator->destroy(enumerator); + return FALSE; + } + if (auth) + { + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + auth->add(auth, AUTH_RULE_CERT_POLICY, oid); + } + } + } + enumerator->destroy(enumerator); + } + + return TRUE; +} + +/** + * Check len certificates in trustchain for inherited policies + */ +static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len) +{ + enumerator_t *enumerator; + x509_t *issuer; + bool valid = TRUE; + + enumerator = chain->create_enumerator(chain); + while (len-- > 0 && enumerator->enumerate(enumerator, &issuer)) + { + if (!check_policy(subject, issuer, TRUE, NULL)) + { + valid = FALSE; + break; + } + subject = issuer; + } + enumerator->destroy(enumerator); + return valid; +} + +/** + * Check len certificates in trustchain to have no policyMappings + */ +static bool has_no_policy_mapping(linked_list_t *chain, int len) +{ + enumerator_t *enumerator, *mappings; + x509_policy_mapping_t *mapping; + certificate_t *cert; + x509_t *x509; + bool valid = TRUE; + + enumerator = chain->create_enumerator(chain); + while (len-- > 0 && enumerator->enumerate(enumerator, &x509)) + { + mappings = x509->create_policy_mapping_enumerator(x509); + valid = !mappings->enumerate(mappings, &mapping); + mappings->destroy(mappings); + if (!valid) + { + cert = (certificate_t*)x509; + DBG1(DBG_CFG, "found policyMapping in certificate '%Y', but " + "inhibitPolicyMapping in effect", cert->get_subject(cert)); + break; + } + } + enumerator->destroy(enumerator); + return valid; +} + +/** + * Check len certificates in trustchain to have no anyPolicies + */ +static bool has_no_any_policy(linked_list_t *chain, int len) +{ + enumerator_t *enumerator, *policies; + x509_cert_policy_t *policy; + certificate_t *cert; + x509_t *x509; + bool valid = TRUE; + + enumerator = chain->create_enumerator(chain); + while (len-- > 0 && enumerator->enumerate(enumerator, &x509)) + { + policies = x509->create_cert_policy_enumerator(x509); + while (policies->enumerate(policies, &policy)) + { + if (chunk_equals(policy->oid, any_policy)) + { + cert = (certificate_t*)x509; + DBG1(DBG_CFG, "found anyPolicy in certificate '%Y', but " + "inhibitAnyPolicy in effect", cert->get_subject(cert)); + valid = FALSE; + break; + } + } + policies->destroy(policies); + } + enumerator->destroy(enumerator); + return valid; +} + +/** + * Check requireExplicitPolicy and inhibitPolicyMapping constraints + */ +static bool check_policy_constraints(x509_t *issuer, u_int pathlen, + auth_cfg_t *auth) +{ + certificate_t *subject; + bool valid = TRUE; + + subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (subject) + { + if (subject->get_type(subject) == CERT_X509) + { + enumerator_t *enumerator; + linked_list_t *chain; + certificate_t *cert; + auth_rule_t rule; + x509_t *x509; + int len = 0; + u_int expl, inh; + + /* prepare trustchain to validate */ + chain = linked_list_create(); + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &rule, &cert)) + { + if (rule == AUTH_RULE_IM_CERT && + cert->get_type(cert) == CERT_X509) + { + chain->insert_last(chain, cert); + } + } + enumerator->destroy(enumerator); + chain->insert_last(chain, issuer); + + /* search for requireExplicitPolicy constraints */ + enumerator = chain->create_enumerator(chain); + while (enumerator->enumerate(enumerator, &x509)) + { + expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + if (expl != X509_NO_CONSTRAINT) + { + if (!has_policy_chain(chain, (x509_t*)subject, len - expl)) + { + valid = FALSE; + break; + } + } + len++; + } + enumerator->destroy(enumerator); + + /* search for inhibitPolicyMapping/inhibitAnyPolicy constraints */ + len = 0; + chain->insert_first(chain, subject); + enumerator = chain->create_enumerator(chain); + while (enumerator->enumerate(enumerator, &x509)) + { + inh = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + if (inh != X509_NO_CONSTRAINT) + { + if (!has_no_policy_mapping(chain, len - inh)) + { + valid = FALSE; + break; + } + } + inh = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + if (inh != X509_NO_CONSTRAINT) + { + if (!has_no_any_policy(chain, len - inh)) + { + valid = FALSE; + break; + } + } + len++; + } + enumerator->destroy(enumerator); + + chain->destroy(chain); + } + } + return valid; +} + +METHOD(cert_validator_t, validate, bool, + private_constraints_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, u_int pathlen, bool anchor, + auth_cfg_t *auth) +{ + if (issuer->get_type(issuer) == CERT_X509 && + subject->get_type(subject) == CERT_X509) + { + if (!check_pathlen((x509_t*)issuer, pathlen)) + { + return FALSE; + } + if (!check_name_constraints(subject, (x509_t*)issuer)) + { + return FALSE; + } + if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth)) + { + return FALSE; + } + if (anchor) + { + if (!check_policy_constraints((x509_t*)issuer, pathlen, auth)) + { + return FALSE; + } + } + } + return TRUE; +} + +METHOD(constraints_validator_t, destroy, void, + private_constraints_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +constraints_validator_t *constraints_validator_create() +{ + private_constraints_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.h b/src/libstrongswan/plugins/constraints/constraints_validator.h new file mode 100644 index 000000000..44582d6c8 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/constraints_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup constraints_validator constraints_validator + * @{ @ingroup constraints + */ + +#ifndef CONSTRAINTS_VALIDATOR_H_ +#define CONSTRAINTS_VALIDATOR_H_ + +#include + +typedef struct constraints_validator_t constraints_validator_t; + +/** + * Certificate validator doing advanced X509 constraint checking. + */ +struct constraints_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a constraints_validator_t. + */ + void (*destroy)(constraints_validator_t *this); +}; + +/** + * Create a constraints_validator instance. + */ +constraints_validator_t *constraints_validator_create(); + +#endif /** CONSTRAINTS_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index b51f57113..2f6be07e2 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c index 5e47f23ec..9f1bf957f 100644 --- a/src/libstrongswan/plugins/ctr/ctr_plugin.c +++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c @@ -19,6 +19,8 @@ #include "ctr_ipsec_crypter.h" +static const char *plugin_name = "ctr"; + typedef struct private_ctr_plugin_t private_ctr_plugin_t; /** @@ -47,6 +49,7 @@ METHOD(plugin_t, destroy, void, plugin_t *ctr_plugin_create() { private_ctr_plugin_t *this; + crypter_t *crypter; INIT(this, .public = { @@ -56,10 +59,19 @@ plugin_t *ctr_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, - (crypter_constructor_t)ctr_ipsec_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, - (crypter_constructor_t)ctr_ipsec_crypter_create); - + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name, + (crypter_constructor_t)ctr_ipsec_crypter_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name, + (crypter_constructor_t)ctr_ipsec_crypter_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 9cc99063c..e61c73041 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 4835f6461..82e24e810 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -104,6 +104,7 @@ METHOD(fetcher_t, fetch, status_t, METHOD(fetcher_t, set_option, bool, private_curl_fetcher_t *this, fetcher_option_t option, ...) { + bool supported = TRUE; va_list args; va_start(args, option); @@ -115,7 +116,7 @@ METHOD(fetcher_t, set_option, bool, curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr); curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len); - return TRUE; + break; } case FETCH_REQUEST_TYPE: { @@ -124,30 +125,33 @@ METHOD(fetcher_t, set_option, bool, snprintf(header, BUF_LEN, "Content-Type: %s", request_type); this->headers = curl_slist_append(this->headers, header); - return TRUE; + break; } case FETCH_REQUEST_HEADER: { char *header = va_arg(args, char*); this->headers = curl_slist_append(this->headers, header); - return TRUE; + break; } case FETCH_HTTP_VERSION_1_0: { curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); - return TRUE; + break; } case FETCH_TIMEOUT: { curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, va_arg(args, u_int)); - return TRUE; + break; } default: - return FALSE; + supported = FALSE; + break; } + va_end(args); + return supported; } METHOD(fetcher_t, destroy, void, diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c index e00fcfc03..387da03aa 100644 --- a/src/libstrongswan/plugins/curl/curl_plugin.c +++ b/src/libstrongswan/plugins/curl/curl_plugin.c @@ -34,10 +34,8 @@ struct private_curl_plugin_t { curl_plugin_t public; }; -/** - * Implementation of curl_plugin_t.curltroy - */ -static void destroy(private_curl_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_curl_plugin_t *this) { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)curl_fetcher_create); @@ -51,9 +49,15 @@ static void destroy(private_curl_plugin_t *this) plugin_t *curl_plugin_create() { CURLcode res; - private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t); + private_curl_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); res = curl_global_init(CURL_GLOBAL_NOTHING); if (res == CURLE_OK) diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 0e8fa7315..e45988ca9 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c index 43b457ce2..d420d789e 100644 --- a/src/libstrongswan/plugins/des/des_plugin.c +++ b/src/libstrongswan/plugins/des/des_plugin.c @@ -18,6 +18,8 @@ #include #include "des_crypter.h" +static const char *plugin_name = "des"; + typedef struct private_des_plugin_t private_des_plugin_t; /** @@ -54,11 +56,11 @@ plugin_t *des_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)des_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES, + lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)des_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, (crypter_constructor_t)des_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 7f4529211..d1dce4679 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c index bc0ee30ae..d11b149df 100644 --- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c +++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c @@ -31,10 +31,8 @@ struct private_dnskey_plugin_t { dnskey_plugin_t public; }; -/** - * Implementation of dnskey_plugin_t.dnskeytroy - */ -static void destroy(private_dnskey_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_dnskey_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)dnskey_public_key_load); @@ -46,10 +44,15 @@ static void destroy(private_dnskey_plugin_t *this) */ plugin_t *dnskey_plugin_create() { - private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_dnskey_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)dnskey_public_key_load); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 7e2a1ccdf..ab1ed6d00 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c index ad03fa585..ee71f6efd 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c @@ -106,7 +106,8 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[]) * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78, * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16 */ -static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) +METHOD(prf_t, get_bytes, void, + private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) { int i; u_int8_t xval[this->b]; @@ -139,34 +140,26 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) /* 3.3 done already, mod q not used */ } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_block_size(private_fips_prf_t *this) +METHOD(prf_t, get_block_size, size_t, + private_fips_prf_t *this) { return 2 * this->b; } -/** - * Implementation of prf_t.allocate_bytes. - */ -static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) +METHOD(prf_t, allocate_bytes, void, + private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) { *chunk = chunk_alloc(get_block_size(this)); get_bytes(this, seed, chunk->ptr); } -/** - * Implementation of prf_t.get_key_size. - */ -static size_t get_key_size(private_fips_prf_t *this) +METHOD(prf_t, get_key_size, size_t, + private_fips_prf_t *this) { return this->b; } -/** - * Implementation of prf_t.set_key. - */ -static void set_key(private_fips_prf_t *this, chunk_t key) +METHOD(prf_t, set_key, void, + private_fips_prf_t *this, chunk_t key) { /* save key as "key mod 2^b" */ chunk_mod(this->b, key, this->key); @@ -198,10 +191,8 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[]) this->keyed_prf->get_bytes(this->keyed_prf, c, res); } -/** - * Implementation of prf_t.destroy. - */ -static void destroy(private_fips_prf_t *this) +METHOD(prf_t, destroy, void, + private_fips_prf_t *this) { this->keyed_prf->destroy(this->keyed_prf); free(this->key); @@ -213,14 +204,20 @@ static void destroy(private_fips_prf_t *this) */ fips_prf_t *fips_prf_create(pseudo_random_function_t algo) { - private_fips_prf_t *this = malloc_thing(private_fips_prf_t); - - this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes; - this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes; - this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size; - this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size; - this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key; - this->public.prf_interface.destroy = (void (*) (prf_t *))destroy; + private_fips_prf_t *this; + + INIT(this, + .public = { + .prf_interface = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_block_size = _get_block_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + ); switch (algo) { diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c index f41265637..3cce6ad91 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c @@ -18,6 +18,8 @@ #include #include "fips_prf.h" +static const char *plugin_name = "fips-prf"; + typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t; /** @@ -31,10 +33,8 @@ struct private_fips_prf_plugin_t { fips_prf_plugin_t public; }; -/** - * Implementation of fips_prf_plugin_t.destroy - */ -static void destroy(private_fips_prf_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_fips_prf_plugin_t *this) { lib->crypto->remove_prf(lib->crypto, (prf_constructor_t)fips_prf_create); @@ -46,12 +46,24 @@ static void destroy(private_fips_prf_plugin_t *this) */ plugin_t *fips_prf_plugin_create() { - private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t); + private_fips_prf_plugin_t *this; + prf_t *prf; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, - (prf_constructor_t)fips_prf_create); + prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1); + if (prf) + { + prf->destroy(prf); + lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name, + (prf_constructor_t)fips_prf_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index a4de9ea77..9e0b49776 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c index 061001b30..a438fb073 100644 --- a/src/libstrongswan/plugins/gcm/gcm_plugin.c +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c @@ -19,6 +19,8 @@ #include "gcm_aead.h" +static const char *plugin_name = "gcm"; + typedef struct private_gcm_plugin_t private_gcm_plugin_t; /** @@ -47,17 +49,23 @@ METHOD(plugin_t, destroy, void, plugin_t *gcm_plugin_create() { private_gcm_plugin_t *this; + crypter_t *crypter; INIT(this, .public.plugin.destroy = _destroy, ); - lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, - (aead_constructor_t)gcm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, - (aead_constructor_t)gcm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, - (aead_constructor_t)gcm_aead_create); + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, plugin_name, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, plugin_name, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name, + (aead_constructor_t)gcm_aead_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 00c49c487..1bcada7dc 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 590add5c8..a53fed448 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -29,6 +29,8 @@ #include #include +static const char *plugin_name = "gcrypt"; + typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t; /** @@ -148,79 +150,79 @@ plugin_t *gcrypt_plugin_create() ); /* hashers */ - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); /* crypters */ - lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES, + lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); #ifdef HAVE_GCRY_CIPHER_CAMELLIA - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); #endif /* HAVE_GCRY_CIPHER_CAMELLIA */ - lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); /* random numbers */ - lib->crypto->add_rng(lib->crypto, RNG_WEAK, + lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name, (rng_constructor_t)gcrypt_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)gcrypt_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)gcrypt_rng_create); /* diffie hellman groups, using modp */ - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, (dh_constructor_t)gcrypt_dh_create_custom); /* RSA */ diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index b4ec1ed8d..f73bfb406 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index 9b4fad3da..e9bfbcc28 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -20,6 +20,8 @@ #include "gmp_rsa_private_key.h" #include "gmp_rsa_public_key.h" +static const char *plugin_name = "gmp"; + typedef struct private_gmp_plugin_t private_gmp_plugin_t; /** @@ -64,30 +66,30 @@ plugin_t *gmp_plugin_create() }, ); - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create_custom); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index 42a7d3747..72cc23b72 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c index 73df4dc6c..76d6157ae 100644 --- a/src/libstrongswan/plugins/hmac/hmac_plugin.c +++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c @@ -19,6 +19,8 @@ #include "hmac_signer.h" #include "hmac_prf.h" +static const char *plugin_name = "hmac"; + typedef struct private_hmac_plugin_t private_hmac_plugin_t; /** @@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void, plugin_t *hmac_plugin_create() { private_hmac_plugin_t *this; + hasher_t *hasher; INIT(this, .public = { @@ -57,37 +60,62 @@ plugin_t *hmac_plugin_create() }, ); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, - (prf_constructor_t)hmac_prf_create); + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, plugin_name, + (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, - (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA384); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name, + (signer_constructor_t)hmac_signer_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 65a135e76..7235784e2 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c index 59e655cd5..e6c592217 100644 --- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c +++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c @@ -100,8 +100,8 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response) } -static status_t fetch(private_ldap_fetcher_t *this, char *url, - chunk_t *result, va_list args) +METHOD(fetcher_t, fetch, status_t, + private_ldap_fetcher_t *this, char *url, chunk_t *result) { LDAP *ldap; LDAPURLDesc *lurl; @@ -166,10 +166,8 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url, } -/** - * Implementation of fetcher_t.set_option. - */ -static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...) +METHOD(fetcher_t, set_option, bool, + private_ldap_fetcher_t *this, fetcher_option_t option, ...) { va_list args; @@ -186,10 +184,8 @@ static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, .. } } -/** - * Implements ldap_fetcher_t.destroy - */ -static void destroy(private_ldap_fetcher_t *this) +METHOD(fetcher_t, destroy, void, + private_ldap_fetcher_t *this) { free(this); } @@ -199,13 +195,18 @@ static void destroy(private_ldap_fetcher_t *this) */ ldap_fetcher_t *ldap_fetcher_create() { - private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t); - - this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch; - this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option; - this->public.interface.destroy = (void (*)(fetcher_t*))destroy; - - this->timeout = DEFAULT_TIMEOUT; + private_ldap_fetcher_t *this; + + INIT(this, + .public = { + .interface = { + .fetch = _fetch, + .set_option = _set_option, + .destroy = _destroy, + }, + }, + .timeout = DEFAULT_TIMEOUT, + ); return &this->public; } diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c index 372ac9f93..3682ddd1f 100644 --- a/src/libstrongswan/plugins/ldap/ldap_plugin.c +++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c @@ -31,10 +31,8 @@ struct private_ldap_plugin_t { ldap_plugin_t public; }; -/** - * Implementation of ldap_plugin_t.destroy - */ -static void destroy(private_ldap_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_ldap_plugin_t *this) { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create); @@ -46,9 +44,15 @@ static void destroy(private_ldap_plugin_t *this) */ plugin_t *ldap_plugin_create() { - private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t); + private_ldap_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->fetcher->add_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create, "ldap://"); diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index a78dad97c..ea1a7a69a 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c index 38ae0d4bc..cea1a61f3 100644 --- a/src/libstrongswan/plugins/md4/md4_plugin.c +++ b/src/libstrongswan/plugins/md4/md4_plugin.c @@ -18,6 +18,8 @@ #include #include "md4_hasher.h" +static const char *plugin_name = "md4"; + typedef struct private_md4_plugin_t private_md4_plugin_t; /** @@ -31,10 +33,8 @@ struct private_md4_plugin_t { md4_plugin_t public; }; -/** - * Implementation of md4_plugin_t.destroy - */ -static void destroy(private_md4_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_md4_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md4_hasher_create); @@ -46,11 +46,17 @@ static void destroy(private_md4_plugin_t *this) */ plugin_t *md4_plugin_create() { - private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t); + private_md4_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)md4_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 6de400e8e..05f101564 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c index cfbf6acea..d11173817 100644 --- a/src/libstrongswan/plugins/md5/md5_plugin.c +++ b/src/libstrongswan/plugins/md5/md5_plugin.c @@ -18,6 +18,8 @@ #include #include "md5_hasher.h" +static const char *plugin_name = "md5"; + typedef struct private_md5_plugin_t private_md5_plugin_t; /** @@ -31,10 +33,8 @@ struct private_md5_plugin_t { md5_plugin_t public; }; -/** - * Implementation of md5_plugin_t.destroy - */ -static void destroy(private_md5_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_md5_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md5_hasher_create); @@ -46,11 +46,17 @@ static void destroy(private_md5_plugin_t *this) */ plugin_t *md5_plugin_create() { - private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t); + private_md5_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)md5_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 7d4d42c14..4880415b3 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index 8005b9149..5fbfa0f28 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -474,10 +474,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...) return TRUE; } -/** - * Implementation of database_t.query. - */ -static enumerator_t* query(private_mysql_database_t *this, char *sql, ...) +METHOD(database_t, query, enumerator_t*, + private_mysql_database_t *this, char *sql, ...) { MYSQL_STMT *stmt; va_list args; @@ -563,10 +561,8 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...) return (enumerator_t*)enumerator; } -/** - * Implementation of database_t.execute. - */ -static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...) +METHOD(database_t, execute, int, + private_mysql_database_t *this, int *rowid, char *sql, ...) { MYSQL_STMT *stmt; va_list args; @@ -594,18 +590,14 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...) return affected; } -/** - * Implementation of database_t.get_driver - */ -static db_driver_t get_driver(private_mysql_database_t *this) +METHOD(database_t, get_driver,db_driver_t, + private_mysql_database_t *this) { return DB_MYSQL; } -/** - * Implementation of database_t.destroy - */ -static void destroy(private_mysql_database_t *this) +METHOD(database_t, destroy, void, + private_mysql_database_t *this) { this->pool->destroy_function(this->pool, (void*)conn_destroy); this->mutex->destroy(this->mutex); @@ -677,12 +669,16 @@ mysql_database_t *mysql_database_create(char *uri) return NULL; } - this = malloc_thing(private_mysql_database_t); - - this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; - this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; - this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; - this->public.db.destroy = (void(*)(database_t*))destroy; + INIT(this, + .public = { + .db = { + .query = _query, + .execute = _execute, + .get_driver = _get_driver, + .destroy = _destroy, + }, + }, + ); if (!parse_uri(this, uri)) { diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c index a13aa8091..65d8681cb 100644 --- a/src/libstrongswan/plugins/mysql/mysql_plugin.c +++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c @@ -32,10 +32,8 @@ struct private_mysql_plugin_t { mysql_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_mysql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_mysql_plugin_t *this) { lib->db->remove_database(lib->db, (database_constructor_t)mysql_database_create); @@ -56,8 +54,13 @@ plugin_t *mysql_plugin_create() return NULL; } - this = malloc_thing(private_mysql_plugin_t); - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->db->add_database(lib->db, (database_constructor_t)mysql_database_create); diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index a32418b16..b43be29f1 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index b9d97a901..58401faa5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -382,6 +382,8 @@ static private_openssl_crl_t *create_empty() }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, + .is_delta_crl = (void*)return_false, + .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty, .create_enumerator = _create_enumerator, }, }, @@ -458,7 +460,14 @@ static bool parse_extensions(private_openssl_crl_t *this) ok = parse_crlNumber_ext(this, ext); break; default: - ok = TRUE; + ok = X509_EXTENSION_get_critical(ext) == 0 || + !lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE); + if (!ok) + { + DBG1(DBG_LIB, "found unsupported critical X.509 " + "CRL extension"); + } break; } if (!ok) diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 0ab4eda9c..0050572ee 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -41,6 +41,8 @@ #include "openssl_x509.h" #include "openssl_crl.h" +static const char *plugin_name = "openssl"; + typedef struct private_openssl_plugin_t private_openssl_plugin_t; /** @@ -272,85 +274,85 @@ plugin_t *openssl_plugin_create() } /* crypter */ - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_RC5, + lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, + lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES, + lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_NULL, + lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name, (crypter_constructor_t)openssl_crypter_create); /* hasher */ - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD2, + lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)openssl_hasher_create); /* prf */ - lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name, (prf_constructor_t)openssl_sha1_prf_create); /* (ec) diffie hellman */ - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); #ifndef OPENSSL_NO_EC - lib->crypto->add_dh(lib->crypto, ECP_256_BIT, + lib->crypto->add_dh(lib->crypto, ECP_256_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_384_BIT, + lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_521_BIT, + lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_224_BIT, + lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_192_BIT, + lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); #endif /* OPENSSL_NO_EC */ - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); /* rsa */ diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index aa39bc93d..f7495b2ae 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -84,7 +84,7 @@ struct private_openssl_x509_t { /** * Pathlen constraint */ - int pathlen; + u_char pathlen; /** * certificate subject @@ -137,7 +137,7 @@ struct private_openssl_x509_t { linked_list_t *issuerAltNames; /** - * List of CRL URIs + * List of CRL URIs, as x509_cdp_t */ linked_list_t *crl_uris; @@ -152,6 +152,16 @@ struct private_openssl_x509_t { refcount_t ref; }; +/** + * Destroy a CRL URI struct + */ +static void crl_uri_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + /** * Convert a GeneralName to an identification_t. */ @@ -240,10 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t, return chunk_empty; } -METHOD(x509_t, get_pathLenConstraint, int, - private_openssl_x509_t *this) +METHOD(x509_t, get_constraint, u_int, + private_openssl_x509_t *this, x509_constraint_t type) { - return this->pathlen; + switch (type) + { + case X509_PATH_LEN: + return this->pathlen; + default: + return X509_NO_CONSTRAINT; + } } METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, @@ -264,13 +280,6 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, return this->ocsp_uris->create_enumerator(this->ocsp_uris); } -METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, - private_openssl_x509_t *this) -{ - /* TODO */ - return enumerator_create_empty(); -} - METHOD(certificate_t, get_type, certificate_type_t, private_openssl_x509_t *this) { @@ -483,7 +492,7 @@ METHOD(certificate_t, destroy, void, offsetof(identification_t, destroy)); this->issuerAltNames->destroy_offset(this->issuerAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, free); + this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); free(this); } @@ -517,18 +526,21 @@ static private_openssl_x509_t *create_empty() .get_serial = _get_serial, .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, .get_authKeyIdentifier = _get_authKeyIdentifier, - .get_pathLenConstraint = _get_pathLenConstraint, + .get_constraint = _get_constraint, .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, .create_crl_uri_enumerator = _create_crl_uri_enumerator, .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, - .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + .create_ipAddrBlock_enumerator = (void*)enumerator_create_empty, + .create_name_constraint_enumerator = (void*)enumerator_create_empty, + .create_cert_policy_enumerator = (void*)enumerator_create_empty, + .create_policy_mapping_enumerator = (void*)enumerator_create_empty, }, }, .subjectAltNames = linked_list_create(), .issuerAltNames = linked_list_create(), .crl_uris = linked_list_create(), .ocsp_uris = linked_list_create(), - .pathlen = X509_NO_PATH_LEN_CONSTRAINT, + .pathlen = X509_NO_CONSTRAINT, .ref = 1, ); @@ -574,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, X509_EXTENSION *ext) { BASIC_CONSTRAINTS *constraints; + long pathlen; constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext); if (constraints) @@ -584,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, } if (constraints->pathlen) { - this->pathlen = ASN1_INTEGER_get(constraints->pathlen); + + pathlen = ASN1_INTEGER_get(constraints->pathlen); + this->pathlen = (pathlen >= 0 && pathlen < 128) ? + pathlen : X509_NO_CONSTRAINT; } BASIC_CONSTRAINTS_free(constraints); return TRUE; @@ -600,9 +616,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; - identification_t *id; + identification_t *id, *issuer; + x509_cdp_t *entry; char *uri; - int i, j, point_num, name_num; + int i, j, k, point_num, name_num, issuer_num; cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -627,12 +644,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { if (asprintf(&uri, "%Y", id) > 0) { - this->crl_uris->insert_first(this->crl_uris, uri); + if (cdp->CRLissuer) + { + issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer); + for (k = 0; k < issuer_num; k++) + { + issuer = general_name2id( + sk_GENERAL_NAME_value(cdp->CRLissuer, k)); + if (issuer) + { + INIT(entry, + .uri = strdup(uri), + .issuer = issuer, + ); + this->crl_uris->insert_last( + this->crl_uris, entry); + } + } + free(uri); + } + else + { + INIT(entry, + .uri = uri, + ); + this->crl_uris->insert_last(this->crl_uris, entry); + } } id->destroy(id); } } } + DIST_POINT_free(cdp); } } @@ -765,7 +808,13 @@ static bool parse_extensions(private_openssl_x509_t *this) ok = parse_crlDistributionPoints_ext(this, ext); break; default: - ok = TRUE; + ok = X509_EXTENSION_get_critical(ext) == 0 || + !lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE); + if (!ok) + { + DBG1(DBG_LIB, "found unsupported critical X.509 extension"); + } break; } if (!ok) @@ -823,6 +872,13 @@ static bool parse_certificate(private_openssl_x509_t *this) { return FALSE; } + if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2) + { + DBG1(DBG_LIB, "unsupported x509 version: %d", + X509_get_version(this->x509) + 1); + return FALSE; + } + this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509)); this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509)); @@ -866,7 +922,7 @@ static bool parse_certificate(private_openssl_x509_t *this) if (!parse_extensions(this)) { - return TRUE; + return FALSE; } parse_extKeyUsage(this); diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 46953f681..7c89d0abd 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index 027c53c7b..695823acf 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -23,6 +23,8 @@ #include #include +static const char *plugin_name = "padlock"; + typedef struct private_padlock_plugin_t private_padlock_plugin_t; typedef enum padlock_feature_t padlock_feature_t; @@ -161,21 +163,21 @@ plugin_t *padlock_plugin_create() if (this->features & PADLOCK_RNG_ENABLED) { - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)padlock_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)padlock_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_WEAK, + lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name, (rng_constructor_t)padlock_rng_create); } if (this->features & PADLOCK_ACE2_ENABLED) { - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)padlock_aes_crypter_create); } if (this->features & PADLOCK_PHE_ENABLED) { - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)padlock_sha1_hasher_create); } return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index cf5acdd1c..60740eb35 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index e255d6fd0..9c8237e4d 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -111,7 +111,7 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, } /* compute and allocate maximum size of PEM object */ - pem_chars = 4*(asn1.len + 2)/3; + pem_chars = 4 * ((asn1.len + 2) / 3); pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE; *encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines); pos = encoding->ptr; diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c index 83efb155b..f2415a318 100644 --- a/src/libstrongswan/plugins/pem/pem_plugin.c +++ b/src/libstrongswan/plugins/pem/pem_plugin.c @@ -33,10 +33,8 @@ struct private_pem_plugin_t { pem_plugin_t public; }; -/** - * Implementation of pem_plugin_t.pemtroy - */ -static void destroy(private_pem_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pem_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pem_private_key_load); @@ -52,9 +50,15 @@ static void destroy(private_pem_plugin_t *this) */ plugin_t *pem_plugin_create() { - private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_pem_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); /* register private key PEM decoding builders */ lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 0098147a9..ab14f8ced 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c index 41e0a5df6..eaf0a1088 100644 --- a/src/libstrongswan/plugins/pgp/pgp_plugin.c +++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c @@ -33,10 +33,8 @@ struct private_pgp_plugin_t { pgp_plugin_t public; }; -/** - * Implementation of pgp_plugin_t.pgptroy - */ -static void destroy(private_pgp_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pgp_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pgp_public_key_load); @@ -56,10 +54,15 @@ static void destroy(private_pgp_plugin_t *this) */ plugin_t *pgp_plugin_create() { - private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_pgp_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pgp_public_key_load); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, @@ -68,10 +71,8 @@ plugin_t *pgp_plugin_create() (builder_function_t)pgp_private_key_load); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pgp_private_key_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, (builder_function_t)pgp_cert_load); - lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 8b41499a7..8ed4a08e9 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index d3afb5c67..33732f8a4 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c @@ -32,10 +32,8 @@ struct private_pkcs1_plugin_t { pkcs1_plugin_t public; }; -/** - * Implementation of pkcs1_plugin_t.pkcs1troy - */ -static void destroy(private_pkcs1_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pkcs1_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pkcs1_public_key_load); @@ -52,9 +50,15 @@ static void destroy(private_pkcs1_plugin_t *this) */ plugin_t *pkcs1_plugin_create() { - private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t); + private_pkcs1_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pkcs1_public_key_load); diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index c27310910..6c03b0497 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c index 1b1448c6a..a81ec1147 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c @@ -55,19 +55,20 @@ struct private_pkcs11_creds_t { * Find certificates, optionally trusted */ static void find_certificates(private_pkcs11_creds_t *this, - CK_SESSION_HANDLE session, CK_BBOOL trusted) + CK_SESSION_HANDLE session) { CK_OBJECT_CLASS class = CKO_CERTIFICATE; CK_CERTIFICATE_TYPE type = CKC_X_509; + CK_BBOOL trusted = TRUE; CK_ATTRIBUTE tmpl[] = { {CKA_CLASS, &class, sizeof(class)}, {CKA_CERTIFICATE_TYPE, &type, sizeof(type)}, - {CKA_TRUSTED, &trusted, sizeof(trusted)}, }; CK_OBJECT_HANDLE object; CK_ATTRIBUTE attr[] = { {CKA_VALUE, NULL, 0}, {CKA_LABEL, NULL, 0}, + {CKA_TRUSTED, &trusted, sizeof(trusted)} }; enumerator_t *enumerator; linked_list_t *raw; @@ -75,11 +76,19 @@ static void find_certificates(private_pkcs11_creds_t *this, struct { chunk_t value; chunk_t label; + bool trusted; } *entry; + int count = countof(attr); + /* store result in a temporary list, avoid recursive operation */ raw = linked_list_create(); + /* do not use trusted argument if not supported */ + if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS)) + { + count--; + } enumerator = this->lib->create_object_enumerator(this->lib, - session, tmpl, countof(tmpl), attr, countof(attr)); + session, tmpl, countof(tmpl), attr, count); while (enumerator->enumerate(enumerator, &object)) { entry = malloc(sizeof(*entry)); @@ -87,6 +96,7 @@ static void find_certificates(private_pkcs11_creds_t *this, chunk_create(attr[0].pValue, attr[0].ulValueLen)); entry->label = chunk_clone( chunk_create(attr[1].pValue, attr[1].ulValueLen)); + entry->trusted = trusted; raw->insert_last(raw, entry); } enumerator->destroy(enumerator); @@ -99,10 +109,10 @@ static void find_certificates(private_pkcs11_creds_t *this, if (cert) { DBG1(DBG_CFG, " loaded %strusted cert '%.*s'", - trusted ? "" : "un", entry->label.len, entry->label.ptr); + entry->trusted ? "" : "un", entry->label.len, entry->label.ptr); /* trusted certificates are also returned as untrusted */ this->untrusted->insert_last(this->untrusted, cert); - if (trusted) + if (entry->trusted) { this->trusted->insert_last(this->trusted, cert->get_ref(cert)); } @@ -135,8 +145,7 @@ static bool load_certificates(private_pkcs11_creds_t *this) return FALSE; } - find_certificates(this, session, CK_TRUE); - find_certificates(this, session, CK_FALSE); + find_certificates(this, session); this->lib->f->C_CloseSession(session); return TRUE; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c index 9fb1b7769..6f7926808 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c @@ -466,6 +466,11 @@ struct private_pkcs11_library_t { * Name as passed to the constructor */ char *name; + + /** + * Supported feature set + */ + pkcs11_feature_t features; }; METHOD(pkcs11_library_t, get_name, char*, @@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*, return this->name; } +METHOD(pkcs11_library_t, get_features, pkcs11_feature_t, + private_pkcs11_library_t *this) +{ + return this->features; +} + /** * Object enumerator */ @@ -765,20 +776,46 @@ static CK_RV UnlockMutex(CK_VOID_PTR data) return CKR_OK; } +/** + * Check if the library has at least a given cryptoki version + */ +static bool has_version(CK_INFO *info, int major, int minor) +{ + return info->cryptokiVersion.major > major || + (info->cryptokiVersion.major == major && + info->cryptokiVersion.minor >= minor); +} + +/** + * Check for optional PKCS#11 library functionality + */ +static void check_features(private_pkcs11_library_t *this, CK_INFO *info) +{ + if (has_version(info, 2, 20)) + { + this->features |= PKCS11_TRUSTED_CERTS; + this->features |= PKCS11_ALWAYS_AUTH_KEYS; + } +} + /** * Initialize a PKCS#11 library */ -static bool initialize(private_pkcs11_library_t *this, char *name, char *file) +static bool initialize(private_pkcs11_library_t *this, char *name, char *file, + bool os_locking) { CK_C_GetFunctionList pC_GetFunctionList; CK_INFO info; CK_RV rv; - CK_C_INITIALIZE_ARGS args = { + static CK_C_INITIALIZE_ARGS args = { .CreateMutex = CreateMutex, .DestroyMutex = DestroyMutex, .LockMutex = LockMutex, .UnlockMutex = UnlockMutex, }; + static CK_C_INITIALIZE_ARGS args_os = { + .flags = CKF_OS_LOCKING_OK, + }; pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList"); if (!pC_GetFunctionList) @@ -793,14 +830,19 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) name, ck_rv_names, rv); return FALSE; } - - rv = this->public.f->C_Initialize(&args); - if (rv == CKR_CANT_LOCK) - { /* try OS locking */ - memset(&args, 0, sizeof(args)); - args.flags = CKF_OS_LOCKING_OK; + if (os_locking) + { + rv = CKR_CANT_LOCK; + } + else + { rv = this->public.f->C_Initialize(&args); } + if (rv == CKR_CANT_LOCK) + { /* fallback to OS locking */ + os_locking = TRUE; + rv = this->public.f->C_Initialize(&args_os); + } if (rv != CKR_OK) { DBG1(DBG_CFG, "C_Initialize() error for '%s': %N", @@ -826,23 +868,26 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) DBG1(DBG_CFG, " %s: %s v%d.%d", info.manufacturerID, info.libraryDescription, info.libraryVersion.major, info.libraryVersion.minor); - if (args.flags & CKF_OS_LOCKING_OK) + if (os_locking) { DBG1(DBG_CFG, " uses OS locking functions"); } + + check_features(this, &info); return TRUE; } /** * See header */ -pkcs11_library_t *pkcs11_library_create(char *name, char *file) +pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking) { private_pkcs11_library_t *this; INIT(this, .public = { .get_name = _get_name, + .get_features = _get_features, .create_object_enumerator = _create_object_enumerator, .create_mechanism_enumerator = _create_mechanism_enumerator, .destroy = _destroy, @@ -858,7 +903,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file) return NULL; } - if (!initialize(this, name, file)) + if (!initialize(this, name, file, os_locking)) { dlclose(this->handle); free(this); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h index 1457d24d4..abe023448 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h @@ -21,6 +21,7 @@ #ifndef PKCS11_LIBRARY_H_ #define PKCS11_LIBRARY_H_ +typedef enum pkcs11_feature_t pkcs11_feature_t; typedef struct pkcs11_library_t pkcs11_library_t; #include "pkcs11.h" @@ -28,6 +29,16 @@ typedef struct pkcs11_library_t pkcs11_library_t; #include #include +/** + * Optional PKCS#11 features some libraries support, some not + */ +enum pkcs11_feature_t { + /** CKA_TRUSTED attribute supported for certificate objects */ + PKCS11_TRUSTED_CERTS = (1<<0), + /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */ + PKCS11_ALWAYS_AUTH_KEYS = (1<<1), +}; + /** * A loaded and initialized PKCS#11 library. */ @@ -45,6 +56,13 @@ struct pkcs11_library_t { */ char* (*get_name)(pkcs11_library_t *this); + /** + * Get the feature set supported by this library. + * + * @return ORed set of features supported + */ + pkcs11_feature_t (*get_features)(pkcs11_library_t *this); + /** * Create an enumerator over CK_OBJECT_HANDLE using a search template. * @@ -103,8 +121,9 @@ void pkcs11_library_trim(char *str, int len); * * @param name an arbitrary name, for debugging * @param file pkcs11 library file to dlopen() + * @param os_lock enforce OS Locking for this library * @return library abstraction */ -pkcs11_library_t *pkcs11_library_create(char *name, char *file); +pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock); #endif /** PKCS11_LIBRARY_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 0c27600a6..9308e9c25 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c @@ -373,7 +373,10 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, free(entry); continue; } - entry->lib = pkcs11_library_create(module, entry->path); + entry->lib = pkcs11_library_create(module, entry->path, + lib->settings->get_bool(lib->settings, + "libstrongswan.plugins.pkcs11.modules.%s.os_locking", + FALSE, module)); if (!entry->lib) { free(entry); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c index ace405c23..071d2f782 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c @@ -26,6 +26,8 @@ #include "pkcs11_public_key.h" #include "pkcs11_hasher.h" +static const char *plugin_name = "pkcs11"; + typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t; /** @@ -146,17 +148,17 @@ plugin_t *pkcs11_plugin_create() if (lib->settings->get_bool(lib->settings, "libstrongswan.plugins.pkcs11.use_hasher", FALSE)) { - lib->crypto->add_hasher(lib->crypto, HASH_MD2, + lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); } diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index cabca3f54..b4cc7a805 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -401,30 +401,36 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) }; CK_OBJECT_HANDLE object; CK_KEY_TYPE type; - CK_BBOOL reauth; + CK_BBOOL reauth = FALSE; CK_ATTRIBUTE attr[] = { {CKA_KEY_TYPE, &type, sizeof(type)}, - {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, {CKA_MODULUS, NULL, 0}, {CKA_PUBLIC_EXPONENT, NULL, 0}, + {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, }; enumerator_t *enumerator; chunk_t modulus, pubexp; + int count = countof(attr); + /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */ + if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS)) + { + count--; + } enumerator = this->lib->create_object_enumerator(this->lib, - this->session, tmpl, countof(tmpl), attr, countof(attr)); + this->session, tmpl, countof(tmpl), attr, count); if (enumerator->enumerate(enumerator, &object)) { switch (type) { case CKK_RSA: - if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1) + if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1) { DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed"); break; } - modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen); - pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen); + modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen); + pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen); this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_RSA_MODULUS, modulus, BUILD_RSA_PUB_EXP, pubexp, BUILD_END); diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index e1427bf15..473db5ccf 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -50,62 +50,77 @@ struct private_plugin_loader_t { linked_list_t *names; }; -#ifdef MONOLITHIC /** - * load a single plugin in monolithic mode + * create a plugin + * returns: NOT_FOUND, if the constructor was not found + * FAILED, if the plugin could not be constructed */ -static plugin_t* load_plugin(private_plugin_loader_t *this, - char *path, char *name) +static status_t create_plugin(private_plugin_loader_t *this, void *handle, + char *name, bool integrity, plugin_t **plugin) { char create[128]; - plugin_t *plugin; plugin_constructor_t constructor; if (snprintf(create, sizeof(create), "%s_plugin_create", name) >= sizeof(create)) { - return NULL; + return FAILED; } translate(create, "-", "_"); - constructor = dlsym(RTLD_DEFAULT, create); + constructor = dlsym(handle, create); if (constructor == NULL) { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, + DBG2(DBG_LIB, "plugin '%s': failed to load - %s not found", name, create); - return NULL; + return NOT_FOUND; } - plugin = constructor(); - if (plugin == NULL) + if (integrity && lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name); + return FAILED; + } + DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests", + name); + } + *plugin = constructor(); + if (*plugin == NULL) { DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, create); - return NULL; + return FAILED; } DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); - - return plugin; + return SUCCESS; } -#else + /** * load a single plugin */ static plugin_t* load_plugin(private_plugin_loader_t *this, char *path, char *name) { - char create[128]; char file[PATH_MAX]; void *handle; plugin_t *plugin; - plugin_constructor_t constructor; + + switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, &plugin)) + { + case SUCCESS: + return plugin; + case NOT_FOUND: + /* try to load the plugin from a file */ + break; + default: + return NULL; + } if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, - name) >= sizeof(file) || - snprintf(create, sizeof(create), "%s_plugin_create", - name) >= sizeof(create)) + name) >= sizeof(file)) { return NULL; } - translate(create, "-", "_"); if (lib->integrity) { if (!lib->integrity->check_file(lib->integrity, name, file)) @@ -121,40 +136,37 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); return NULL; } - constructor = dlsym(handle, create); - if (constructor == NULL) + if (create_plugin(this, handle, name, TRUE, &plugin) != SUCCESS) { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, - create); dlclose(handle); return NULL; } - if (lib->integrity) + /* we do not store or free dlopen() handles, leak_detective requires + * the modules to keep loaded until leak report */ + return plugin; +} + +/** + * Check if a plugin is already loaded + */ +static bool plugin_loaded(private_plugin_loader_t *this, char *name) +{ + enumerator_t *enumerator; + bool found = FALSE; + char *current; + + enumerator = this->names->create_enumerator(this->names); + while (enumerator->enumerate(enumerator, ¤t)) { - if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + if (streq(name, current)) { - DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name); - dlclose(handle); - return NULL; + found = TRUE; + break; } - DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests", - name); } - plugin = constructor(); - if (plugin == NULL) - { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, - create); - dlclose(handle); - return NULL; - } - DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); - - /* we do not store or free dlopen() handles, leak_detective requires - * the modules to keep loaded until leak report */ - return plugin; + enumerator->destroy(enumerator); + return found; } -#endif /** * Implementation of plugin_loader_t.load_plugins. @@ -165,12 +177,10 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) char *token; bool critical_failed = FALSE; -#ifndef MONOLITHIC if (path == NULL) { path = PLUGINDIR; } -#endif enumerator = enumerator_create_token(list, " ", " "); while (!critical_failed && enumerator->enumerate(enumerator, &token)) @@ -186,6 +196,11 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) critical = TRUE; token[len-1] = '\0'; } + if (plugin_loaded(this, token)) + { + free(token); + continue; + } plugin = load_plugin(this, path, token); if (plugin) { diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 495223855..46349f9ba 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c index 6f41ada2a..cc12217a4 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c @@ -31,10 +31,8 @@ struct private_pubkey_plugin_t { pubkey_plugin_t public; }; -/** - * Implementation of pubkey_plugin_t.pubkeytroy - */ -static void destroy(private_pubkey_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pubkey_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pubkey_cert_wrap); @@ -46,9 +44,15 @@ static void destroy(private_pubkey_plugin_t *this) */ plugin_t *pubkey_plugin_create() { - private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_pubkey_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE, (builder_function_t)pubkey_cert_wrap); diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index efd24c761..21f8aff11 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c index 39678ba71..cc5cb0a3c 100644 --- a/src/libstrongswan/plugins/random/random_plugin.c +++ b/src/libstrongswan/plugins/random/random_plugin.c @@ -18,6 +18,8 @@ #include #include "random_rng.h" +static const char *plugin_name = "random"; + typedef struct private_random_plugin_t private_random_plugin_t; /** @@ -31,10 +33,8 @@ struct private_random_plugin_t { random_plugin_t public; }; -/** - * Implementation of random_plugin_t.gmptroy - */ -static void destroy(private_random_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_random_plugin_t *this) { lib->crypto->remove_rng(lib->crypto, (rng_constructor_t)random_rng_create); @@ -46,13 +46,19 @@ static void destroy(private_random_plugin_t *this) */ plugin_t *random_plugin_create() { - private_random_plugin_t *this = malloc_thing(private_random_plugin_t); + private_random_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)random_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)random_rng_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c index b09f3f57a..1d99a63d5 100644 --- a/src/libstrongswan/plugins/random/random_rng.c +++ b/src/libstrongswan/plugins/random/random_rng.c @@ -55,11 +55,8 @@ struct private_random_rng_t { char *file; }; -/** - * Implementation of random_rng_t.get_bytes. - */ -static void get_bytes(private_random_rng_t *this, size_t bytes, - u_int8_t *buffer) +METHOD(rng_t, get_bytes, void, + private_random_rng_t *this, size_t bytes, u_int8_t *buffer) { size_t done; ssize_t got; @@ -81,20 +78,15 @@ static void get_bytes(private_random_rng_t *this, size_t bytes, } } -/** - * Implementation of random_rng_t.allocate_bytes. - */ -static void allocate_bytes(private_random_rng_t *this, size_t bytes, - chunk_t *chunk) +METHOD(rng_t, allocate_bytes, void, + private_random_rng_t *this, size_t bytes, chunk_t *chunk) { *chunk = chunk_alloc(bytes); get_bytes(this, chunk->len, chunk->ptr); } -/** - * Implementation of random_rng_t.destroy. - */ -static void destroy(private_random_rng_t *this) +METHOD(rng_t, destroy, void, + private_random_rng_t *this) { close(this->dev); free(this); @@ -105,12 +97,17 @@ static void destroy(private_random_rng_t *this) */ random_rng_t *random_rng_create(rng_quality_t quality) { - private_random_rng_t *this = malloc_thing(private_random_rng_t); - - /* public functions */ - this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes; - this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes; - this->public.rng.destroy = (void (*) (rng_t *))destroy; + private_random_rng_t *this; + + INIT(this, + .public = { + .rng = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .destroy = _destroy, + }, + }, + ); if (quality == RNG_TRUE) { diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 16a9d21c5..4ed4b9694 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 29d2bc128..def169275 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -93,12 +93,13 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ -static bool verify_ocsp(ocsp_response_t *response) +static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) { certificate_t *issuer, *subject; identification_t *responder; ocsp_response_wrapper_t *wrapper; enumerator_t *enumerator; + auth_cfg_t *current; bool verified = FALSE; wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); @@ -108,12 +109,16 @@ static bool verify_ocsp(ocsp_response_t *response) responder = subject->get_issuer(subject); enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, responder, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, subject, issuer)) { DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } @@ -129,7 +134,8 @@ static bool verify_ocsp(ocsp_response_t *response) * Get the better of two OCSP responses, and check for usable OCSP info */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) + x509_t *subject, x509_t *issuer, cert_validation_t *valid, + auth_cfg_t *auth, bool cache) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -139,7 +145,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response)) + if (!verify_ocsp(response, auth)) { DBG1(DBG_CFG, "ocsp response verification failed"); cand->destroy(cand); @@ -220,7 +226,8 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + best = get_better_ocsp(current, best, subject, issuer, + &valid, auth, FALSE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -247,7 +254,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -269,7 +276,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -323,20 +330,25 @@ static certificate_t* fetch_crl(char *url) /** * check the signature of an CRL */ -static bool verify_crl(certificate_t *crl) +static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) { certificate_t *issuer; enumerator_t *enumerator; bool verified = FALSE; + auth_cfg_t *current; enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, crl->get_issuer(crl), FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) { DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } @@ -350,23 +362,41 @@ static bool verify_crl(certificate_t *crl) * Get the better of two CRLs, and check for usable CRL info */ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) + x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, + bool cache, crl_t *base) { enumerator_t *enumerator; time_t revocation, valid_until; crl_reason_t reason; chunk_t serial; - crl_t *crl; + crl_t *crl = (crl_t*)cand; + + if (base) + { + if (!crl->is_delta_crl(crl, &serial) || + !chunk_equals(serial, base->get_serial(base))) + { + cand->destroy(cand); + return best; + } + } + else + { + if (crl->is_delta_crl(crl, NULL)) + { + cand->destroy(cand); + return best; + } + } /* check CRL signature */ - if (!verify_crl(cand)) + if (!verify_crl(cand, auth)) { DBG1(DBG_CFG, "crl response verification failed"); cand->destroy(cand); return best; } - crl = (crl_t*)cand; enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { @@ -411,79 +441,191 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, } /** - * validate a x509 certificate using CRL + * Find or fetch a certificate for a given crlIssuer */ -static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) +static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, + auth_cfg_t *auth, crl_t *base, + certificate_t **best, bool *uri_found) { cert_validation_t valid = VALIDATION_SKIPPED; - identification_t *keyid = NULL; - certificate_t *best = NULL; + enumerator_t *enumerator; certificate_t *current; - public_key_t *public; + char *uri; + + /* find a cached (delta) crl */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_CRL, KEY_ANY, issuer, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + *best = get_better_crl(current, *best, subject, &valid, + auth, FALSE, base); + if (*best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached crl"); + break; + } + } + enumerator->destroy(enumerator); + + /* fallback to fetching crls from credential sets cdps */ + if (!base && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_CRL, issuer); + while (enumerator->enumerate(enumerator, &uri)) + { + *uri_found = TRUE; + current = fetch_crl(uri); + if (current) + { + if (!current->has_issuer(current, issuer)) + { + DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL " + "issuer '%Y'", current->get_issuer(current), issuer); + current->destroy(current); + continue; + } + *best = get_better_crl(current, *best, subject, + &valid, auth, TRUE, base); + if (*best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + return valid; +} + +/** + * Look for a delta CRL for a given base CRL + */ +static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, + crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL, *current; enumerator_t *enumerator; + identification_t *id; + x509_cdp_t *cdp; chunk_t chunk; - char *uri = NULL; + bool uri; - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + /* find cached delta CRL via subjectKeyIdentifier */ + chunk = issuer->get_subjectKeyIdentifier(issuer); + if (chunk.len) { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + valid = find_crl(subject, id, auth, base, &best, &uri); + id->destroy(id); + } - /* find a cached crl by authorityKeyIdentifier */ - enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, - CERT_X509_CRL, KEY_ANY, keyid, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) + /* find delta CRL by CRLIssuer */ + enumerator = subject->create_crl_uri_enumerator(subject); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + if (cdp->issuer) { - current->get_ref(current); - best = get_better_crl(current, best, subject, issuer, - &valid, FALSE); + valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri); + } + } + enumerator->destroy(enumerator); + + /* fetch from URIs found in Freshest CRL extension */ + enumerator = base->create_delta_crl_uri_enumerator(base); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + current = fetch_crl(cdp->uri); + if (current) + { + if (cdp->issuer && !current->has_issuer(current, cdp->issuer)) + { + DBG1(DBG_CFG, "issuer of fetched delta CRL '%Y' does not match " + "certificates CRL issuer '%Y'", + current->get_issuer(current), cdp->issuer); + current->destroy(current); + continue; + } + best = get_better_crl(current, best, subject, &valid, + auth, TRUE, base); if (best && valid != VALIDATION_STALE) { - DBG1(DBG_CFG, " using cached crl"); break; } } - enumerator->destroy(enumerator); + } + enumerator->destroy(enumerator); + + if (best) + { + best->destroy(best); + return valid; + } + return base_valid; +} + + +/** + * validate a x509 certificate using CRL + */ +static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL; + identification_t *id; + x509_cdp_t *cdp; + bool uri_found = FALSE; + certificate_t *current; + enumerator_t *enumerator; + chunk_t chunk; + + /* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */ + chunk = issuer->get_subjectKeyIdentifier(issuer); + if (chunk.len) + { + id = identification_create_from_encoding(ID_KEY_ID, chunk); + valid = find_crl(subject, id, auth, NULL, &best, &uri_found); + id->destroy(id); + } - /* fallback to fetching crls from credential sets cdps */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + /* find a cached CRL or fetch via configured CDP via CRLIssuer */ + enumerator = subject->create_crl_uri_enumerator(subject); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + if (cdp->issuer) { - enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, - CERT_X509_CRL, keyid); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(uri); - if (current) - { - best = get_better_crl(current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); + valid = find_crl(subject, cdp->issuer, auth, NULL, + &best, &uri_found); } - keyid->destroy(keyid); } - DESTROY_IF(public); + enumerator->destroy(enumerator); - /* fallback to fetching crls from cdps from subject's certificate */ + /* fallback to fetching CRLs from CDPs found in subjects certificate */ if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) { enumerator = subject->create_crl_uri_enumerator(subject); - - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &cdp)) { - current = fetch_crl(uri); + uri_found = TRUE; + current = fetch_crl(cdp->uri); if (current) { - best = get_better_crl(current, best, subject, issuer, - &valid, TRUE); + if (cdp->issuer && !current->has_issuer(current, cdp->issuer)) + { + DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match " + "certificates CRL issuer '%Y'", + current->get_issuer(current), cdp->issuer); + current->destroy(current); + continue; + } + best = get_better_crl(current, best, subject, &valid, + auth, TRUE, NULL); if (best && valid != VALIDATION_STALE) { break; @@ -493,8 +635,14 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, enumerator->destroy(enumerator); } + /* look for delta CRLs */ + if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE)) + { + valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth); + } + /* an uri was found, but no result. switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) + if (valid == VALIDATION_SKIPPED && uri_found) { valid = VALIDATION_FAILED; } @@ -517,7 +665,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, METHOD(cert_validator_t, validate, bool, private_revocation_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, u_int pathlen, bool anchor, + auth_cfg_t *auth) { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509 && @@ -525,7 +674,8 @@ METHOD(cert_validator_t, validate, bool, { DBG1(DBG_CFG, "checking certificate status of \"%Y\"", subject->get_subject(subject)); - switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth)) + switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, + pathlen ? NULL : auth)) { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); @@ -543,7 +693,8 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); break; } - switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth)) + switch (check_crl((x509_t*)subject, (x509_t*)issuer, + pathlen ? NULL : auth)) { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 1036bedfc..3d96f4339 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c index 7b9cf878f..dda2cbc1a 100644 --- a/src/libstrongswan/plugins/sha1/sha1_plugin.c +++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c @@ -19,6 +19,8 @@ #include "sha1_hasher.h" #include "sha1_prf.h" +static const char *plugin_name = "sha1"; + typedef struct private_sha1_plugin_t private_sha1_plugin_t; /** @@ -32,10 +34,8 @@ struct private_sha1_plugin_t { sha1_plugin_t public; }; -/** - * Implementation of sha1_plugin_t.destroy - */ -static void destroy(private_sha1_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sha1_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha1_hasher_create); @@ -49,13 +49,19 @@ static void destroy(private_sha1_plugin_t *this) */ plugin_t *sha1_plugin_create() { - private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t); + private_sha1_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)sha1_hasher_create); - lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name, (prf_constructor_t)sha1_prf_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 579e6f9b0..fcbfa0c44 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index 810d9922a..a5937dbb2 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c +++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -18,6 +18,8 @@ #include #include "sha2_hasher.h" +static const char *plugin_name = "sha2"; + typedef struct private_sha2_plugin_t private_sha2_plugin_t; /** @@ -31,10 +33,8 @@ struct private_sha2_plugin_t { sha2_plugin_t public; }; -/** - * Implementation of sha2_plugin_t.destroy - */ -static void destroy(private_sha2_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sha2_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha2_hasher_create); @@ -46,17 +46,23 @@ static void destroy(private_sha2_plugin_t *this) */ plugin_t *sha2_plugin_create() { - private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t); + private_sha2_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)sha2_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am new file mode 100644 index 000000000..9006f1b7c --- /dev/null +++ b/src/libstrongswan/plugins/soup/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS} + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-soup.la +else +plugin_LTLIBRARIES = libstrongswan-soup.la +endif + +libstrongswan_soup_la_SOURCES = \ + soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h + +libstrongswan_soup_la_LDFLAGS = -module -avoid-version +libstrongswan_soup_la_LIBADD = ${soup_LIBS} diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in new file mode 100644 index 000000000..35d175f95 --- /dev/null +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -0,0 +1,601 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/soup +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo +libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS) +libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_soup_la_SOURCES) +DIST_SOURCES = $(libstrongswan_soup_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS} +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la +libstrongswan_soup_la_SOURCES = \ + soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h + +libstrongswan_soup_la_LDFLAGS = -module -avoid-version +libstrongswan_soup_la_LIBADD = ${soup_LIBS} +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) + $(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_fetcher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c new file mode 100644 index 000000000..fd97631bd --- /dev/null +++ b/src/libstrongswan/plugins/soup/soup_fetcher.c @@ -0,0 +1,159 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "soup_fetcher.h" + +#include + +#include +#include + +#define DEFAULT_TIMEOUT 10 + +typedef struct private_soup_fetcher_t private_soup_fetcher_t; + +/** + * private data of a soup_fetcher_t object. + */ +struct private_soup_fetcher_t { + + /** + * Public data + */ + soup_fetcher_t public; + + /** + * HTTP request method + */ + const char *method; + + /** + * Request content type + */ + char *type; + + /** + * Request data + */ + chunk_t data; + + /** + * Request timeout + */ + u_int timeout; + + /** + * HTTP request version + */ + SoupHTTPVersion version; +}; + +METHOD(fetcher_t, fetch, status_t, + private_soup_fetcher_t *this, char *uri, chunk_t *result) +{ + SoupSession *session; + SoupMessage *message; + status_t status = FAILED; + + message = soup_message_new(this->method, uri); + if (!message) + { + return NOT_SUPPORTED; + } + if (this->type) + { + soup_message_set_request(message, this->type, SOUP_MEMORY_STATIC, + this->data.ptr, this->data.len); + } + soup_message_set_http_version(message, this->version); + session = soup_session_sync_new(); + g_object_set(G_OBJECT(session), + SOUP_SESSION_TIMEOUT, (guint)this->timeout, NULL); + + DBG2(DBG_LIB, "sending http request to '%s'...", uri); + soup_session_send_message(session, message); + if (SOUP_STATUS_IS_SUCCESSFUL(message->status_code)) + { + *result = chunk_clone(chunk_create((u_char*)message->response_body->data, + message->response_body->length)); + status = SUCCESS; + } + else + { + DBG1(DBG_LIB, "HTTP request failed, code %d", message->status_code); + } + g_object_unref(G_OBJECT(message)); + g_object_unref(G_OBJECT(session)); + return status; +} + +METHOD(fetcher_t, set_option, bool, + private_soup_fetcher_t *this, fetcher_option_t option, ...) +{ + bool supported = TRUE; + va_list args; + + va_start(args, option); + switch (option) + { + case FETCH_REQUEST_DATA: + this->method = SOUP_METHOD_POST; + this->data = va_arg(args, chunk_t); + break; + case FETCH_REQUEST_TYPE: + this->type = va_arg(args, char*); + break; + case FETCH_HTTP_VERSION_1_0: + this->version = SOUP_HTTP_1_0; + break; + case FETCH_TIMEOUT: + this->timeout = va_arg(args, u_int); + break; + default: + supported = FALSE; + break; + } + va_end(args); + return supported; +} + +METHOD(fetcher_t, destroy, void, + private_soup_fetcher_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +soup_fetcher_t *soup_fetcher_create() +{ + private_soup_fetcher_t *this; + + INIT(this, + .public = { + .interface = { + .fetch = _fetch, + .set_option = _set_option, + .destroy = _destroy, + }, + }, + .method = SOUP_METHOD_GET, + .version = SOUP_HTTP_1_1, + .timeout = DEFAULT_TIMEOUT, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.h b/src/libstrongswan/plugins/soup/soup_fetcher.h new file mode 100644 index 000000000..9b2579515 --- /dev/null +++ b/src/libstrongswan/plugins/soup/soup_fetcher.h @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup soup_fetcher soup_fetcher + * @{ @ingroup soup_p + */ + +#ifndef SOUP_FETCHER_H_ +#define SOUP_FETCHER_H_ + +#include + +typedef struct soup_fetcher_t soup_fetcher_t; + +/** + * Fetcher implementation for HTTP using libsoup. + */ +struct soup_fetcher_t { + + /** + * Implements fetcher interface. + */ + fetcher_t interface; +}; + +/** + * Create a soup_fetcher instance. + */ +soup_fetcher_t *soup_fetcher_create(); + +#endif /** SOUP_FETCHER_H_ @}*/ diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c new file mode 100644 index 000000000..970e32472 --- /dev/null +++ b/src/libstrongswan/plugins/soup/soup_plugin.c @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "soup_plugin.h" +#include "soup_fetcher.h" + +#include +#include + +#include + +typedef struct private_soup_plugin_t private_soup_plugin_t; + +/** + * private data of soup_plugin + */ +struct private_soup_plugin_t { + + /** + * public functions + */ + soup_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_soup_plugin_t *this) +{ + lib->fetcher->remove_fetcher(lib->fetcher, + (fetcher_constructor_t)soup_fetcher_create); + free(this); +} + +/* + * see header file + */ +plugin_t *soup_plugin_create() +{ + private_soup_plugin_t *this; + + g_type_init(); + if (!g_thread_get_initialized()) + { + g_thread_init(NULL); + } + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); + + lib->fetcher->add_fetcher(lib->fetcher, + (fetcher_constructor_t)soup_fetcher_create, "http://"); + lib->fetcher->add_fetcher(lib->fetcher, + (fetcher_constructor_t)soup_fetcher_create, "https://"); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/soup/soup_plugin.h b/src/libstrongswan/plugins/soup/soup_plugin.h new file mode 100644 index 000000000..2dfa1d243 --- /dev/null +++ b/src/libstrongswan/plugins/soup/soup_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup soup_p soup + * @ingroup plugins + * + * @defgroup soup_plugin soup_plugin + * @{ @ingroup soup_p + */ + +#ifndef SOUP_PLUGIN_H_ +#define SOUP_PLUGIN_H_ + +#include + +typedef struct soup_plugin_t soup_plugin_t; + +/** + * Plugin implementing fetcher interface for HTTP using libsoup. + */ +struct soup_plugin_t { + + /** + * Implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** SOUP_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 9c9b57f98..ae015d1a8 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index 3e20dbb51..f9e06199e 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -213,10 +213,8 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...) return TRUE; } -/** - * Implementation of database_t.query. - */ -static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...) +METHOD(database_t, query, enumerator_t*, + private_sqlite_database_t *this, char *sql, ...) { sqlite3_stmt *stmt; va_list args; @@ -248,10 +246,8 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...) return (enumerator_t*)enumerator; } -/** - * Implementation of database_t.execute. - */ -static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...) +METHOD(database_t, execute, int, + private_sqlite_database_t *this, int *rowid, char *sql, ...) { sqlite3_stmt *stmt; int affected = -1; @@ -283,10 +279,8 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...) return affected; } -/** - * Implementation of database_t.get_driver - */ -static db_driver_t get_driver(private_sqlite_database_t *this) +METHOD(database_t, get_driver, db_driver_t, + private_sqlite_database_t *this) { return DB_SQLITE; } @@ -302,10 +296,8 @@ static int busy_handler(private_sqlite_database_t *this, int count) return 1; } -/** - * Implementation of database_t.destroy - */ -static void destroy(private_sqlite_database_t *this) +METHOD(database_t, destroy, void, + private_sqlite_database_t *this) { sqlite3_close(this->db); this->mutex->destroy(this->mutex); @@ -329,20 +321,23 @@ sqlite_database_t *sqlite_database_create(char *uri) } file = uri + 9; - this = malloc_thing(private_sqlite_database_t); - - this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; - this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; - this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; - this->public.db.destroy = (void(*)(database_t*))destroy; - - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); + INIT(this, + .public = { + .db = { + .query = _query, + .execute = _execute, + .get_driver = _get_driver, + .destroy = _destroy, + }, + }, + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + ); if (sqlite3_open(file, &this->db) != SQLITE_OK) { DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s", file, sqlite3_errmsg(this->db)); - destroy(this); + _destroy(this); return NULL; } diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c index 332d82318..e0b8e6ce1 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c @@ -31,10 +31,8 @@ struct private_sqlite_plugin_t { sqlite_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_sqlite_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sqlite_plugin_t *this) { lib->db->remove_database(lib->db, (database_constructor_t)sqlite_database_create); @@ -46,9 +44,15 @@ static void destroy(private_sqlite_plugin_t *this) */ plugin_t *sqlite_plugin_create() { - private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_sqlite_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->db->add_database(lib->db, (database_constructor_t)sqlite_database_create); diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 9be3f825a..9dccb05e3 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -227,9 +227,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -268,6 +266,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c index f3a254d8d..176bc438d 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c @@ -104,10 +104,8 @@ struct private_test_vectors_plugin_t { test_vectors_plugin_t public; }; -/** - * Implementation of test_vectors_plugin_t.test_vectorstroy - */ -static void destroy(private_test_vectors_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_test_vectors_plugin_t *this) { free(this); } @@ -117,10 +115,16 @@ static void destroy(private_test_vectors_plugin_t *this) */ plugin_t *test_vectors_plugin_create() { - private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t); + private_test_vectors_plugin_t *this; int i; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); for (i = 0; i < countof(crypter); i++) { diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index b1cc2f168..57deab98e 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 559090aa0..526dbe8c6 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -117,7 +117,7 @@ struct private_x509_cert_t { linked_list_t *subjectAltNames; /** - * List of crlDistributionPoints as allocated char* + * List of crlDistributionPoints as x509_cdp_t* */ linked_list_t *crl_uris; @@ -131,6 +131,26 @@ struct private_x509_cert_t { */ linked_list_t *ipAddrBlocks; + /** + * List of permitted name constraints + */ + linked_list_t *permitted_names; + + /** + * List of exluced name constraints + */ + linked_list_t *excluded_names; + + /** + * List of certificatePolicies, as x509_cert_policy_t + */ + linked_list_t *cert_policies; + + /** + * List of policyMappings, as x509_policy_mapping_t + */ + linked_list_t *policy_mappings; + /** * certificate's embedded public key */ @@ -154,7 +174,22 @@ struct private_x509_cert_t { /** * Path Length Constraint */ - int pathLenConstraint; + u_char pathLenConstraint; + + /** + * requireExplicitPolicy Constraint + */ + u_char require_explicit; + + /** + * inhibitPolicyMapping Constraint + */ + u_char inhibit_mapping; + + /** + * inhibitAnyPolicy Constraint + */ + u_char inhibit_any; /** * x509 constraints and other flags @@ -186,6 +221,53 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars( 0x06, 0x03, 0x55, 0x1D, 0x11 ); +/** + * Destroy a CertificateDistributionPoint + */ +static void crl_uri_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + +/** + * Destroy a CertificatePolicy + */ +static void cert_policy_destroy(x509_cert_policy_t *this) +{ + free(this->oid.ptr); + free(this->cps_uri); + free(this->unotice_text); + free(this); +} + +/** + * Free policy mapping + */ +static void policy_mapping_destroy(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} + +/** + * Parse a length constraint from an unwrapped integer + */ +static u_int parse_constraint(chunk_t object) +{ + switch (object.len) + { + case 0: + return 0; + case 1: + return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0]; + default: + return X509_NO_CONSTRAINT; + } +} + /** * ASN.1 definition of a basicConstraints extension */ @@ -228,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0, case BASIC_CONSTRAINTS_PATH_LEN: if (isCA) { - if (object.len == 0) - { - this->pathLenConstraint = 0; - } - else if (object.len == 1) - { - this->pathLenConstraint = *object.ptr; - } - /* we ignore path length constraints > 127 */ + this->pathLenConstraint = parse_constraint(object); } break; default: @@ -574,7 +648,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, } break; default: - /* unkown accessMethod, ignoring */ + /* unknown accessMethod, ignoring */ break; } break; @@ -588,6 +662,60 @@ end: parser->destroy(parser); } +/** + * Extract KeyUsage flags + */ +static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) +{ + enum { + KU_DIGITAL_SIGNATURE = 0, + KU_NON_REPUDIATION = 1, + KU_KEY_ENCIPHERMENT = 2, + KU_DATA_ENCIPHERMENT = 3, + KU_KEY_AGREEMENT = 4, + KU_KEY_CERT_SIGN = 5, + KU_CRL_SIGN = 6, + KU_ENCIPHER_ONLY = 7, + KU_DECIPHER_ONLY = 8, + }; + + if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len) + { + int bit, byte, unused = blob.ptr[0]; + + blob = chunk_skip(blob, 1); + for (byte = 0; byte < blob.len; byte++) + { + for (bit = 0; bit < 8; bit++) + { + if (byte == blob.len - 1 && bit > (7 - unused)) + { + break; + } + if (blob.ptr[byte] & 1 << (7 - bit)) + { + switch (byte * 8 + bit) + { + case KU_CRL_SIGN: + this->flags |= X509_CRL_SIGN; + break; + case KU_KEY_CERT_SIGN: + /* we use the caBasicConstraint, MUST be set */ + case KU_DIGITAL_SIGNATURE: + case KU_NON_REPUDIATION: + case KU_KEY_ENCIPHERMENT: + case KU_DATA_ENCIPHERMENT: + case KU_KEY_AGREEMENT: + case KU_ENCIPHER_ONLY: + case KU_DECIPHER_ONLY: + break; + } + } + } + } + } +} + /** * ASN.1 definition of a extendedKeyUsage extension */ @@ -600,7 +728,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = { #define EXT_KEY_USAGE_PURPOSE_ID 1 /** - * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned + * Extracts extendedKeyUsage OIDs */ static void parse_extendedKeyUsage(chunk_t blob, int level0, private_x509_cert_t *this) @@ -649,51 +777,328 @@ static const asn1Object_t crlDistributionPointsObjects[] = { { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ - { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */ + { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +#define CRL_DIST_POINTS 1 #define CRL_DIST_POINTS_FULLNAME 3 +#define CRL_DIST_POINTS_ISSUER 10 + +/** + * Add entry to the list of each pairing of URI and Issuer + */ +static void add_cdps(linked_list_t *list, linked_list_t *uris, + linked_list_t *issuers) +{ + identification_t *issuer, *id; + enumerator_t *enumerator; + x509_cdp_t *cdp; + char *uri; + + while (uris->remove_last(uris, (void**)&id) == SUCCESS) + { + if (asprintf(&uri, "%Y", id) > 0) + { + if (issuers->get_count(issuers)) + { + enumerator = issuers->create_enumerator(issuers); + while (enumerator->enumerate(enumerator, &issuer)) + { + INIT(cdp, + .uri = strdup(uri), + .issuer = issuer->clone(issuer), + ); + list->insert_last(list, cdp); + } + enumerator->destroy(enumerator); + free(uri); + } + else + { + INIT(cdp, + .uri = uri, + ); + list->insert_last(list, cdp); + } + } + id->destroy(id); + } + while (issuers->remove_last(issuers, (void**)&id) == SUCCESS) + { + id->destroy(id); + } +} /** * Extracts one or several crlDistributionPoints into a list */ -static void parse_crlDistributionPoints(chunk_t blob, int level0, - private_x509_cert_t *this) +void x509_parse_crlDistributionPoints(chunk_t blob, int level0, + linked_list_t *list) { + linked_list_t *uris, *issuers; asn1_parser_t *parser; chunk_t object; int objectID; - linked_list_t *list = linked_list_create(); + uris = linked_list_create(); + issuers = linked_list_create(); parser = asn1_parser_create(crlDistributionPointsObjects, blob); parser->set_top_level(parser, level0); while (parser->iterate(parser, &objectID, &object)) { - if (objectID == CRL_DIST_POINTS_FULLNAME) + switch (objectID) { - identification_t *id; + case CRL_DIST_POINTS: + add_cdps(list, uris, issuers); + break; + case CRL_DIST_POINTS_FULLNAME: + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, uris); + break; + case CRL_DIST_POINTS_ISSUER: + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, issuers); + break; + default: + break; + } + } + parser->destroy(parser); - /* append extracted generalNames to existing chained list */ - x509_parse_generalNames(object, parser->get_level(parser)+1, - TRUE, list); + add_cdps(list, uris, issuers); - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - char *uri; + uris->destroy(uris); + issuers->destroy(issuers); +} + +/** + * ASN.1 definition of nameConstraints + */ +static const asn1Object_t nameConstraintsObjects[] = { + { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define NAME_CONSTRAINT_PERMITTED 2 +#define NAME_CONSTRAINT_EXCLUDED 5 + +/** + * Parse permitted/excluded nameConstraints + */ +static void parse_nameConstraints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + identification_t *id; + chunk_t object; + int objectID; + + parser = asn1_parser_create(nameConstraintsObjects, blob); + parser->set_top_level(parser, level0); - if (asprintf(&uri, "%Y", id) > 0) + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case NAME_CONSTRAINT_PERMITTED: + id = parse_generalName(object, parser->get_level(parser) + 1); + if (id) { - this->crl_uris->insert_last(this->crl_uris, uri); + this->permitted_names->insert_last(this->permitted_names, id); } - id->destroy(id); - } + break; + case NAME_CONSTRAINT_EXCLUDED: + id = parse_generalName(object, parser->get_level(parser) + 1); + if (id) + { + this->excluded_names->insert_last(this->excluded_names, id); + } + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a certificatePolicies extension + */ +static const asn1Object_t certificatePoliciesObject[] = { + { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */ + { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ + { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ + { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ + { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */ + { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */ + { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */ + { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define CERT_POLICY_ID 2 +#define CERT_POLICY_QUALIFIER_ID 5 +#define CERT_POLICY_CPS_URI 6 +#define CERT_POLICY_EXPLICIT_TEXT 9 + +/** + * Parse certificatePolicies + */ +static void parse_certificatePolicies(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + x509_cert_policy_t *policy = NULL; + asn1_parser_t *parser; + chunk_t object; + int objectID, qualifier = OID_UNKNOWN; + + parser = asn1_parser_create(certificatePoliciesObject, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case CERT_POLICY_ID: + INIT(policy, + .oid = chunk_clone(object), + ); + this->cert_policies->insert_last(this->cert_policies, policy); + break; + case CERT_POLICY_QUALIFIER_ID: + qualifier = asn1_known_oid(object); + break; + case CERT_POLICY_CPS_URI: + if (policy && !policy->cps_uri && object.len && + qualifier == OID_POLICY_QUALIFIER_CPS && + chunk_printable(object, NULL, 0)) + { + policy->cps_uri = strndup(object.ptr, object.len); + } + break; + case CERT_POLICY_EXPLICIT_TEXT: + /* TODO */ + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a policyMappings extension + */ +static const asn1Object_t policyMappingsObjects[] = { + { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define POLICY_MAPPING 1 +#define POLICY_MAPPING_ISSUER 2 +#define POLICY_MAPPING_SUBJECT 3 + +/** + * Parse policyMappings + */ +static void parse_policyMappings(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + x509_policy_mapping_t *map = NULL; + asn1_parser_t *parser; + chunk_t object; + int objectID; + + parser = asn1_parser_create(policyMappingsObjects, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case POLICY_MAPPING: + INIT(map); + this->policy_mappings->insert_last(this->policy_mappings, map); + break; + case POLICY_MAPPING_ISSUER: + if (map && !map->issuer.len) + { + map->issuer = chunk_clone(object); + } + break; + case POLICY_MAPPING_SUBJECT: + if (map && !map->subject.len) + { + map->subject = chunk_clone(object); + } + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a policyConstraints extension + */ +static const asn1Object_t policyConstraintsObjects[] = { + { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */ + { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */ + { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define POLICY_CONSTRAINT_EXPLICIT 2 +#define POLICY_CONSTRAINT_INHIBIT 5 + +/** + * Parse policyConstraints + */ +static void parse_policyConstraints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + chunk_t object; + int objectID; + + parser = asn1_parser_create(policyConstraintsObjects, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case POLICY_CONSTRAINT_EXPLICIT: + this->require_explicit = parse_constraint(object); + break; + case POLICY_CONSTRAINT_INHIBIT: + this->inhibit_mapping = parse_constraint(object); + break; + default: + break; } } parser->destroy(parser); - list->destroy(list); } /** @@ -887,11 +1292,6 @@ static const asn1Object_t certObjects[] = { #define X509_OBJ_ALGORITHM 24 #define X509_OBJ_SIGNATURE 25 -/** - * forward declaration - */ -static bool issued_by(private_x509_cert_t *this, certificate_t *issuer); - /** * Parses an X.509v3 certificate */ @@ -992,7 +1392,8 @@ static bool parse_certificate(private_x509_cert_t *this) parse_basicConstraints(object, level, this); break; case OID_CRL_DISTRIBUTION_POINTS: - parse_crlDistributionPoints(object, level, this); + x509_parse_crlDistributionPoints(object, level, + this->crl_uris); break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, @@ -1002,7 +1403,7 @@ static bool parse_certificate(private_x509_cert_t *this) parse_authorityInfoAccess(object, level, this); break; case OID_KEY_USAGE: - /* TODO parse the flags */ + parse_keyUsage(object, this); break; case OID_EXTENDED_KEY_USAGE: parse_extendedKeyUsage(object, level, this); @@ -1010,6 +1411,26 @@ static bool parse_certificate(private_x509_cert_t *this) case OID_IP_ADDR_BLOCKS: parse_ipAddrBlocks(object, level, this); break; + case OID_NAME_CONSTRAINTS: + parse_nameConstraints(object, level, this); + break; + case OID_CERTIFICATE_POLICIES: + parse_certificatePolicies(object, level, this); + break; + case OID_POLICY_MAPPINGS: + parse_policyMappings(object, level, this); + break; + case OID_POLICY_CONSTRAINTS: + parse_policyConstraints(object, level, this); + break; + case OID_INHIBIT_ANY_POLICY: + if (!asn1_parse_simple_object(&object, ASN1_INTEGER, + level, "inhibitAnyPolicy")) + { + goto end; + } + this->inhibit_any = parse_constraint(object); + break; case OID_NS_REVOCATION_URL: case OID_NS_CA_REVOCATION_URL: case OID_NS_CA_POLICY_URL: @@ -1022,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.x509.enforce_critical", FALSE)) + "libstrongswan.x509.enforce_critical", TRUE)) { - DBG1(DBG_LIB, "critical %s extension not supported", + DBG1(DBG_LIB, "critical '%s' extension not supported", (extn_oid == OID_UNKNOWN) ? "unknown" : (char*)oid_names[extn_oid].name); goto end; @@ -1057,7 +1478,9 @@ end: hasher_t *hasher; /* check if the certificate is self-signed */ - if (issued_by(this, &this->public.interface.interface)) + if (this->public.interface.interface.issued_by( + &this->public.interface.interface, + &this->public.interface.interface)) { this->flags |= X509_SELF_SIGNED; } @@ -1074,34 +1497,26 @@ end: return success; } -/** - * Implementation of certificate_t.get_type - */ -static certificate_type_t get_type(private_x509_cert_t *this) +METHOD(certificate_t, get_type, certificate_type_t, + private_x509_cert_t *this) { return CERT_X509; } -/** - * Implementation of certificate_t.get_subject - */ -static identification_t* get_subject(private_x509_cert_t *this) +METHOD(certificate_t, get_subject, identification_t*, + private_x509_cert_t *this) { return this->subject; } -/** - * Implementation of certificate_t.get_issuer - */ -static identification_t* get_issuer(private_x509_cert_t *this) +METHOD(certificate_t, get_issuer, identification_t*, + private_x509_cert_t *this) { return this->issuer; } -/** - * Implementation of certificate_t.has_subject. - */ -static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject) +METHOD(certificate_t, has_subject, id_match_t, + private_x509_cert_t *this, identification_t *subject) { identification_t *current; enumerator_t *enumerator; @@ -1142,19 +1557,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje return best; } -/** - * Implementation of certificate_t.has_issuer. - */ -static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer) +METHOD(certificate_t, has_issuer, id_match_t, + private_x509_cert_t *this, identification_t *issuer) { /* issuerAltNames currently not supported */ return this->issuer->matches(this->issuer, issuer); } -/** - * Implementation of certificate_t.issued_by. - */ -static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) +METHOD(certificate_t, issued_by, bool, + private_x509_cert_t *this, certificate_t *issuer) { public_key_t *key; signature_scheme_t scheme; @@ -1201,37 +1612,23 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) return valid; } -/** - * Implementation of certificate_t.get_public_key - */ -static public_key_t* get_public_key(private_x509_cert_t *this) +METHOD(certificate_t, get_public_key, public_key_t*, + private_x509_cert_t *this) { this->public_key->get_ref(this->public_key); return this->public_key; } -/** - * Implementation of certificate_t.get_ref - */ -static private_x509_cert_t* get_ref(private_x509_cert_t *this) +METHOD(certificate_t, get_ref, certificate_t*, + private_x509_cert_t *this) { ref_get(&this->ref); - return this; + return &this->public.interface.interface; } -/** - * Implementation of x509_cert_t.get_flags. - */ -static x509_flag_t get_flags(private_x509_cert_t *this) -{ - return this->flags; -} - -/** - * Implementation of x509_cert_t.get_validity. - */ -static bool get_validity(private_x509_cert_t *this, time_t *when, - time_t *not_before, time_t *not_after) +METHOD(certificate_t, get_validity, bool, + private_x509_cert_t *this, time_t *when, time_t *not_before, + time_t *not_after) { time_t t = when ? *when : time(NULL); @@ -1246,11 +1643,8 @@ static bool get_validity(private_x509_cert_t *this, time_t *when, return (t >= this->notBefore && t <= this->notAfter); } -/** - * Implementation of certificate_t.get_encoding. - */ -static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, - chunk_t *encoding) +METHOD(certificate_t, get_encoding, bool, + private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding) { if (type == CERT_ASN1_DER) { @@ -1261,10 +1655,8 @@ static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } -/** - * Implementation of certificate_t.equals. - */ -static bool equals(private_x509_cert_t *this, certificate_t *other) +METHOD(certificate_t, equals, bool, + private_x509_cert_t *this, certificate_t *other) { chunk_t encoding; bool equal; @@ -1290,18 +1682,20 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) return equal; } -/** - * Implementation of x509_t.get_serial. - */ -static chunk_t get_serial(private_x509_cert_t *this) +METHOD(x509_t, get_flags, x509_flag_t, + private_x509_cert_t *this) +{ + return this->flags; +} + +METHOD(x509_t, get_serial, chunk_t, + private_x509_cert_t *this) { return this->serialNumber; } -/** - * Implementation of x509_t.get_subjectKeyIdentifier. - */ -static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) +METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, + private_x509_cert_t *this) { if (this->subjectKeyIdentifier.ptr) { @@ -1323,66 +1717,95 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) } } -/** - * Implementation of x509_t.get_authKeyIdentifier. - */ -static chunk_t get_authKeyIdentifier(private_x509_cert_t *this) +METHOD(x509_t, get_authKeyIdentifier, chunk_t, + private_x509_cert_t *this) { return this->authKeyIdentifier; } -/** - * Implementation of x509_t.get_pathLenConstraint. - */ -static int get_pathLenConstraint(private_x509_cert_t *this) +METHOD(x509_t, get_constraint, u_int, + private_x509_cert_t *this, x509_constraint_t type) { - return this->pathLenConstraint; + switch (type) + { + case X509_PATH_LEN: + return this->pathLenConstraint; + case X509_REQUIRE_EXPLICIT_POLICY: + return this->require_explicit; + case X509_INHIBIT_POLICY_MAPPING: + return this->inhibit_mapping; + case X509_INHIBIT_ANY_POLICY: + return this->inhibit_any; + default: + return X509_NO_CONSTRAINT; + } } -/** - * Implementation of x509_cert_t.create_subjectAltName_enumerator. - */ -static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->subjectAltNames->create_enumerator(this->subjectAltNames); } -/** - * Implementation of x509_cert_t.create_ocsp_uri_enumerator. - */ -static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->ocsp_uris->create_enumerator(this->ocsp_uris); } -/** - * Implementation of x509_cert_t.create_crl_uri_enumerator. - */ -static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->crl_uris->create_enumerator(this->crl_uris); } -/** - * Implementation of x509_cert_t.create_ipAddrBlock_enumerator. - */ -static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks); } -/** - * Implementation of certificate_t.destroy. - */ -static void destroy(private_x509_cert_t *this) +METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*, + private_x509_cert_t *this, bool perm) +{ + if (perm) + { + return this->permitted_names->create_enumerator(this->permitted_names); + } + return this->excluded_names->create_enumerator(this->excluded_names); +} + +METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*, + private_x509_cert_t *this) +{ + return this->cert_policies->create_enumerator(this->cert_policies); +} + +METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*, + private_x509_cert_t *this) +{ + return this->policy_mappings->create_enumerator(this->policy_mappings); +} + +METHOD(certificate_t, destroy, void, + private_x509_cert_t *this) { if (ref_put(&this->ref)) { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, free); + this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); - this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); + this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, + offsetof(traffic_selector_t, destroy)); + this->permitted_names->destroy_offset(this->permitted_names, + offsetof(identification_t, destroy)); + this->excluded_names->destroy_offset(this->excluded_names, + offsetof(identification_t, destroy)); + this->cert_policies->destroy_function(this->cert_policies, + (void*)cert_policy_destroy); + this->policy_mappings->destroy_function(this->policy_mappings, + (void*)policy_mapping_destroy); DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); @@ -1404,63 +1827,93 @@ static void destroy(private_x509_cert_t *this) */ static private_x509_cert_t* create_empty(void) { - private_x509_cert_t *this = malloc_thing(private_x509_cert_t); - - this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type; - this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject; - this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer; - this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject; - this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer; - this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; - this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; - this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; - this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; - this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; - this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; - this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags; - this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial; - this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier; - this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier; - this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint; - this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; - this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; - this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; - this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator; - - this->encoding = chunk_empty; - this->encoding_hash = chunk_empty; - this->tbsCertificate = chunk_empty; - this->version = 1; - this->serialNumber = chunk_empty; - this->notBefore = 0; - this->notAfter = 0; - this->public_key = NULL; - this->subject = NULL; - this->issuer = NULL; - this->subjectAltNames = linked_list_create(); - this->crl_uris = linked_list_create(); - this->ocsp_uris = linked_list_create(); - this->ipAddrBlocks = linked_list_create(); - this->subjectKeyIdentifier = chunk_empty; - this->authKeyIdentifier = chunk_empty; - this->authKeySerialNumber = chunk_empty; - this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; - this->algorithm = 0; - this->signature = chunk_empty; - this->flags = 0; - this->ref = 1; - this->parsed = FALSE; - + private_x509_cert_t *this; + + INIT(this, + .public = { + .interface = { + .interface = { + .get_type = _get_type, + .get_subject = _get_subject, + .get_issuer = _get_issuer, + .has_subject = _has_subject, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_flags = _get_flags, + .get_serial = _get_serial, + .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .get_constraint = _get_constraint, + .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, + .create_crl_uri_enumerator = _create_crl_uri_enumerator, + .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, + .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + .create_name_constraint_enumerator = _create_name_constraint_enumerator, + .create_cert_policy_enumerator = _create_cert_policy_enumerator, + .create_policy_mapping_enumerator = _create_policy_mapping_enumerator, + }, + }, + .version = 1, + .subjectAltNames = linked_list_create(), + .crl_uris = linked_list_create(), + .ocsp_uris = linked_list_create(), + .ipAddrBlocks = linked_list_create(), + .permitted_names = linked_list_create(), + .excluded_names = linked_list_create(), + .cert_policies = linked_list_create(), + .policy_mappings = linked_list_create(), + .pathLenConstraint = X509_NO_CONSTRAINT, + .require_explicit = X509_NO_CONSTRAINT, + .inhibit_mapping = X509_NO_CONSTRAINT, + .inhibit_any = X509_NO_CONSTRAINT, + .ref = 1, + ); return this; } +/** + * Build a generalName from an id + */ +chunk_t build_generalName(identification_t *id) +{ + int context; + + switch (id->get_type(id)) + { + case ID_RFC822_ADDR: + context = ASN1_CONTEXT_S_1; + break; + case ID_FQDN: + context = ASN1_CONTEXT_S_2; + break; + case ID_DER_ASN1_DN: + context = ASN1_CONTEXT_C_4; + break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + context = ASN1_CONTEXT_S_7; + break; + default: + DBG1(DBG_LIB, "encoding %N as generalName not supported", + id_type_names, id->get_type(id)); + return chunk_empty; + } + return asn1_wrap(context, "c", id->get_encoding(id)); +} + /** * Encode a linked list of subjectAltNames */ chunk_t x509_build_subjectAltNames(linked_list_t *list) { - chunk_t subjectAltNames = chunk_empty; + chunk_t subjectAltNames = chunk_empty, name; enumerator_t *enumerator; identification_t *id; @@ -1472,29 +1925,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &id)) { - int context; - chunk_t name; - - switch (id->get_type(id)) - { - case ID_RFC822_ADDR: - context = ASN1_CONTEXT_S_1; - break; - case ID_FQDN: - context = ASN1_CONTEXT_S_2; - break; - case ID_IPV4_ADDR: - case ID_IPV6_ADDR: - context = ASN1_CONTEXT_S_7; - break; - default: - DBG1(DBG_LIB, "encoding %N as subjectAltName not supported", - id_type_names, id->get_type(id)); - enumerator->destroy(enumerator); - free(subjectAltNames.ptr); - return chunk_empty; - } - name = asn1_wrap(context, "c", id->get_encoding(id)); + name = build_generalName(id); subjectAltNames = chunk_cat("mm", subjectAltNames, name); } enumerator->destroy(enumerator); @@ -1507,6 +1938,47 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) ); } +/** + * Encode CRL distribution points extension from a x509_cdp_t list + */ +chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) +{ + chunk_t crlDistributionPoints = chunk_empty; + enumerator_t *enumerator; + x509_cdp_t *cdp; + + if (list->get_count(list) == 0) + { + return chunk_empty; + } + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &cdp)) + { + chunk_t distributionPoint, crlIssuer = chunk_empty; + + if (cdp->issuer) + { + crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m", + build_generalName(cdp->issuer)); + } + distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(cdp->uri, strlen(cdp->uri))))), + crlIssuer); + crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, + distributionPoint); + } + enumerator->destroy(enumerator); + + return asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(extn), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); +} + /** * Generate and sign a new certificate */ @@ -1515,12 +1987,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; - chunk_t ocspSigning = chunk_empty; - chunk_t basicConstraints = chunk_empty; - chunk_t keyUsage = chunk_empty; - chunk_t subjectAltNames = chunk_empty; + chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty; + chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty; + chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty; + chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty; chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; + chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; @@ -1574,29 +2047,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* encode subjectAltNames */ subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames); - /* encode CRL distribution points extension */ - enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); - while (enumerator->enumerate(enumerator, &uri)) - { - chunk_t distributionPoint; - - distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m", - asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_CONTEXT_S_6, "c", - chunk_create(uri, strlen(uri)))))); - - crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, - distributionPoint); - } - enumerator->destroy(enumerator); - if (crlDistributionPoints.ptr) - { - crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS), - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); - } + crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris, + OID_CRL_DISTRIBUTION_POINTS); /* encode OCSP URIs in authorityInfoAccess extension */ enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris); @@ -1625,11 +2077,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t pathLenConstraint = chunk_empty; - if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT) + if (cert->pathLenConstraint != X509_NO_CONSTRAINT) { - char pathlen = (char)cert->pathLenConstraint; - - pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen)); + pathLenConstraint = asn1_integer("c", + chunk_from_thing(cert->pathLenConstraint)); } basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_BASIC_CONSTRAINTS), @@ -1640,13 +2091,20 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), pathLenConstraint))); + /* set CertificateSign and implicitly CRLsign */ + keyUsageBits = chunk_from_chars(0x01, 0x06); + } + else if (cert->flags & X509_CRL_SIGN) + { + keyUsageBits = chunk_from_chars(0x01, 0x02); + } + if (keyUsageBits.len) + { keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm", - asn1_build_known_oid(OID_KEY_USAGE), - asn1_wrap(ASN1_BOOLEAN, "c", - chunk_from_chars(0xFF)), - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_BIT_STRING, "c", - chunk_from_chars(0x01, 0x06)))); + asn1_build_known_oid(OID_KEY_USAGE), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits))); } /* add serverAuth extendedKeyUsage flag */ @@ -1675,7 +2133,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, } /* add subjectKeyIdentifier to CA and OCSP signer certificates */ - if (cert->flags & (X509_CA | X509_OCSP_SIGNER)) + if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN)) { chunk_t keyid; @@ -1703,15 +2161,153 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid)))); } } + + if (cert->permitted_names->get_count(cert->permitted_names) || + cert->excluded_names->get_count(cert->excluded_names)) + { + chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree; + identification_t *id; + + enumerator = create_name_constraint_enumerator(cert, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id)); + permitted = chunk_cat("mm", permitted, subtree); + } + enumerator->destroy(enumerator); + if (permitted.ptr) + { + permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted); + } + + enumerator = create_name_constraint_enumerator(cert, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id)); + excluded = chunk_cat("mm", excluded, subtree); + } + enumerator->destroy(enumerator); + if (excluded.ptr) + { + excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded); + } + + nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_NAME_CONSTRAINTS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + permitted, excluded))); + } + + if (cert->cert_policies->get_count(cert->cert_policies)) + { + x509_cert_policy_t *policy; + + enumerator = create_cert_policy_enumerator(cert); + while (enumerator->enumerate(enumerator, &policy)) + { + chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty; + + if (policy->cps_uri) + { + cps = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS), + asn1_wrap(ASN1_IA5STRING, "c", + chunk_create(policy->cps_uri, + strlen(policy->cps_uri)))); + } + if (policy->unotice_text) + { + notice = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE), + asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_VISIBLESTRING, "c", + chunk_create(policy->unotice_text, + strlen(policy->unotice_text))))); + } + if (cps.len || notice.len) + { + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice); + } + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_OID, "c", policy->oid), chunk); + certPolicies = chunk_cat("mm", certPolicies, chunk); + } + enumerator->destroy(enumerator); + + certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CERTIFICATE_POLICIES), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", certPolicies))); + } + + if (cert->policy_mappings->get_count(cert->policy_mappings)) + { + x509_policy_mapping_t *mapping; + + enumerator = create_policy_mapping_enumerator(cert); + while (enumerator->enumerate(enumerator, &mapping)) + { + chunk_t chunk; + + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_OID, "c", mapping->issuer), + asn1_wrap(ASN1_OID, "c", mapping->subject)); + policyMappings = chunk_cat("mm", policyMappings, chunk); + } + enumerator->destroy(enumerator); + + policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_MAPPINGS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", policyMappings))); + } + + if (cert->inhibit_mapping != X509_NO_CONSTRAINT || + cert->require_explicit != X509_NO_CONSTRAINT) + { + chunk_t inhibit = chunk_empty, explicit = chunk_empty; + + if (cert->require_explicit != X509_NO_CONSTRAINT) + { + explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_integer("c", + chunk_from_thing(cert->require_explicit))); + } + if (cert->inhibit_mapping != X509_NO_CONSTRAINT) + { + inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m", + asn1_integer("c", + chunk_from_thing(cert->inhibit_mapping))); + } + policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_POLICY_CONSTRAINTS), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + explicit, inhibit))); + } + + if (cert->inhibit_any != X509_NO_CONSTRAINT) + { + inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_INHIBIT_ANY_POLICY), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", + chunk_from_thing(cert->inhibit_any)))); + } + if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr || - crlDistributionPoints.ptr) + crlDistributionPoints.ptr || nameConstraints.ptr) { extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", - asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm", + asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm", basicConstraints, keyUsage, subjectKeyIdentifier, authKeyIdentifier, subjectAltNames, extendedKeyUsage, crlDistributionPoints, - authorityInfoAccess)); + authorityInfoAccess, nameConstraints, certPolicies, + policyMappings, policyConstraints, inhibitAnyPolicy)); } cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", @@ -1794,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; hash_algorithm_t digest_alg = HASH_SHA1; + u_int constraint; cert = create_empty(); while (TRUE) @@ -1837,13 +2434,17 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) { enumerator_t *enumerator; linked_list_t *list; - char *uri; + x509_cdp_t *in, *cdp; list = va_arg(args, linked_list_t*); enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &in)) { - cert->crl_uris->insert_last(cert->crl_uris, strdup(uri)); + INIT(cdp, + .uri = strdup(in->uri), + .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, + ); + cert->crl_uris->insert_last(cert->crl_uris, cdp); } enumerator->destroy(enumerator); continue; @@ -1864,11 +2465,96 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) continue; } case BUILD_PATHLEN: - cert->pathLenConstraint = va_arg(args, int); - if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127) + constraint = va_arg(args, u_int); + cert->pathLenConstraint = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_PERMITTED_NAME_CONSTRAINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + identification_t *constraint; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &constraint)) + { + cert->permitted_names->insert_last(cert->permitted_names, + constraint->clone(constraint)); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_EXCLUDED_NAME_CONSTRAINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + identification_t *constraint; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &constraint)) + { + cert->excluded_names->insert_last(cert->excluded_names, + constraint->clone(constraint)); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_CERTIFICATE_POLICIES: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_cert_policy_t *policy, *in; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) + { + INIT(policy, + .oid = chunk_clone(in->oid), + .cps_uri = strdupnull(in->cps_uri), + .unotice_text = strdupnull(in->unotice_text), + ); + cert->cert_policies->insert_last(cert->cert_policies, policy); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_POLICY_MAPPINGS: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_policy_mapping_t* mapping, *in; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) { - cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + INIT(mapping, + .issuer = chunk_clone(in->issuer), + .subject = chunk_clone(in->subject), + ); + cert->policy_mappings->insert_last(cert->policy_mappings, + mapping); } + enumerator->destroy(enumerator); + continue; + } + case BUILD_POLICY_REQUIRE_EXPLICIT: + constraint = va_arg(args, u_int); + cert->require_explicit = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_POLICY_INHIBIT_MAPPING: + constraint = va_arg(args, u_int); + cert->inhibit_mapping = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_POLICY_INHIBIT_ANY: + constraint = va_arg(args, u_int); + cert->inhibit_any = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; continue; case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 4bd0470d3..758505ab5 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -99,6 +99,11 @@ struct private_x509_crl_t { */ linked_list_t *revoked; + /** + * List of Freshest CRL distribution points + */ + linked_list_t *crl_uris; + /** * Authority Key Identifier */ @@ -109,6 +114,11 @@ struct private_x509_crl_t { */ chunk_t authKeySerialNumber; + /** + * Number of BaseCRL, if a delta CRL + */ + chunk_t baseCrlNumber; + /** * Signature algorithm */ @@ -133,9 +143,19 @@ struct private_x509_crl_t { /** * from x509_cert */ -extern chunk_t x509_parse_authorityKeyIdentifier( - chunk_t blob, int level0, - chunk_t *authKeySerialNumber); +extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, + chunk_t *authKeySerialNumber); + +/** + * from x509_cert + */ +extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0, + linked_list_t *list); + +/** + * from x509_cert + */ +extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn); /** * ASN.1 definition of an X.509 certificate revocation list @@ -206,7 +226,7 @@ static bool parse(private_x509_crl_t *this) int objectID; int sig_alg = OID_UNKNOWN; bool success = FALSE; - bool critical; + bool critical = FALSE; revoked_t *revoked = NULL; parser = asn1_parser_create(crlObjects, this->encoding); @@ -258,35 +278,61 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_CRL_ENTRY_EXTN_VALUE: case CRL_OBJ_EXTN_VALUE: - { - int extn_oid = asn1_known_oid(extnID); + { + int extn_oid = asn1_known_oid(extnID); - if (revoked && extn_oid == OID_CRL_REASON_CODE) - { - if (*object.ptr == ASN1_ENUMERATED && - asn1_length(&object) == 1) + switch (extn_oid) + { + case OID_CRL_REASON_CODE: + if (revoked) { - revoked->reason = *object.ptr; + if (object.len && *object.ptr == ASN1_ENUMERATED && + asn1_length(&object) == 1) + { + revoked->reason = *object.ptr; + } + DBG2(DBG_LIB, " '%N'", crl_reason_names, + revoked->reason); } - DBG2(DBG_LIB, " '%N'", crl_reason_names, - revoked->reason); - } - else if (extn_oid == OID_AUTHORITY_KEY_ID) - { - this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, - level, &this->authKeySerialNumber); - } - else if (extn_oid == OID_CRL_NUMBER) - { + break; + case OID_AUTHORITY_KEY_ID: + this->authKeyIdentifier = + x509_parse_authorityKeyIdentifier( + object, level, &this->authKeySerialNumber); + break; + case OID_CRL_NUMBER: if (!asn1_parse_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) { goto end; } this->crlNumber = object; - } + break; + case OID_FRESHEST_CRL: + x509_parse_crlDistributionPoints(object, level, + this->crl_uris); + break; + case OID_DELTA_CRL_INDICATOR: + if (!asn1_parse_simple_object(&object, ASN1_INTEGER, + level, "deltaCrlIndicator")) + { + goto end; + } + this->baseCrlNumber = object; + break; + default: + if (critical && lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE)) + { + DBG1(DBG_LIB, "critical '%s' extension not supported", + (extn_oid == OID_UNKNOWN) ? "unknown" : + (char*)oid_names[extn_oid].name); + goto end; + } + break; } break; + } case CRL_OBJ_ALGORITHM: { this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); @@ -344,6 +390,26 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t, return this->authKeyIdentifier; } +METHOD(crl_t, is_delta_crl, bool, + private_x509_crl_t *this, chunk_t *base_crl) +{ + if (this->baseCrlNumber.len) + { + if (base_crl) + { + *base_crl = this->baseCrlNumber; + } + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, + private_x509_crl_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + METHOD(crl_t, create_enumerator, enumerator_t*, private_x509_crl_t *this) { @@ -388,7 +454,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { return FALSE; } @@ -501,18 +567,30 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } +/** + * Destroy a CDP entry + */ +static void cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); + this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); if (this->generated) { free(this->crlNumber.ptr); + free(this->baseCrlNumber.ptr); free(this->signature.ptr); free(this->tbsCertList.ptr); } @@ -546,10 +624,13 @@ static private_x509_crl_t* create_empty(void) }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, + .is_delta_crl = _is_delta_crl, + .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, .create_enumerator = _create_enumerator, }, }, .revoked = linked_list_create(), + .crl_uris = linked_list_create(), .ref = 1, ); return this; @@ -618,6 +699,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, private_key_t *key, hash_algorithm_t digest_alg) { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; + chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; enumerator_t *enumerator; crl_reason_t reason; time_t date; @@ -625,7 +707,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, x509 = (x509_t*)cert; - this->issuer = cert->get_issuer(cert); + this->issuer = cert->get_subject(cert); this->issuer = this->issuer->clone(this->issuer); this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); @@ -660,8 +742,21 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, } enumerator->destroy(enumerator); + crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris, + OID_FRESHEST_CRL); + + if (this->baseCrlNumber.len) + { + baseCrlNumber = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_DELTA_CRL_INDICATOR), + asn1_wrap(ASN1_BOOLEAN, "c", + chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", this->baseCrlNumber))); + } + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_SEQUENCE, "mmmm", asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", @@ -671,9 +766,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_CRL_NUMBER), asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_integer("c", this->crlNumber)) - ) - )); + asn1_integer("c", this->crlNumber))), + crlDistributionPoints, baseCrlNumber)); this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", ASN1_INTEGER_1, @@ -736,6 +830,29 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) case BUILD_REVOKED_ENUMERATOR: read_revoked(crl, va_arg(args, enumerator_t*)); continue; + case BUILD_BASE_CRL: + crl->baseCrlNumber = va_arg(args, chunk_t); + crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber); + break; + case BUILD_CRL_DISTRIBUTION_POINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_cdp_t *in, *cdp; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) + { + INIT(cdp, + .uri = strdup(in->uri), + .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, + ); + crl->crl_uris->insert_last(crl->crl_uris, cdp); + } + enumerator->destroy(enumerator); + continue; + } case BUILD_END: break; default: diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index 11a7f023c..d40cc3567 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -36,10 +36,8 @@ struct private_x509_plugin_t { x509_plugin_t public; }; -/** - * Implementation of x509_plugin_t.x509troy - */ -static void destroy(private_x509_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_x509_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)x509_cert_gen); @@ -69,9 +67,15 @@ static void destroy(private_x509_plugin_t *this) */ plugin_t *x509_plugin_create() { - private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t); + private_x509_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)x509_cert_gen); diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index e82e5246f..06d7a2121 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c index 88156f383..65e88335c 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c @@ -19,6 +19,8 @@ #include "xcbc_signer.h" #include "xcbc_prf.h" +static const char *plugin_name = "xcbc"; + typedef struct private_xcbc_plugin_t private_xcbc_plugin_t; /** @@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void, plugin_t *xcbc_plugin_create() { private_xcbc_plugin_t *this; + crypter_t *crypter; INIT(this, .public = { @@ -57,15 +60,24 @@ plugin_t *xcbc_plugin_create() }, ); - lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, - (prf_constructor_t)xcbc_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, - (prf_constructor_t)xcbc_prf_create); - lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, - (signer_constructor_t)xcbc_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, - (signer_constructor_t)xcbc_signer_create); - + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, plugin_name, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, plugin_name, + (signer_constructor_t)xcbc_signer_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, plugin_name, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name, + (signer_constructor_t)xcbc_signer_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c index 4d4cef829..7e7045d69 100644 --- a/src/libstrongswan/printf_hook.c +++ b/src/libstrongswan/printf_hook.c @@ -377,10 +377,8 @@ int vstr_wrapper_vasprintf(char **str, const char *format, va_list args) } #endif -/** - * Implementation of printf_hook_t.add_handler. - */ -static void add_handler(private_printf_hook_t *this, char spec, +METHOD(printf_hook_t, add_handler, void, + private_printf_hook_t *this, char spec, printf_hook_function_t hook, ...) { int i = -1; @@ -439,10 +437,8 @@ static void add_handler(private_printf_hook_t *this, char spec, } } -/** - * Implementation of printf_hook_t.destroy - */ -static void destroy(private_printf_hook_t *this) +METHOD(printf_hook_t, destroy, void, + private_printf_hook_t *this) { int i; #ifdef USE_VSTR @@ -477,10 +473,14 @@ static void destroy(private_printf_hook_t *this) */ printf_hook_t *printf_hook_create() { - private_printf_hook_t *this = malloc_thing(private_printf_hook_t); - - this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler; - this->public.destroy = (void(*)(printf_hook_t*))destroy; + private_printf_hook_t *this; + + INIT(this, + .public = { + .add_handler = _add_handler, + .destroy = _destroy, + }, + ); memset(printf_hooks, 0, sizeof(printf_hooks)); diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c index 2a44f61e8..723aec908 100644 --- a/src/libstrongswan/processing/processor.c +++ b/src/libstrongswan/processing/processor.c @@ -248,7 +248,7 @@ static void destroy(private_processor_t *this) /* * Described in header. */ -processor_t *processor_create(size_t pool_size) +processor_t *processor_create() { private_processor_t *this = malloc_thing(private_processor_t); diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 68bbbe2fd..32da194ef 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -393,13 +393,15 @@ static bool equals(private_traffic_selector_t *this, private_traffic_selector_t switch (this->type) { case TS_IPV4_ADDR_RANGE: - if (memeq(this->from4, other->from4, sizeof(this->from4))) + if (memeq(this->from4, other->from4, sizeof(this->from4)) && + memeq(this->to4, other->to4, sizeof(this->to4))) { return TRUE; } break; case TS_IPV6_ADDR_RANGE: - if (memeq(this->from6, other->from6, sizeof(this->from6))) + if (memeq(this->from6, other->from6, sizeof(this->from6)) && + memeq(this->to6, other->to6, sizeof(this->to6))) { return TRUE; } diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c index d85abb1df..bd279f51d 100644 --- a/src/libstrongswan/settings.c +++ b/src/libstrongswan/settings.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -18,12 +19,17 @@ #include #include #include +#include +#include +#include #include "settings.h" #include "debug.h" #include "utils/linked_list.h" +#include "threading/rwlock.h" +#define MAX_INCLUSION_LEVEL 10 typedef struct private_settings_t private_settings_t; typedef struct section_t section_t; @@ -45,9 +51,14 @@ struct private_settings_t { section_t *top; /** - * allocated file text + * contents of loaded files and in-memory settings (char*) */ - char *text; + linked_list_t *contents; + + /** + * lock to safely access the settings + */ + rwlock_t *lock; }; /** @@ -87,6 +98,69 @@ struct kv_t { char *value; }; +/** + * create a key/value pair + */ +static kv_t *kv_create(char *key, char *value) +{ + kv_t *this; + INIT(this, + .key = strdup(key), + .value = value, + ); + return this; +} + +/** + * destroy a key/value pair + */ +static void kv_destroy(kv_t *this) +{ + free(this->key); + free(this); +} + +/** + * create a section with the given name + */ +static section_t *section_create(char *name) +{ + section_t *this; + INIT(this, + .name = strdupnull(name), + .sections = linked_list_create(), + .kv = linked_list_create(), + ); + return this; +} + +/** + * destroy a section + */ +static void section_destroy(section_t *this) +{ + this->kv->destroy_function(this->kv, (void*)kv_destroy); + this->sections->destroy_function(this->sections, (void*)section_destroy); + free(this->name); + free(this); +} + +/** + * callback to find a section by name + */ +static bool section_find(section_t *this, char *name) +{ + return streq(this->name, name); +} + +/** + * callback to find a kv pair by key + */ +static bool kv_find(kv_t *this, char *key) +{ + return streq(this->key, key); +} + /** * Print a format key, but consume already processed arguments */ @@ -136,14 +210,15 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args) } /** - * find a section by a given key, using buffered key, reusable buffer + * Find a section by a given key, using buffered key, reusable buffer. + * If "ensure" is TRUE, the sections are created if they don't exist. */ static section_t *find_section_buffered(section_t *section, - char *start, char *key, va_list args, char *buf, int len) + char *start, char *key, va_list args, char *buf, int len, + bool ensure) { char *pos; - enumerator_t *enumerator; - section_t *current, *found = NULL; + section_t *found = NULL; if (section == NULL) { @@ -159,47 +234,75 @@ static section_t *find_section_buffered(section_t *section, { return NULL; } - enumerator = section->sections->create_enumerator(section->sections); - while (enumerator->enumerate(enumerator, ¤t)) + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&found, buf) != SUCCESS) { - if (streq(current->name, buf)) + if (ensure) { - found = current; - break; + found = section_create(buf); + section->sections->insert_last(section->sections, found); } } - enumerator->destroy(enumerator); if (found && pos) { - return find_section_buffered(found, start, pos, args, buf, len); + return find_section_buffered(found, start, pos, args, buf, len, ensure); } return found; } /** - * find a section by a given key + * Find a section by a given key (thread-safe). */ -static section_t *find_section(section_t *section, char *key, va_list args) +static section_t *find_section(private_settings_t *this, section_t *section, + char *key, va_list args) { char buf[128], keybuf[512]; + section_t *found; if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } - return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); + this->lock->read_lock(this->lock); + found = find_section_buffered(section, keybuf, keybuf, args, buf, + sizeof(buf), FALSE); + this->lock->unlock(this->lock); + return found; } /** - * Find the string value for a key, using buffered key, reusable buffer + * Ensure that the section with the given key exists (thread-safe). */ -static char *find_value_buffered(section_t *section, - char *start, char *key, va_list args, char *buf, int len) +static section_t *ensure_section(private_settings_t *this, section_t *section, + char *key, va_list args) { - char *pos, *value = NULL; - enumerator_t *enumerator; - kv_t *kv; - section_t *current, *found = NULL; + char buf[128], keybuf[512]; + section_t *found; + + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) + { + return NULL; + } + /* we might have to change the tree */ + this->lock->write_lock(this->lock); + found = find_section_buffered(section, keybuf, keybuf, args, buf, + sizeof(buf), TRUE); + this->lock->unlock(this->lock); + return found; +} + +/** + * Find the key/value pair for a key, using buffered key, reusable buffer + * If "ensure" is TRUE, the sections (and key/value pair) are created if they + * don't exist. + */ +static kv_t *find_value_buffered(section_t *section, char *start, char *key, + va_list args, char *buf, int len, bool ensure) +{ + char *pos; + kv_t *kv = NULL; + section_t *found = NULL; if (section == NULL) { @@ -216,20 +319,19 @@ static char *find_value_buffered(section_t *section, { return NULL; } - enumerator = section->sections->create_enumerator(section->sections); - while (enumerator->enumerate(enumerator, ¤t)) + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&found, buf) != SUCCESS) { - if (streq(current->name, buf)) + if (!ensure) { - found = current; - break; + return NULL; } + found = section_create(buf); + section->sections->insert_last(section->sections, found); } - enumerator->destroy(enumerator); - if (found) - { - return find_value_buffered(found, start, pos, args, buf, len); - } + return find_value_buffered(found, start, pos, args, buf, len, + ensure); } else { @@ -237,44 +339,86 @@ static char *find_value_buffered(section_t *section, { return NULL; } - enumerator = section->kv->create_enumerator(section->kv); - while (enumerator->enumerate(enumerator, &kv)) + if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find, + (void**)&kv, buf) != SUCCESS) { - if (streq(kv->key, buf)) + if (ensure) { - value = kv->value; - break; + kv = kv_create(buf, NULL); + section->kv->insert_last(section->kv, kv); } } - enumerator->destroy(enumerator); } - return value; + return kv; } /** - * Find the string value for a key + * Find the string value for a key (thread-safe). */ -static char *find_value(section_t *section, char *key, va_list args) +static char *find_value(private_settings_t *this, section_t *section, + char *key, va_list args) { - char buf[128], keybuf[512]; + char buf[128], keybuf[512], *value = NULL; + kv_t *kv; if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } - return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); + this->lock->read_lock(this->lock); + kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), + FALSE); + if (kv) + { + value = kv->value; + } + this->lock->unlock(this->lock); + return value; } /** - * Implementation of settings_t.get. + * Set a value to a copy of the given string (thread-safe). */ -static char* get_str(private_settings_t *this, char *key, char *def, ...) +static void set_value(private_settings_t *this, section_t *section, + char *key, va_list args, char *value) +{ + char buf[128], keybuf[512]; + kv_t *kv; + + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) + { + return; + } + this->lock->write_lock(this->lock); + kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), + TRUE); + if (kv) + { + if (!value) + { + kv->value = NULL; + } + else if (kv->value && (strlen(value) <= strlen(kv->value))) + { /* overwrite in-place, if possible */ + strcpy(kv->value, value); + } + else + { /* otherwise clone the string and store it in the cache */ + kv->value = strdup(value); + this->contents->insert_last(this->contents, kv->value); + } + } + this->lock->unlock(this->lock); +} + +METHOD(settings_t, get_str, char*, + private_settings_t *this, char *key, char *def, ...) { char *value; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); if (value) { @@ -284,29 +428,23 @@ static char* get_str(private_settings_t *this, char *key, char *def, ...) } /** - * Implementation of settings_t.get_bool. + * Described in header */ -static bool get_bool(private_settings_t *this, char *key, bool def, ...) +inline bool settings_value_as_bool(char *value, bool def) { - char *value; - va_list args; - - va_start(args, def); - value = find_value(this->top, key, args); - va_end(args); if (value) { - if (strcaseeq(value, "true") || - strcaseeq(value, "enabled") || + if (strcaseeq(value, "1") || strcaseeq(value, "yes") || - strcaseeq(value, "1")) + strcaseeq(value, "true") || + strcaseeq(value, "enabled")) { return TRUE; } - else if (strcaseeq(value, "false") || - strcaseeq(value, "disabled") || + else if (strcaseeq(value, "0") || strcaseeq(value, "no") || - strcaseeq(value, "0")) + strcaseeq(value, "false") || + strcaseeq(value, "disabled")) { return FALSE; } @@ -314,18 +452,24 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...) return def; } -/** - * Implementation of settings_t.get_int. - */ -static int get_int(private_settings_t *this, char *key, int def, ...) +METHOD(settings_t, get_bool, bool, + private_settings_t *this, char *key, bool def, ...) { char *value; - int intval; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_bool(value, def); +} + +/** + * Described in header + */ +inline int settings_value_as_int(char *value, int def) +{ + int intval; if (value) { errno = 0; @@ -338,18 +482,24 @@ static int get_int(private_settings_t *this, char *key, int def, ...) return def; } -/** - * Implementation of settings_t.get_double. - */ -static double get_double(private_settings_t *this, char *key, double def, ...) +METHOD(settings_t, get_int, int, + private_settings_t *this, char *key, int def, ...) { char *value; - double dval; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_int(value, def); +} + +/** + * Described in header + */ +inline double settings_value_as_double(char *value, double def) +{ + double dval; if (value) { errno = 0; @@ -362,18 +512,25 @@ static double get_double(private_settings_t *this, char *key, double def, ...) return def; } -/** - * Implementation of settings_t.get_time. - */ -static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ...) +METHOD(settings_t, get_double, double, + private_settings_t *this, char *key, double def, ...) { - char *value, *endptr; - u_int32_t timeval; + char *value; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_double(value, def); +} + +/** + * Described in header + */ +inline u_int32_t settings_value_as_time(char *value, u_int32_t def) +{ + char *endptr; + u_int32_t timeval; if (value) { errno = 0; @@ -392,7 +549,7 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, .. timeval *= 60; break; case 's': /* time in seconds */ - default: + default: break; } return timeval; @@ -401,6 +558,75 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, .. return def; } +METHOD(settings_t, get_time, u_int32_t, + private_settings_t *this, char *key, u_int32_t def, ...) +{ + char *value; + va_list args; + + va_start(args, def); + value = find_value(this, this->top, key, args); + va_end(args); + return settings_value_as_time(value, def); +} + +METHOD(settings_t, set_str, void, + private_settings_t *this, char *key, char *value, ...) +{ + va_list args; + va_start(args, value); + set_value(this, this->top, key, args, value); + va_end(args); +} + +METHOD(settings_t, set_bool, void, + private_settings_t *this, char *key, bool value, ...) +{ + va_list args; + va_start(args, value); + set_value(this, this->top, key, args, value ? "1" : "0"); + va_end(args); +} + +METHOD(settings_t, set_int, void, + private_settings_t *this, char *key, int value, ...) +{ + char val[16]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%d", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + +METHOD(settings_t, set_double, void, + private_settings_t *this, char *key, double value, ...) +{ + char val[64]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%f", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + +METHOD(settings_t, set_time, void, + private_settings_t *this, char *key, u_int32_t value, ...) +{ + char val[16]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%u", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + /** * Enumerate section names, not sections */ @@ -410,26 +636,24 @@ static bool section_filter(void *null, section_t **in, char **out) return TRUE; } -/** - * Implementation of settings_t.create_section_enumerator - */ -static enumerator_t* create_section_enumerator(private_settings_t *this, - char *key, ...) +METHOD(settings_t, create_section_enumerator, enumerator_t*, + private_settings_t *this, char *key, ...) { section_t *section; va_list args; va_start(args, key); - section = find_section(this->top, key, args); + section = find_section(this, this->top, key, args); va_end(args); if (!section) { return enumerator_create_empty(); } + this->lock->read_lock(this->lock); return enumerator_create_filter( - section->sections->create_enumerator(section->sections), - (void*)section_filter, NULL, NULL); + section->sections->create_enumerator(section->sections), + (void*)section_filter, this->lock, (void*)this->lock->unlock); } /** @@ -443,37 +667,24 @@ static bool kv_filter(void *null, kv_t **in, char **key, return TRUE; } -/** - * Implementation of settings_t.create_key_value_enumerator - */ -static enumerator_t* create_key_value_enumerator(private_settings_t *this, - char *key, ...) +METHOD(settings_t, create_key_value_enumerator, enumerator_t*, + private_settings_t *this, char *key, ...) { section_t *section; va_list args; va_start(args, key); - section = find_section(this->top, key, args); + section = find_section(this, this->top, key, args); va_end(args); if (!section) { return enumerator_create_empty(); } + this->lock->read_lock(this->lock); return enumerator_create_filter( section->kv->create_enumerator(section->kv), - (void*)kv_filter, NULL, NULL); -} - -/** - * destroy a section - */ -static void section_destroy(section_t *this) -{ - this->kv->destroy_function(this->kv, free); - this->sections->destroy_function(this->sections, (void*)section_destroy); - - free(this); + (void*)kv_filter, this->lock, (void*)this->lock->unlock); } /** @@ -550,46 +761,135 @@ static char parse(char **text, char *skip, char *term, char *br, char **token) return 0; } +/** + * Check if "text" starts with "pattern". + * Characters in "skip" are skipped first. If found, TRUE is returned and "text" + * is modified to point to the character right after "pattern". + */ +static bool starts_with(char **text, char *skip, char *pattern) +{ + char *pos = *text; + int len = strlen(pattern); + while (strchr(skip, *pos)) + { + pos++; + if (!*pos) + { + return FALSE; + } + } + if (strlen(pos) < len || !strneq(pos, pattern, len)) + { + return FALSE; + } + *text = pos + len; + return TRUE; +} + +/** + * Check if what follows in "text" is an include statement. + * If this function returns TRUE, "text" will point to the character right after + * the include pattern, which is returned in "pattern". + */ +static bool parse_include(char **text, char **pattern) +{ + char *pos = *text; + if (!starts_with(&pos, "\n\t ", "include")) + { + return FALSE; + } + if (starts_with(&pos, "\t ", "=")) + { /* ignore "include = value" */ + return FALSE; + } + *text = pos; + return parse(text, "\t ", "\n", NULL, pattern) != 0; +} + +/** + * Forward declaration. + */ +static bool parse_files(linked_list_t *contents, char *file, int level, + char *pattern, section_t *section); + /** * Parse a section */ -static section_t* parse_section(char **text, char *name) +static bool parse_section(linked_list_t *contents, char *file, int level, + char **text, section_t *section) { - section_t *sub, *section; bool finished = FALSE; char *key, *value, *inner; - static int lev = 0; - lev++; - - section = malloc_thing(section_t); - section->name = name; - section->sections = linked_list_create(); - section->kv = linked_list_create(); - while (!finished) { + if (parse_include(text, &value)) + { + if (!parse_files(contents, file, level, value, section)) + { + DBG1(DBG_LIB, "failed to include '%s'", value); + return FALSE; + } + continue; + } switch (parse(text, "\t\n ", "{=#", NULL, &key)) { case '{': if (parse(text, "\t ", "}", "{", &inner)) { - sub = parse_section(&inner, key); - if (sub) + section_t *sub; + if (!strlen(key)) { - section->sections->insert_last(section->sections, sub); + DBG1(DBG_LIB, "skipping section without name in '%s'", + section->name); continue; } + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&sub, key) != SUCCESS) + { + sub = section_create(key); + if (parse_section(contents, file, level, &inner, sub)) + { + section->sections->insert_last(section->sections, + sub); + continue; + } + section_destroy(sub); + } + else + { /* extend the existing section */ + if (parse_section(contents, file, level, &inner, sub)) + { + continue; + } + } + DBG1(DBG_LIB, "parsing subsection '%s' failed", key); + break; } DBG1(DBG_LIB, "matching '}' not found near %s", *text); break; case '=': if (parse(text, "\t ", "\n", NULL, &value)) { - kv_t *kv = malloc_thing(kv_t); - kv->key = key; - kv->value = value; - section->kv->insert_last(section->kv, kv); + kv_t *kv; + if (!strlen(key)) + { + DBG1(DBG_LIB, "skipping value without key in '%s'", + section->name); + continue; + } + if (section->kv->find_first(section->kv, + (linked_list_match_t)kv_find, + (void**)&kv, key) != SUCCESS) + { + kv = kv_create(key, value); + section->kv->insert_last(section->kv, kv); + } + else + { /* replace with the most recently read value */ + kv->value = value; + } continue; } DBG1(DBG_LIB, "parsing value failed near %s", *text); @@ -601,78 +901,272 @@ static section_t* parse_section(char **text, char *name) finished = TRUE; continue; } - section_destroy(section); - return NULL; + return FALSE; } - return section; + return TRUE; } /** - * Implementation of settings_t.destroy + * Parse a file and add the settings to the given section. */ -static void destroy(private_settings_t *this) +static bool parse_file(linked_list_t *contents, char *file, int level, + section_t *section) { - if (this->top) + bool success; + char *text, *pos; + FILE *fd; + int len; + + DBG2(DBG_LIB, "loading config file '%s'", file); + fd = fopen(file, "r"); + if (fd == NULL) { - section_destroy(this->top); + DBG1(DBG_LIB, "'%s' does not exist or is not readable", file); + return FALSE; } - free(this->text); - free(this); + fseek(fd, 0, SEEK_END); + len = ftell(fd); + rewind(fd); + text = malloc(len + 1); + text[len] = '\0'; + if (fread(text, 1, len, fd) != len) + { + free(text); + return FALSE; + } + fclose(fd); + + pos = text; + success = parse_section(contents, file, level, &pos, section); + if (!success) + { + free(text); + } + else + { + contents->insert_last(contents, text); + } + return success; } -/* - * see header file +/** + * Load the files matching "pattern", which is resolved with glob(3). + * If the pattern is relative, the directory of "file" is used as base. */ -settings_t *settings_create(char *file) +static bool parse_files(linked_list_t *contents, char *file, int level, + char *pattern, section_t *section) { - private_settings_t *this; - char *pos; - FILE *fd; - int len; + bool success = TRUE; + int status; + glob_t buf; + char **expanded, pat[PATH_MAX]; - this = malloc_thing(private_settings_t); - this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str; - this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int; - this->public.get_double = (double(*)(settings_t*, char *key, double def, ...))get_double; - this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time; - this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool; - this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator; - this->public.create_key_value_enumerator = (enumerator_t*(*)(settings_t*, char *key, ...))create_key_value_enumerator; - this->public.destroy = (void(*)(settings_t*))destroy; + if (level > MAX_INCLUSION_LEVEL) + { + DBG1(DBG_LIB, "maximum level of %d includes reached, ignored", + MAX_INCLUSION_LEVEL); + return TRUE; + } - this->top = NULL; - this->text = NULL; + if (!strlen(pattern)) + { + DBG2(DBG_LIB, "empty include pattern, ignored"); + return TRUE; + } - if (file == NULL) + if (!file || pattern[0] == '/') + { /* absolute path */ + if (snprintf(pat, sizeof(pat), "%s", pattern) >= sizeof(pat)) + { + DBG1(DBG_LIB, "include pattern too long, ignored"); + return TRUE; + } + } + else + { /* base relative paths to the directory of the current file */ + char *dir = strdup(file); + dir = dirname(dir); + if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat)) + { + DBG1(DBG_LIB, "include pattern too long, ignored"); + free(dir); + return TRUE; + } + free(dir); + } + status = glob(pat, GLOB_ERR, NULL, &buf); + if (status == GLOB_NOMATCH) { - file = STRONGSWAN_CONF; + DBG2(DBG_LIB, "no files found matching '%s', ignored", pat); } - fd = fopen(file, "r"); - if (fd == NULL) + else if (status != 0) { - DBG1(DBG_LIB, "'%s' does not exist or is not readable", file); - return &this->public; + DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat); + success = FALSE; } - fseek(fd, 0, SEEK_END); - len = ftell(fd); - rewind(fd); - this->text = malloc(len + 1); - this->text[len] = '\0'; - if (fread(this->text, 1, len, fd) != len) + else { - free(this->text); - this->text = NULL; - return &this->public; + for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) + { + success &= parse_file(contents, *expanded, level + 1, section); + if (!success) + { + break; + } + } } - fclose(fd); + globfree(&buf); + return success; +} + +/** + * Recursivly extends "base" with "extension". + */ +static void section_extend(section_t *base, section_t *extension) +{ + enumerator_t *enumerator; + section_t *sec; + kv_t *kv; + + enumerator = extension->sections->create_enumerator(extension->sections); + while (enumerator->enumerate(enumerator, (void**)&sec)) + { + section_t *found; + if (base->sections->find_first(base->sections, + (linked_list_match_t)section_find, (void**)&found, + sec->name) == SUCCESS) + { + section_extend(found, sec); + } + else + { + extension->sections->remove_at(extension->sections, enumerator); + base->sections->insert_last(base->sections, sec); + } + } + enumerator->destroy(enumerator); + + enumerator = extension->kv->create_enumerator(extension->kv); + while (enumerator->enumerate(enumerator, (void**)&kv)) + { + kv_t *found; + if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find, + (void**)&found, kv->key) == SUCCESS) + { + found->value = kv->value; + } + else + { + extension->kv->remove_at(extension->kv, enumerator); + base->kv->insert_last(base->kv, kv); + } + } + enumerator->destroy(enumerator); +} + +/** + * Load settings from files matching the given file pattern. + * All sections and values are added relative to "parent". + * All files (even included ones) have to be loaded successfully. + */ +static bool load_files_internal(private_settings_t *this, section_t *parent, + char *pattern) +{ + char *text; + linked_list_t *contents = linked_list_create(); + section_t *section = section_create(NULL); + + if (!parse_files(contents, NULL, 0, pattern, section)) + { + contents->destroy_function(contents, (void*)free); + section_destroy(section); + return FALSE; + } + + this->lock->write_lock(this->lock); + /* extend parent section */ + section_extend(parent, section); + /* move contents of loaded files to main store */ + while (contents->remove_first(contents, (void**)&text) == SUCCESS) + { + this->contents->insert_last(this->contents, text); + } + this->lock->unlock(this->lock); + + section_destroy(section); + contents->destroy(contents); + return TRUE; +} + +METHOD(settings_t, load_files, bool, + private_settings_t *this, char *pattern) +{ + return load_files_internal(this, this->top, pattern); +} + +METHOD(settings_t, load_files_section, bool, + private_settings_t *this, char *pattern, char *key, ...) +{ + section_t *section; + va_list args; + + va_start(args, key); + section = ensure_section(this, this->top, key, args); + va_end(args); - pos = this->text; - this->top = parse_section(&pos, NULL); - if (this->top == NULL) + if (!section) { - free(this->text); - this->text = NULL; + return FALSE; } + return load_files_internal(this, section, pattern); +} + +METHOD(settings_t, destroy, void, + private_settings_t *this) +{ + section_destroy(this->top); + this->contents->destroy_function(this->contents, (void*)free); + this->lock->destroy(this->lock); + free(this); +} + +/* + * see header file + */ +settings_t *settings_create(char *file) +{ + private_settings_t *this; + + INIT(this, + .public = { + .get_str = _get_str, + .get_int = _get_int, + .get_double = _get_double, + .get_time = _get_time, + .get_bool = _get_bool, + .set_str = _set_str, + .set_int = _set_int, + .set_double = _set_double, + .set_time = _set_time, + .set_bool = _set_bool, + .create_section_enumerator = _create_section_enumerator, + .create_key_value_enumerator = _create_key_value_enumerator, + .load_files = _load_files, + .load_files_section = _load_files_section, + .destroy = _destroy, + }, + .top = section_create(NULL), + .contents = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + if (file == NULL) + { + file = STRONGSWAN_CONF; + } + + load_files(this, file); + return &this->public; } diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h index 486de8def..bc3df3706 100644 --- a/src/libstrongswan/settings.h +++ b/src/libstrongswan/settings.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -26,15 +27,55 @@ typedef struct settings_t settings_t; #include "utils.h" #include "utils/enumerator.h" +/** + * Convert a string value returned by a key/value enumerator to a boolean. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_bool() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +bool settings_value_as_bool(char *value, bool def); + +/** + * Convert a string value returned by a key/value enumerator to an integer. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_int() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +int settings_value_as_int(char *value, int def); + +/** + * Convert a string value returned by a key/value enumerator to a double. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_double() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +double settings_value_as_double(char *value, double def); + +/** + * Convert a string value returned by a key/value enumerator to a time value. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_time() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +u_int32_t settings_value_as_time(char *value, u_int32_t def); + /** * Generic configuration options read from a config file. * * The syntax is quite simple: - * + * @code * settings := (section|keyvalue)* * section := name { settings } * keyvalue := key = value\n - * + * @endcode * E.g.: * @code a = b @@ -54,6 +95,51 @@ typedef struct settings_t settings_t; * * Currently only a limited set of printf format specifiers are supported * (namely %s, %d and %N, see implementation for details). + * + * \section includes Including other files + * Other files can be included, using the include statement e.g. + * @code + * include /somepath/subconfig.conf + * @endcode + * Shell patterns like *.conf are possible. + * + * If the path is relative, the directory of the file containing the include + * statement is used as base. + * + * Sections loaded from included files extend previously loaded sections, + * already existing values are replaced. + * + * All settings included from files are added relative to the section the + * include statment is in. + * + * The following files result in the same final config as above: + * + * @code + a = b + section-one { + somevalue = before include + include include.conf + } + include two.conf + @endcode + * include.conf + * @code + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + @endcode + * two.conf + * @code + section-one { + subsection { + othervalue = xxx + } + } + section-two { + } + @endcode */ struct settings_t { @@ -107,6 +193,51 @@ struct settings_t { */ u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...); + /** + * Set a string value. + * + * @param key key including sections, printf style format + * @param value value to set (gets cloned) + * @param ... argument list for key + */ + void (*set_str)(settings_t *this, char *key, char *value, ...); + + /** + * Set a boolean value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_bool)(settings_t *this, char *key, bool value, ...); + + /** + * Set an integer value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_int)(settings_t *this, char *key, int value, ...); + + /** + * Set an double value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_double)(settings_t *this, char *key, double value, ...); + + /** + * Set a time value. + * + * @param key key including sections, printf style format + * @param def value to set + * @param ... argument list for key + */ + void (*set_time)(settings_t *this, char *key, u_int32_t value, ...); + /** * Create an enumerator over subsection names of a section. * @@ -121,12 +252,46 @@ struct settings_t { * Create an enumerator over key/value pairs in a section. * * @param section section name to list key/value pairs of, printf style - * @param ... argmuent list for section + * @param ... argument list for section * @return enumerator over (char *key, char *value) */ enumerator_t* (*create_key_value_enumerator)(settings_t *this, char *section, ...); + /** + * Load settings from the files matching the given pattern. + * + * Existing sections are extended, existing values replaced, by those found + * in the loaded files. + * + * @note If any of the files matching the pattern fails to load, no settings + * are added at all. So, it's all or nothing. + * + * @param pattern file pattern + * @return TRUE, if settings were loaded successfully + */ + bool (*load_files)(settings_t *this, char *pattern); + + /** + * Load settings from the files matching the given pattern. + * + * Existing sections are extended, existing values replaced, by those found + * in the loaded files. + * + * All settings are loaded relative to the given section. The section is + * created, if it does not yet exist. + * + * @note If any of the files matching the pattern fails to load, no settings + * are added at all. So, it's all or nothing. + * + * @param pattern file pattern + * @param section section name of parent section, printf style + * @param ... argument list for section + * @return TRUE, if settings were loaded successfully + */ + bool (*load_files_section)(settings_t *this, char *pattern, + char *section, ...); + /** * Destroy a settings instance. */ diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index b868d538d..2ab061a74 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -246,6 +246,14 @@ bool return_false() return FALSE; } +/** + * returns FAILED + */ +status_t return_failed() +{ + return FAILED; +} + /** * nop operation */ diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index 35d3bebd1..ed61895ee 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -57,7 +57,7 @@ #define streq(x,y) (strcmp(x, y) == 0) /** - * Macro compares two strings for equality + * Macro compares two strings for equality, length limited */ #define strneq(x,y,len) (strncmp(x, y, len) == 0) @@ -66,6 +66,16 @@ */ #define strcaseeq(x,y) (strcasecmp(x, y) == 0) +/** + * Macro compares two strings for equality ignoring case, length limited + */ +#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0) + +/** + * NULL-safe strdup variant + */ +#define strdupnull(x) ({ char *_x = x; _x ? strdup(_x) : NULL; }) + /** * Macro compares two binary blobs for equality */ @@ -381,6 +391,11 @@ bool return_true(); */ bool return_false(); +/** + * returns FAILED + */ +status_t return_failed(); + /** * Write a 16-bit host order value in network order to an unaligned address. * diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index a67245194..41224e8c2 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -132,10 +132,11 @@ static void log_(private_backtrace_t *this, FILE *file, bool detailed) /** * Implementation of backtrace_t.contains_function */ -static bool contains_function(private_backtrace_t *this, char *function) +static bool contains_function(private_backtrace_t *this, + char *function[], int count) { #ifdef HAVE_DLADDR - int i; + int i, j; for (i = 0; i< this->frame_count; i++) { @@ -143,9 +144,12 @@ static bool contains_function(private_backtrace_t *this, char *function) if (dladdr(this->frames[i], &info) && info.dli_sname) { - if (streq(info.dli_sname, function)) + for (j = 0; j < count; j++) { - return TRUE; + if (streq(info.dli_sname, function[j])) + { + return TRUE; + } } } } @@ -179,7 +183,7 @@ backtrace_t *backtrace_create(int skip) this->frame_count = frame_count; this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_; - this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function; + this->public.contains_function = (bool(*)(backtrace_t*, char *function[], int count))contains_function; this->public.destroy = (void(*)(backtrace_t*))destroy; return &this->public; diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index c6b0ec78f..e8ccfc1bd 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -41,12 +41,13 @@ struct backtrace_t { void (*log)(backtrace_t *this, FILE *file, bool detailed); /** - * Check if the backtrace contains a frame in a specific function. + * Check if the backtrace contains a frame having a function in a list. * - * @param function name - * @return TRUE if function is in the stack + * @param function name array + * @param number of elements in function array + * @return TRUE if one of the functions is in the stack */ - bool (*contains_function)(backtrace_t *this, char *function); + bool (*contains_function)(backtrace_t *this, char *function[], int count); /** * Destroy a backtrace instance. diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index dde57dc65..49b0bb68c 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -186,7 +186,7 @@ static void rehash(private_hashtable_t *this) linked_list_t **old_table; u_int row, old_capacity; - if (this->capacity < MAX_CAPACITY) + if (this->capacity >= MAX_CAPACITY) { return; } @@ -249,6 +249,7 @@ METHOD(hashtable_t, put, void*, { old_value = pair->value; pair->value = value; + pair->key = key; break; } } diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 112d07e5c..ffeebd05c 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -476,6 +476,10 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } + if (af == AF_INET && strchr(string, ':')) + { /* do not try to convert v6 addresses for v4 family */ + return NULL; + } memset(&hints, 0, sizeof(hints)); hints.ai_family = af; @@ -561,6 +565,41 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) return &this->public; } +/* + * Described in header. + */ +host_t *host_create_from_subnet(char *string, int *bits) +{ + char *pos, buf[64]; + host_t *net; + + pos = strchr(string, '/'); + if (pos) + { + if (pos - string >= sizeof(buf)) + { + return NULL; + } + strncpy(buf, string, pos - string); + buf[pos - string] = '\0'; + *bits = atoi(pos + 1); + return host_create_from_string(buf, 0); + } + net = host_create_from_string(buf, 0); + if (net) + { + if (net->get_family(net) == AF_INET) + { + *bits = 32; + } + else + { + *bits = 128; + } + } + return net; +} + /* * Described in header. */ diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h index f5796154c..0a1be6e47 100644 --- a/src/libstrongswan/utils/host.h +++ b/src/libstrongswan/utils/host.h @@ -189,6 +189,15 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); */ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); +/** + * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits. + * + * @param string string to parse + * @param bits gets the number of network bits in CIDR notation + * @return network start address, NULL on error + */ +host_t *host_create_from_subnet(char *string, int *bits); + /** * Create a host without an address, a "any" host. * diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 0696c1030..fd2716deb 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -281,11 +281,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len) chunk_t oid_data, data, printable; u_char type; int oid, written; - bool finished = FALSE; + bool finished = FALSE, empty = TRUE; e = create_rdn_enumerator(dn); while (e->enumerate(e, &oid_data, &type, &data)) { + empty = FALSE; + oid = asn1_known_oid(oid_data); if (oid == OID_UNKNOWN) @@ -329,7 +331,11 @@ static void dntoa(chunk_t dn, char *buf, size_t len) break; } } - if (!finished) + if (empty) + { + snprintf(buf, len, ""); + } + else if (!finished) { snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 5673fc32d..52e92951b 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -218,24 +218,22 @@ char *whitelist[] = { "gcry_create_nonce", /* NSPR */ "PR_CallOnce", + /* libapr */ + "apr_pool_create_ex", + /* glib */ + "g_type_init_with_debug_flags", + "g_type_register_static", + "g_type_class_ref", + "g_type_create_instance", + "g_type_add_interface_static", + "g_type_interface_add_prerequisite", + "g_socket_connection_factory_lookup_type", + /* libgpg */ + "gpg_err_init", + /* gnutls */ + "gnutls_global_init", }; -/** - * check if a stack frame contains functions listed above - */ -static bool is_whitelisted(backtrace_t *backtrace) -{ - int i; - for (i = 0; i < sizeof(whitelist)/sizeof(char*); i++) - { - if (backtrace->contains_function(backtrace, whitelist[i])) - { - return TRUE; - } - } - return FALSE; -} - /** * Report leaks at library destruction */ @@ -248,7 +246,8 @@ static void report(private_leak_detective_t *this, bool detailed) for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) { - if (is_whitelisted(hdr->backtrace)) + if (hdr->backtrace->contains_function(hdr->backtrace, + whitelist, countof(whitelist))) { whitelisted++; } diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c index d8f635c62..e51780290 100644 --- a/src/libstrongswan/utils/optionsfrom.c +++ b/src/libstrongswan/utils/optionsfrom.c @@ -61,11 +61,8 @@ struct private_options_t { char *buffers[MAX_USES]; }; -/** - * Defined in header - */ -bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], - int optind) +METHOD(options_t, from, bool, + private_options_t *this, char *filename, int *argcp, char **argvp[], int optind) { int newargc; int next; /* place for next argument */ @@ -182,10 +179,8 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], return good; } -/** - * Defined in header - */ -void destroy(private_options_t *this) +METHOD(options_t, destroy, void, + private_options_t *this) { while (this->nuses >= 0) { @@ -200,17 +195,16 @@ void destroy(private_options_t *this) */ options_t *options_create(void) { - private_options_t *this = malloc_thing(private_options_t); + private_options_t *this; - /* initialize */ - this->newargv = NULL; - this->room = 0; - this->nuses = -1; - memset(this->buffers, '\0', MAX_USES); + INIT(this, + .public = { + .from = _from, + .destroy = _destroy, - /* public functions */ - this->public.from = (bool (*) (options_t*,char*,int*,char***,int))from; - this->public.destroy = (void (*) (options_t*))destroy; + }, + .nuses = -1, + ); return &this->public; } diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 9f0a817f5..93e8b4a9b 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -195,9 +195,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -236,6 +234,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libtls/tls.h b/src/libtls/tls.h index 1908f5dd4..e2c377ad3 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -202,7 +202,7 @@ struct tls_t { /** * Check if TLS negotiation completed successfully. * - * @return TRUE if TLS negotation and authentication complete + * @return TRUE if TLS negotiation and authentication complete */ bool (*is_complete)(tls_t *this); diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 78f2a796d..b4eaf4d79 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -626,15 +626,18 @@ static void filter_suite(private_tls_crypto_t *this, suite_algs_t suites[], int *count, int offset, enumerator_t*(*create_enumerator)(crypto_factory_t*)) { + const char *plugin_name; suite_algs_t current; - int i, remaining = 0; + int *current_alg, i, remaining = 0; enumerator_t *enumerator; memset(¤t, 0, sizeof(current)); + current_alg = (int*)((char*)¤t + offset); + for (i = 0; i < *count; i++) { enumerator = create_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, ((char*)¤t) + offset)) + while (enumerator->enumerate(enumerator, current_alg, &plugin_name)) { if ((suites[i].encr == ENCR_NULL || !current.encr || current.encr == suites[i].encr) && @@ -1060,10 +1063,11 @@ METHOD(tls_crypto_t, get_signature_algorithms, void, enumerator_t *enumerator; hash_algorithm_t alg; tls_hash_algorithm_t hash; + const char *plugin_name; supported = tls_writer_create(32); enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &alg)) + while (enumerator->enumerate(enumerator, &alg, &plugin_name)) { switch (alg) { diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c index a8c3a5053..8204a3441 100644 --- a/src/libtls/tls_eap.c +++ b/src/libtls/tls_eap.c @@ -303,17 +303,21 @@ METHOD(tls_eap_t, process, status_t, DBG2(DBG_TLS, "received %N acknowledgement packet", eap_type_names, this->type); status = build_pkt(this, pkt->identifier, out); - if (status == INVALID_STATE && - this->tls->is_complete(this->tls)) + if (status == INVALID_STATE && this->tls->is_complete(this->tls)) { return SUCCESS; } return status; } status = process_pkt(this, pkt); - if (status != NEED_MORE) + switch (status) { - return status; + case NEED_MORE: + break; + case SUCCESS: + return this->tls->is_complete(this->tls) ? SUCCESS : FAILED; + default: + return status; } } status = build_pkt(this, pkt->identifier, out); diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c index 17ec68fd5..2b3cd8cac 100644 --- a/src/libtls/tls_reader.c +++ b/src/libtls/tls_reader.c @@ -52,8 +52,8 @@ METHOD(tls_reader_t, read_uint8, bool, { if (this->buf.len < 1) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 8); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int8 data", + this->buf.len); return FALSE; } *res = this->buf.ptr[0]; @@ -66,8 +66,8 @@ METHOD(tls_reader_t, read_uint16, bool, { if (this->buf.len < 2) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 16); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int16 data", + this->buf.len); return FALSE; } *res = untoh16(this->buf.ptr); @@ -80,8 +80,8 @@ METHOD(tls_reader_t, read_uint24, bool, { if (this->buf.len < 3) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 24); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int24 data", + this->buf.len); return FALSE; } *res = untoh32(this->buf.ptr) >> 8; @@ -94,8 +94,8 @@ METHOD(tls_reader_t, read_uint32, bool, { if (this->buf.len < 4) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 32); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int32 data", + this->buf.len); return FALSE; } *res = untoh32(this->buf.ptr); @@ -108,7 +108,7 @@ METHOD(tls_reader_t, read_data, bool, { if (this->buf.len < len) { - DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data", + DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes of data", this->buf.len, len); return FALSE; } diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c index 235dc2cdf..e87c2efea 100644 --- a/src/libtls/tls_writer.c +++ b/src/libtls/tls_writer.c @@ -226,7 +226,7 @@ tls_writer_t *tls_writer_create(u_int32_t bufsize) .get_buf = _get_buf, .destroy = _destroy, }, - .increase = bufsize ?: 32, + .increase = bufsize ? max(bufsize, 4) : 32, ); if (bufsize) { diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 5073d9686..2e139f839 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -236,9 +236,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -277,6 +275,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 07315cfd2..9c9662f7f 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index fcac66226..ec4657e55 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 0ec6f9c0b..c6651fdf5 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -197,9 +197,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -238,6 +236,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pki/command.c b/src/pki/command.c index b9c35d99b..0142b4ab7 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -201,7 +201,7 @@ int command_usage(char *error) } for (i = 0; cmds[active].options[i].name; i++) { - fprintf(out, " --%-8s (-%c) %s\n", + fprintf(out, " --%-15s (-%c) %s\n", cmds[active].options[i].name, cmds[active].options[i].op, cmds[active].options[i].desc); } diff --git a/src/pki/command.h b/src/pki/command.h index fad598c0b..a6f8bc758 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -29,7 +29,7 @@ /** * Maximum number of options in a command (+1) */ -#define MAX_OPTIONS 20 +#define MAX_OPTIONS 32 /** * Maximum number of usage summary lines (+1) diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 8ea852e31..6a5686d92 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -18,11 +18,40 @@ #include "pki.h" #include +#include #include #include #include #include +/** + * Free cert policy with OID + */ +static void destroy_cert_policy(x509_cert_policy_t *policy) +{ + free(policy->oid.ptr); + free(policy); +} + +/** + * Free policy mapping + */ +static void destroy_policy_mapping(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} + +/** + * Free a CRL DistributionPoint + */ +static void destroy_cdp(x509_cdp_t *this) +{ + DESTROY_IF(this->issuer); + free(this); +} + /** * Issue a certificate using a CA certificate and key */ @@ -37,19 +66,26 @@ static int issue() char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; char *error = NULL, *keyid = NULL; identification_t *id = NULL; - linked_list_t *san, *cdps, *ocsp; + linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; - int pathlen = X509_NO_PATH_LEN_CONSTRAINT; + int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; + int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; x509_t *x509; + x509_cdp_t *cdp = NULL; + x509_cert_policy_t *policy = NULL; char *arg; san = linked_list_create(); cdps = linked_list_create(); ocsp = linked_list_create(); + permitted = linked_list_create(); + excluded = linked_list_create(); + policies = linked_list_create(); + mappings = linked_list_create(); while (TRUE) { @@ -111,6 +147,79 @@ static int issue() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -120,6 +229,10 @@ static int issue() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -128,11 +241,23 @@ static int issue() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'u': - cdps->insert_last(cdps, arg); + INIT(cdp, + .uri = arg, + ); + cdps->insert_last(cdps, cdp); + continue; + case 'I': + if (!cdp || cdp->issuer) + { + error = "--crlissuer must follow a --crl"; + goto usage; + } + cdp->issuer = identification_create_from_string(arg); continue; case 'o': ocsp->insert_last(ocsp, arg); @@ -145,12 +270,6 @@ static int issue() } break; } - - if (!pkcs10 && !dn) - { - error = "--dn is required"; - goto usage; - } if (!cacert) { error = "--cacert is required"; @@ -161,7 +280,7 @@ static int issue() error = "--cakey or --keyid is required"; goto usage; } - if (dn) + if (dn && *dn) { id = identification_create_from_string(dn); if (id->get_type(id) != ID_DER_ASN1_DN) @@ -306,6 +425,12 @@ static int issue() goto end; } + if (!id) + { + id = identification_create_from_encoding(ID_DER_ASN1_DN, + chunk_from_chars(ASN1_SEQUENCE, 0)); + } + not_before = time(NULL); not_after = not_before + lifetime * 24 * 60 * 60; @@ -317,7 +442,15 @@ static int issue() BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_CRL_DISTRIBUTION_POINTS, cdps, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; @@ -342,7 +475,11 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); - cdps->destroy(cdps); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -356,7 +493,11 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); - cdps->destroy(cdps); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); return command_usage(error); } @@ -370,28 +511,42 @@ static void __attribute__ ((constructor))reg() issue, 'i', "issue", "issue a certificate using a CA certificate and key", {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", - " --cacert file --dn subject-dn [--san subjectAltName]+", - "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", - "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", + " --cacert file [--dn subject-dn] [--san subjectAltName]+", + "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", + "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "public key/request file to issue, default: stdin"}, - {"type", 't', 1, "type of input, default: pub"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"dn", 'd', 1, "distinguished name to include as subject"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"crl", 'u', 1, "CRL distribution point URI to include"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "public key/request file to issue, default: stdin"}, + {"type", 't', 1, "type of input, default: pub"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"dn", 'd', 1, "distinguished name to include as subject"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, + {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, + {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, + {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"}, + {"user-notice", 'U', 1, "user notice for certificatePolicy"}, + {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"}, + {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"}, + {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"}, + {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"crl", 'u', 1, "CRL distribution point URI to include"}, + {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 870dca920..ee6f30c98 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -15,6 +15,7 @@ #include "pki.h" +#include #include #include #include @@ -72,8 +73,11 @@ static void print_x509(x509_t *x509) chunk_t chunk; bool first; char *uri; - int len; + int len, explicit, inhibit; x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; chunk = x509->get_serial(x509); printf("serial: %#B\n", &chunk); @@ -105,6 +109,10 @@ static void print_x509(x509_t *x509) { printf("CA "); } + if (flags & X509_CRL_SIGN) + { + printf("CRLSign "); + } if (flags & X509_AA) { printf("AA "); @@ -133,17 +141,22 @@ static void print_x509(x509_t *x509) first = TRUE; enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &cdp)) { if (first) { - printf("CRL URIs: %s\n", uri); + printf("CRL URIs: %s", cdp->uri); first = FALSE; } else { - printf(" %s\n", uri); + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); } + printf("\n"); } enumerator->destroy(enumerator); @@ -163,12 +176,111 @@ static void print_x509(x509_t *x509) } enumerator->destroy(enumerator); - len = x509->get_pathLenConstraint(x509); - if (len != X509_NO_PATH_LEN_CONSTRAINT) + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) { printf("pathlen: %d\n", len); } + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Permitted NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Excluded NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + printf("CertificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + printf(" %s\n", oid); + free(oid); + } + else + { + printf(" %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + printf(" CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + printf(" Notice: %s\n", policy->unotice_text); + + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + printf("PolicyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + printf(" %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + printf("PolicyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + printf(" requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + printf(" inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + printf(" inhibitAnyPolicy: %d\n", len); + } + } + chunk = x509->get_authKeyIdentifier(x509); if (chunk.ptr) { @@ -212,14 +324,41 @@ static void print_crl(crl_t *crl) crl_reason_t reason; chunk_t chunk; int count = 0; + bool first; char buf[64]; struct tm tm; + x509_cdp_t *cdp; chunk = crl->get_serial(crl); printf("serial: %#B\n", &chunk); + if (crl->is_delta_crl(crl, &chunk)) + { + printf("delta CRL: for serial %#B\n", &chunk); + } chunk = crl->get_authKeyIdentifier(crl); printf("authKeyId: %#B\n", &chunk); + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + printf("freshest: %s", cdp->uri); + first = FALSE; + } + else + { + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); + } + printf("\n"); + } + enumerator->destroy(enumerator); + enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 5e6f0bd14..c7788ff62 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -20,6 +20,26 @@ #include #include #include +#include + +/** + * Free cert policy with OID + */ +static void destroy_cert_policy(x509_cert_policy_t *policy) +{ + free(policy->oid.ptr); + free(policy); +} + +/** + * Free policy mapping + */ +static void destroy_policy_mapping(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} /** * Create a self signed certificate. @@ -34,17 +54,23 @@ static int self() public_key_t *public = NULL; char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL; identification_t *id = NULL; - linked_list_t *san, *ocsp; + linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; - int pathlen = X509_NO_PATH_LEN_CONSTRAINT; + int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; + int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; + x509_cert_policy_t *policy = NULL; char *arg; san = linked_list_create(); ocsp = linked_list_create(); + permitted = linked_list_create(); + excluded = linked_list_create(); + policies = linked_list_create(); + mappings = linked_list_create(); while (TRUE) { @@ -104,6 +130,79 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -113,6 +212,10 @@ static int self() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -121,7 +224,8 @@ static int self() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'o': @@ -206,7 +310,15 @@ static int self() BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; @@ -229,6 +341,10 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -242,6 +358,10 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); return command_usage(error); } @@ -257,23 +377,36 @@ static void __attribute__ ((constructor))reg() {"[--in file | --keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "private key input file, default: stdin"}, - {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of input key, default: rsa"}, - {"dn", 'd', 1, "subject and issuer distinguished name"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, + {"type", 't', 1, "type of input key, default: rsa"}, + {"dn", 'd', 1, "subject and issuer distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, + {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, + {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, + {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"}, + {"user-notice", 'U', 1, "user notice for certificatePolicy"}, + {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"}, + {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"}, + {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"}, + {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 24bf9123f..4b1c12e5c 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -97,6 +97,15 @@ static int read_serial(char *file, char *buf, int buflen) return serial.len; } +/** + * Destroy a CDP + */ +static void cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + free(this); +} + /** * Sign a CRL */ @@ -110,16 +119,19 @@ static int sign_crl() x509_t *x509; hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char *basecrl = NULL; char serial[512], crl_serial[8], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); int lifetime = 15; - linked_list_t *list; + linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; - chunk_t encoding = chunk_empty; + x509_cdp_t *cdp; + chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty; list = linked_list_create(); + cdps = linked_list_create(); memset(crl_serial, 0, sizeof(crl_serial)); @@ -190,6 +202,15 @@ static int sign_crl() reason = CRL_REASON_UNSPECIFIED; continue; } + case 'b': + basecrl = arg; + continue; + case 'u': + INIT(cdp, + .uri = strdup(arg), + ); + cdps->insert_last(cdps, cdp); + continue; case 'r': if (streq(arg, "key-compromise")) { @@ -262,9 +283,9 @@ static int sign_crl() goto error; } x509 = (x509_t*)ca; - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { - error = "CA certificate misses CA basicConstraint"; + error = "CA certificate misses CA basicConstraint / CRLSign keyUsage"; goto error; } public = ca->get_public_key(ca); @@ -302,6 +323,22 @@ static int sign_crl() thisUpdate = time(NULL); nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + if (basecrl) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, basecrl, BUILD_END); + if (!lastcrl) + { + error = "loading base CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl)); + DESTROY_IF((certificate_t*)lastcrl); + lastcrl = NULL; + } + if (lastupdate) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -315,6 +352,10 @@ static int sign_crl() min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); lastenum = lastcrl->create_enumerator(lastcrl); } + else + { + lastenum = enumerator_create_empty(); + } chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); @@ -324,11 +365,12 @@ static int sign_crl() BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, - BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, - lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_REVOKED_ENUMERATOR, enumerator, + BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, + BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); - DESTROY_IF(lastenum); + lastenum->destroy(lastenum); DESTROY_IF((certificate_t*)lastcrl); if (!crl) @@ -353,7 +395,9 @@ error: DESTROY_IF(ca); DESTROY_IF(crl); free(encoding.ptr); + free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); if (error) { fprintf(stderr, "%s\n", error); @@ -363,6 +407,7 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); return command_usage(error); } @@ -375,24 +420,27 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file | --cakeyid hex --lifetime days", + "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", "[ [--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp]", " --cert file | --serial hex ]*", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, - {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, - {"cert", 'z', 1, "certificate file to revoke"}, - {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, - {"reason", 'r', 1, "reason for certificate revocation"}, - {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated crl, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"lifetime", 'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"basecrl", 'b', 1, "base CRL to create a delta CRL for"}, + {"crluri", 'u', 1, "freshest delta CRL URI to include"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); } diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 080530f86..1428854ee 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -304,9 +304,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -345,6 +343,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pluto/ca.c b/src/pluto/ca.c index 2654774fa..add85def8 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -629,7 +629,7 @@ void add_ca_info(const whack_message_t *msg) if (strncasecmp(msg->ocspuri, "http", 4) == 0) ca->ocspuri = clone_str(msg->ocspuri); else - plog(" ignoring ocspuri with unkown protocol"); + plog(" ignoring ocspuri with unknown protocol"); } /* add crl uris */ diff --git a/src/pluto/crl.c b/src/pluto/crl.c index c8fb107d5..1c9c9a8cc 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -352,7 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, x509crl_t *x509crl; ca_info_t *ca; enumerator_t *enumerator; - char *point; + x509_cdp_t *cdp; ca = get_ca_info(issuer, authKeyID); @@ -376,9 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(crluris, point); + add_distribution_point(crluris, cdp->uri); } enumerator->destroy(enumerator); @@ -416,9 +416,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(x509crl->distributionPoints, point); + add_distribution_point(x509crl->distributionPoints, cdp->uri); } enumerator->destroy(enumerator); diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index 0684de618..f01966c72 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -26,14 +26,15 @@ static struct encrypt_desc encrypt_desc_3des = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_3DES_CBC, - algo_next: NULL, - - enc_blocksize: DES_BLOCK_SIZE, - keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_3DES_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: DES_BLOCK_SIZE, + keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, }; #define AES_KEY_MIN_LEN 128 @@ -42,14 +43,15 @@ static struct encrypt_desc encrypt_desc_3des = static struct encrypt_desc encrypt_desc_aes = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_AES_CBC, - algo_next: NULL, - - enc_blocksize: AES_BLOCK_SIZE, - keyminlen: AES_KEY_MIN_LEN, - keydeflen: AES_KEY_DEF_LEN, - keymaxlen: AES_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_AES_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: AES_BLOCK_SIZE, + keyminlen: AES_KEY_MIN_LEN, + keydeflen: AES_KEY_DEF_LEN, + keymaxlen: AES_KEY_MAX_LEN, }; #define CAMELLIA_KEY_MIN_LEN 128 @@ -58,14 +60,15 @@ static struct encrypt_desc encrypt_desc_aes = static struct encrypt_desc encrypt_desc_camellia = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_CAMELLIA_CBC, - algo_next: NULL, - - enc_blocksize: CAMELLIA_BLOCK_SIZE, - keyminlen: CAMELLIA_KEY_MIN_LEN, - keydeflen: CAMELLIA_KEY_DEF_LEN, - keymaxlen: CAMELLIA_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_CAMELLIA_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: CAMELLIA_BLOCK_SIZE, + keyminlen: CAMELLIA_KEY_MIN_LEN, + keydeflen: CAMELLIA_KEY_DEF_LEN, + keymaxlen: CAMELLIA_KEY_MAX_LEN, }; #define BLOWFISH_KEY_MIN_LEN 128 @@ -73,14 +76,15 @@ static struct encrypt_desc encrypt_desc_camellia = static struct encrypt_desc encrypt_desc_blowfish = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_BLOWFISH_CBC, - algo_next: NULL, - - enc_blocksize: BLOWFISH_BLOCK_SIZE, - keyminlen: BLOWFISH_KEY_MIN_LEN, - keydeflen: BLOWFISH_KEY_MIN_LEN, - keymaxlen: BLOWFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_BLOWFISH_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: BLOWFISH_BLOCK_SIZE, + keyminlen: BLOWFISH_KEY_MIN_LEN, + keydeflen: BLOWFISH_KEY_MIN_LEN, + keymaxlen: BLOWFISH_KEY_MAX_LEN, }; #define SERPENT_KEY_MIN_LEN 128 @@ -89,14 +93,15 @@ static struct encrypt_desc encrypt_desc_blowfish = static struct encrypt_desc encrypt_desc_serpent = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_SERPENT_CBC, - algo_next: NULL, - - enc_blocksize: SERPENT_BLOCK_SIZE, - keyminlen: SERPENT_KEY_MIN_LEN, - keydeflen: SERPENT_KEY_DEF_LEN, - keymaxlen: SERPENT_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_SERPENT_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: SERPENT_BLOCK_SIZE, + keyminlen: SERPENT_KEY_MIN_LEN, + keydeflen: SERPENT_KEY_DEF_LEN, + keymaxlen: SERPENT_KEY_MAX_LEN, }; #define TWOFISH_KEY_MIN_LEN 128 @@ -105,32 +110,35 @@ static struct encrypt_desc encrypt_desc_serpent = static struct encrypt_desc encrypt_desc_twofish = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct encrypt_desc encrypt_desc_twofish_ssh = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC_SSH, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC_SSH, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct hash_desc hash_desc_md5 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_MD5, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_MD5, }; @@ -139,6 +147,7 @@ static struct hash_desc hash_desc_sha1 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA1, }; @@ -146,6 +155,7 @@ static struct hash_desc hash_desc_sha1 = static struct hash_desc hash_desc_sha2_256 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_256, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA256, }; @@ -153,6 +163,7 @@ static struct hash_desc hash_desc_sha2_256 = { static struct hash_desc hash_desc_sha2_384 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_384, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA384, }; @@ -160,120 +171,136 @@ static struct hash_desc hash_desc_sha2_384 = { static struct hash_desc hash_desc_sha2_512 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_512, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA512, }; const struct dh_desc unset_group = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_NONE, - algo_next: NULL, - ke_size: 0 + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_NONE, + plugin_name: NULL, + algo_next: NULL, + ke_size: 0 }; static struct dh_desc dh_desc_modp_1024 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1024_BIT, - algo_next: NULL, - ke_size: 1024 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_1536 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1536_BIT, - algo_next: NULL, - ke_size: 1536 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1536_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1536 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_BIT, - algo_next: NULL, - ke_size: 2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_BIT, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_3072 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_3072_BIT, - algo_next: NULL, - ke_size: 3072 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_3072_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 3072 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_4096 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_4096_BIT, - algo_next: NULL, - ke_size: 4096 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_4096_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 4096 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_6144 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_6144_BIT, - algo_next: NULL, - ke_size: 6144 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_6144_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 6144 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_8192 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_8192_BIT, - algo_next: NULL, - ke_size: 8192 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_8192_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 8192 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_256 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_256_BIT, - algo_next: NULL, - ke_size: 2*256 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_256_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*256 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_384 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_384_BIT, - algo_next: NULL, - ke_size: 2*384 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_384_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*384 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_521 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_521_BIT, - algo_next: NULL, - ke_size: 2*528 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_521_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*528 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_1024_160 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1024_160, - algo_next: NULL, - ke_size: 1024 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_160, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048_224 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_224, - algo_next: NULL, - ke_size: 2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_224, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048_256 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_256, - algo_next: NULL, - ke_size: 2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_256, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_192 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_192_BIT, - algo_next: NULL, - ke_size: 2*192 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_192_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*192 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_224 = { algo_type: IKE_ALG_DH_GROUP, algo_id: ECP_224_BIT, - algo_next: NULL, - ke_size: 2*224 / BITS_PER_BYTE + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*224 / BITS_PER_BYTE }; bool init_crypto(void) @@ -282,11 +309,12 @@ bool init_crypto(void) encryption_algorithm_t encryption_alg; hash_algorithm_t hash_alg; diffie_hellman_group_t dh_group; + const char *plugin_name; bool no_md5 = TRUE; bool no_sha1 = TRUE; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &hash_alg)) + while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name)) { const struct hash_desc *desc; @@ -312,7 +340,7 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); @@ -326,7 +354,7 @@ bool init_crypto(void) } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption_alg)) + while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name)) { const struct encrypt_desc *desc; @@ -346,7 +374,8 @@ bool init_crypto(void) break; case ENCR_TWOFISH_CBC: desc = &encrypt_desc_twofish; - ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh); + ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh, + plugin_name); break; case ENCR_SERPENT_CBC: desc = &encrypt_desc_serpent; @@ -354,12 +383,12 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &dh_group)) + while (enumerator->enumerate(enumerator, &dh_group, &plugin_name)) { const struct dh_desc *desc; @@ -413,7 +442,7 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); return TRUE; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index 0590a3585..249e645ed 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1147,7 +1147,7 @@ read_packet(struct msg_digest *md) } else if (from_ugh != NULL) { - plog("recvfrom on %s returned misformed source sockaddr: %s" + plog("recvfrom on %s returned malformed source sockaddr: %s" , ifp->rname, from_ugh); return FALSE; } diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c index 08353907e..a36b5ce4e 100644 --- a/src/pluto/ike_alg.c +++ b/src/pluto/ike_alg.c @@ -72,7 +72,7 @@ static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id, /** * "raw" ike_alg list adding function */ -int ike_alg_add(struct ike_alg* a) +int ike_alg_add(struct ike_alg* a, const char *plugin_name) { if (a->algo_type > IKE_ALG_MAX) { @@ -96,6 +96,7 @@ int ike_alg_add(struct ike_alg* a) e = *ep; } *ep = a; + a->plugin_name = plugin_name; a->algo_next = e; return 0; } @@ -303,64 +304,72 @@ fail: return db_ctx; } +/** + * Print the name of an algorithm plus the name of the plugin that registered it + */ +static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type, + const char *plugin_name) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type), + plugin_name); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + whack_log(RC_COMMENT, "%s", buf); + *len = sprintf(buf, " "); + } + sprintf(buf + *len, "%s", alg_name); + *len += alg_name_len; +} + /** * Show registered IKE algorithms */ void ike_alg_list(void) { + rng_quality_t quality; + enumerator_t *enumerator; + const char *plugin_name; char buf[BUF_LEN]; - char *pos; - int n, len; + int len; struct ike_alg *a; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:"); whack_log(RC_COMMENT, " "); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " encryption:"); for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_enc_names, a->algo_id, a->plugin_name); } - whack_log(RC_COMMENT, " encryption:%s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " integrity: "); for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_hash_names, a->algo_id, a->plugin_name); } - whack_log(RC_COMMENT, " integrity: %s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " dh-group: "); for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", enum_name(&oakley_group_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_group_names, a->algo_id, a->plugin_name); + } + whack_log(RC_COMMENT, "%s", buf); + + len = sprintf(buf, " random-gen:"); + enumerator = lib->crypto->create_rng_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &quality, &plugin_name)) + { + len += sprintf(buf + len, " %N[%s]", rng_quality_names, quality, + plugin_name); } - whack_log(RC_COMMENT, " dh-group: %s", buf); + enumerator->destroy(enumerator); + whack_log(RC_COMMENT, "%s", buf); } /** diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h index 458d14c3a..c3ce8bb38 100644 --- a/src/pluto/ike_alg.h +++ b/src/pluto/ike_alg.h @@ -22,12 +22,14 @@ struct ike_alg { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; }; struct encrypt_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t enc_blocksize; @@ -39,6 +41,7 @@ struct encrypt_desc { struct hash_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t hash_digest_size; @@ -47,6 +50,7 @@ struct hash_desc { struct dh_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t ke_size; @@ -57,7 +61,7 @@ struct dh_desc { #define IKE_ALG_DH_GROUP 2 #define IKE_ALG_MAX IKE_ALG_DH_GROUP -extern int ike_alg_add(struct ike_alg *a); +extern int ike_alg_add(struct ike_alg *a, const char *plugin_name); extern struct hash_desc *ike_alg_get_hasher(u_int alg); extern struct encrypt_desc *ike_alg_get_crypter(u_int alg); extern struct dh_desc *ike_alg_get_dh_group(u_int alg); diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index e57822ffb..104b6c2d4 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1183,7 +1183,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ipcomp_spi, said_next->proto, c->spd.reqid, - mark, <_none, ENCR_UNDEFINED, chunk_empty, + mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) @@ -1292,7 +1292,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, esp_spi, said_next->proto, c->spd.reqid, - mark, <_none, enc_alg, enc_key, + mark, 0, <_none, enc_alg, enc_key, auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, encap, inbound, NULL, NULL) != SUCCESS) { @@ -1325,7 +1325,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ah_spi, said_next->proto, c->spd.reqid, - mark, <_none, ENCR_UNDEFINED, chunk_empty, + mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) { diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 2a195cffc..c82c376f8 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -397,55 +397,55 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id) return sadb_alg; } +/** + * Print the name of a kernel algorithm + */ +static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type)); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + whack_log(RC_COMMENT, "%s", buf); + *len = sprintf(buf, " "); + } + sprintf(buf + *len, "%s", alg_name); + *len += alg_name_len; +} + void kernel_alg_list(void) { char buf[BUF_LEN]; - char *pos; - int n, len; + int len; u_int sadb_id; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered ESP Algorithms:"); whack_log(RC_COMMENT, " "); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " encryption:"); for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++) { if (ESP_EALG_PRESENT(sadb_id)) { - n = snprintf(pos, len, " %s", - enum_name(&esp_transform_names, sadb_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &esp_transform_names, sadb_id); } } - whack_log(RC_COMMENT, " encryption:%s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " integrity: "); for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++) { if (ESP_AALG_PRESENT(sadb_id)) { u_int aaid = alg_info_esp_sadb2aa(sadb_id); - n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &auth_alg_names, aaid); } } - whack_log(RC_COMMENT, " integrity: %s", buf); + whack_log(RC_COMMENT, "%s", buf); } void kernel_alg_show_connection(connection_t *c, const char *instance) diff --git a/src/pluto/keys.c b/src/pluto/keys.c index a79c2c0d2..86b46c6c1 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -902,6 +902,7 @@ static void process_secret(secret_t *s, int whackfd) { loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s" , flp->filename, flp->lino, ugh); + s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); free(s); } else if (flushline("expected record boundary in key")) @@ -1010,8 +1011,11 @@ static void process_secret_records(int whackfd) if (!shift()) { /* unexpected Record Boundary or EOF */ - loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list" - , flp->filename, flp->lino); + loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end" + " of id list", flp->filename, flp->lino); + s->ids->destroy_offset(s->ids, + offsetof(identification_t, destroy)); + free(s); break; } } diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 8a351be6d..a3694b7b5 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -1045,8 +1045,8 @@ static bool valid_ocsp_response(response_t *res) ) /* check path length constraint */ - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen_constraint != X509_NO_CONSTRAINT && pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in index b2ffb11db..358805cc4 100644 --- a/src/pluto/plugins/xauth/Makefile.in +++ b/src/pluto/plugins/xauth/Makefile.in @@ -218,9 +218,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,6 +257,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index 58cb15091..9ac537bd9 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -1,8 +1,8 @@ .TH IPSEC_PLUTO 8 "28 March 1999" .SH NAME -ipsec pluto \- IPsec IKE keying daemon -.br -ipsec whack \- control interface for IPSEC keying daemon +pluto \- IPsec IKE keying daemon and control interface +.PP +whack \- control interface for IKE keying daemon .SH SYNOPSIS .na .nh @@ -1009,7 +1009,7 @@ specifies the name of the operation to be performed \fBup-host\fP, \fBup-client\fP, \fBdown-host\fP, or \fBdown-client\fP). If the address family for security gateway to security gateway communications is IPv6, then -a suffix of -v6 is added to the verb. +a suffix of \-v6 is added to the verb. .TP \fBPLUTO_CONNECTION\fP is the name of the connection for which we are routing. @@ -1571,7 +1571,7 @@ rejected with ECONNREFUSED (kernel supplied no details)''. John Denker suggests that this command is useful for tracking down the source of these problems: .br - tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0 + tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0 .br Substitute your public interface for eth0 if it is different. .LP diff --git a/src/pluto/x509.c b/src/pluto/x509.c index d717beb15..7e2aca862 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -255,8 +255,8 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until) unlock_authcert_list("verify_x509cert"); /* check path length constraint */ - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen_constraint != X509_NO_CONSTRAINT && pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", @@ -450,8 +450,8 @@ void list_x509cert_chain(const char *caption, cert_t* cert, } /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + pathlen = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen != X509_NO_CONSTRAINT) { whack_log(RC_COMMENT, " pathlen: %d", pathlen); } diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index a20fa2eb9..623585f65 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -228,9 +228,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -269,6 +267,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index 4b5234da2..72750e155 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -239,12 +239,12 @@ Log raw hex dumps. .PP .B \-C, \-\-debug\-control .RS 4 -Log informations about control flow. +Log information about control flow. .RE .PP .B \-M, \-\-debug\-controlmore .RS 4 -Log more detailed informations about control flow. +Log more detailed information about control flow. .RE .PP .B \-X, \-\-debug\-private diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 75297f767..f05aeca22 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -25,7 +25,6 @@ AM_CFLAGS = \ starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -59,14 +58,14 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 446f183f1..f1c370ad9 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -39,8 +39,7 @@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON @USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter -DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -56,7 +55,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ @@ -85,30 +84,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -231,9 +206,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -272,6 +245,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -304,7 +279,6 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient @@ -438,44 +412,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list=''; test -n "$(man8dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -530,19 +466,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -574,9 +497,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) +all-am: Makefile $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -628,7 +551,7 @@ info: info-am info-am: -install-data-am: install-ipsecPROGRAMS install-man +install-data-am: install-ipsecPROGRAMS install-dvi: install-dvi-am @@ -644,7 +567,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -674,9 +597,7 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-ipsecPROGRAMS .MAKE: install-am install-strip @@ -687,13 +608,12 @@ uninstall-man: uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-exec-local \ install-html install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ - uninstall-man uninstall-man8 + tags uninstall uninstall-am uninstall-ipsecPROGRAMS lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h @@ -712,16 +632,16 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/starter/args.c b/src/starter/args.c index 37d600283..87307f1aa 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -239,6 +239,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_MARK */ }, { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, + { ARG_MISC, 0, NULL /* KW_TFC */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, @@ -272,6 +273,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, rsakey), NULL }, { ARG_STR, offsetof(starter_end_t, cert), NULL }, { ARG_STR, offsetof(starter_end_t, cert2), NULL }, + { ARG_STR, offsetof(starter_end_t, cert_policy), NULL }, { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert }, { ARG_STR, offsetof(starter_end_t, ca), NULL }, { ARG_STR, offsetof(starter_end_t, ca2), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index 3367616ca..1e7daa6a9 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg cfg->err++; } break; + case KW_TFC: + if (streq(kw->value, "%mtu")) + { + conn->tfc = -1; + } + else + { + char *endptr; + + conn->tfc = strtoul(kw->value, &endptr, 10); + if (*endptr != '\0') + { + plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + cfg->err++; + } + } + break; case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 982d1d206..4f9c5f7d0 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -64,6 +64,7 @@ struct starter_end { char *ca; char *ca2; char *groups; + char *cert_policy; char *iface; ip_address addr; u_int ikeport; @@ -125,6 +126,7 @@ struct starter_conn { u_int32_t reqid; mark_t mark_in; mark_t mark_out; + u_int32_t tfc; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 0c24c7dcf..340b7131d 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 127 +#define TOTAL_KEYWORDS 130 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 12 -#define MAX_HASH_VALUE 238 -/* maximum key range = 227, duplicates = 0 */ +#define MIN_HASH_VALUE 18 +#define MAX_HASH_VALUE 249 +/* maximum key range = 232, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 2, - 104, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 15, 239, 20, 14, 58, - 51, 1, 7, 1, 81, 1, 239, 132, 47, 4, - 1, 49, 10, 9, 23, 1, 20, 48, 4, 239, - 239, 35, 1, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239 + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 11, + 125, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 20, 250, 18, 6, 55, + 59, 3, 9, 3, 92, 3, 250, 147, 71, 12, + 29, 83, 38, 4, 13, 3, 8, 80, 3, 250, + 250, 12, 9, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250 }; register int hval = len; @@ -124,160 +124,164 @@ hash (str, len) static const struct kw_entry wordlist[] = { {"pfs", KW_PFS}, - {"uniqueids", KW_UNIQUEIDS}, - {"rightgroups", KW_RIGHTGROUPS}, - {"lifetime", KW_KEYLIFE}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"rightnatip", KW_RIGHTNATIP}, - {"esp", KW_ESP}, - {"rightnexthop", KW_RIGHTNEXTHOP}, - {"rightsourceip", KW_RIGHTSOURCEIP}, {"right", KW_RIGHT}, - {"leftupdown", KW_LEFTUPDOWN}, - {"leftnexthop", KW_LEFTNEXTHOP}, + {"rightgroups", KW_RIGHTGROUPS}, {"left", KW_LEFT}, - {"keep_alive", KW_KEEP_ALIVE}, + {"lifetime", KW_KEYLIFE}, {"rightsubnet", KW_RIGHTSUBNET}, {"rightikeport", KW_RIGHTIKEPORT}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"leftcert", KW_LEFTCERT,}, - {"interfaces", KW_INTERFACES}, - {"lifepackets", KW_LIFEPACKETS}, - {"leftsendcert", KW_LEFTSENDCERT}, - {"leftgroups", KW_LEFTGROUPS}, - {"eap", KW_EAP}, - {"rightprotoport", KW_RIGHTPROTOPORT}, - {"leftnatip", KW_LEFTNATIP}, + {"leftcert", KW_LEFTCERT}, {"keyingtries", KW_KEYINGTRIES}, - {"type", KW_TYPE}, {"keylife", KW_KEYLIFE}, - {"mark_in", KW_MARK_IN}, + {"leftsendcert", KW_LEFTSENDCERT}, {"lifebytes", KW_LIFEBYTES}, - {"leftca", KW_LEFTCA}, - {"margintime", KW_REKEYMARGIN}, - {"marginbytes", KW_MARGINBYTES}, + {"keep_alive", KW_KEEP_ALIVE}, + {"leftgroups", KW_LEFTGROUPS}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, - {"marginpackets", KW_MARGINPACKETS}, + {"leftcertpolicy", KW_LEFTCERTPOLICY}, {"certuribase", KW_CERTURIBASE}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"rightid", KW_RIGHTID}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"compress", KW_COMPRESS}, + {"lifepackets", KW_LIFEPACKETS}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, {"leftprotoport", KW_LEFTPROTOPORT}, - {"overridemtu", KW_OVERRIDEMTU}, + {"uniqueids", KW_UNIQUEIDS}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftca", KW_LEFTCA}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"type", KW_TYPE}, + {"interfaces", KW_INTERFACES}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"leftnexthop", KW_LEFTNEXTHOP}, + {"rightprotoport", KW_RIGHTPROTOPORT}, + {"mark_in", KW_MARK_IN}, {"reqid", KW_REQID}, {"inactivity", KW_INACTIVITY}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, + {"rightid", KW_RIGHTID}, + {"marginpackets", KW_MARGINPACKETS}, + {"leftnatip", KW_LEFTNATIP}, + {"rightcert", KW_RIGHTCERT}, + {"ocspuri", KW_OCSPURI}, + {"esp", KW_ESP}, + {"rightnatip", KW_RIGHTNATIP}, + {"keyexchange", KW_KEYEXCHANGE}, + {"rightnexthop", KW_RIGHTNEXTHOP}, + {"rightca", KW_RIGHTCA}, + {"rightcertpolicy", KW_RIGHTCERTPOLICY}, + {"leftupdown", KW_LEFTUPDOWN}, + {"ocspuri1", KW_OCSPURI}, + {"mediated_by", KW_MEDIATED_BY}, + {"me_peerid", KW_ME_PEERID}, + {"cacert", KW_CACERT}, + {"crluri", KW_CRLURI}, + {"eap", KW_EAP}, {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"rightallowany", KW_RIGHTALLOWANY}, + {"overridemtu", KW_OVERRIDEMTU}, {"mobike", KW_MOBIKE}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"pfsgroup", KW_PFSGROUP}, - {"me_peerid", KW_ME_PEERID}, - {"crluri", KW_CRLURI}, - {"leftsourceip", KW_LEFTSOURCEIP}, + {"packetdefault", KW_PACKETDEFAULT}, {"crluri1", KW_CRLURI}, + {"ldapbase", KW_LDAPBASE}, + {"leftallowany", KW_LEFTALLOWANY}, {"mediation", KW_MEDIATION}, - {"dumpdir", KW_DUMPDIR}, - {"forceencaps", KW_FORCEENCAPS}, + {"compress", KW_COMPRESS}, {"leftsubnet", KW_LEFTSUBNET}, - {"rightca", KW_RIGHTCA}, - {"rightcert", KW_RIGHTCERT}, - {"ocspuri", KW_OCSPURI}, - {"dpdaction", KW_DPDACTION}, - {"ocspuri1", KW_OCSPURI}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"forceencaps", KW_FORCEENCAPS}, + {"dumpdir", KW_DUMPDIR}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"authby", KW_AUTHBY}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"tfc", KW_TFC}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"rightauth", KW_RIGHTAUTH}, + {"rightupdown", KW_RIGHTUPDOWN}, {"dpdtimeout", KW_DPDTIMEOUT}, {"installpolicy", KW_INSTALLPOLICY}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"ldapbase", KW_LDAPBASE}, - {"also", KW_ALSO}, - {"leftallowany", KW_LEFTALLOWANY}, + {"mark_out", KW_MARK_OUT}, + {"fragicmp", KW_FRAGICMP}, {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"keyexchange", KW_KEYEXCHANGE}, - {"hidetos", KW_HIDETOS}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"rightauth", KW_RIGHTAUTH}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {"charondebug", KW_CHARONDEBUG}, - {"rightid2", KW_RIGHTID2}, {"leftid", KW_LEFTID}, - {"mediated_by", KW_MEDIATED_BY}, - {"fragicmp", KW_FRAGICMP}, - {"mark_out", KW_MARK_OUT}, - {"auto", KW_AUTO}, - {"leftcert2", KW_LEFTCERT2,}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"cacert", KW_CACERT}, - {"plutostart", KW_PLUTOSTART}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, {"eap_identity", KW_EAP_IDENTITY}, - {"prepluto", KW_PREPLUTO}, - {"packetdefault", KW_PACKETDEFAULT}, + {"cachecrls", KW_CACHECRLS}, + {"pfsgroup", KW_PFSGROUP}, + {"rightid2", KW_RIGHTID2}, + {"dpdaction", KW_DPDACTION}, {"xauth_identity", KW_XAUTH_IDENTITY}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"leftcert2", KW_LEFTCERT2}, + {"charondebug", KW_CHARONDEBUG}, + {"hidetos", KW_HIDETOS}, + {"ike", KW_IKE}, {"charonstart", KW_CHARONSTART}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"rightauth2", KW_RIGHTAUTH2}, - {"ike", KW_IKE}, - {"aaa_identity", KW_AAA_IDENTITY}, + {"also", KW_ALSO}, {"leftca2", KW_LEFTCA2}, - {"authby", KW_AUTHBY}, - {"leftauth", KW_LEFTAUTH}, - {"cachecrls", KW_CACHECRLS}, + {"rekey", KW_REKEY}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, + {"plutostart", KW_PLUTOSTART}, + {"ikelifetime", KW_IKELIFETIME}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"auto", KW_AUTO}, {"ldaphost", KW_LDAPHOST}, - {"rekeymargin", KW_REKEYMARGIN}, {"rekeyfuzz", KW_REKEYFUZZ}, - {"dpddelay", KW_DPDDELAY}, - {"ikelifetime", KW_IKELIFETIME}, - {"auth", KW_AUTH}, - {"xauth", KW_XAUTH}, - {"postpluto", KW_POSTPLUTO}, - {"plutodebug", KW_PLUTODEBUG}, - {"modeconfig", KW_MODECONFIG}, - {"nocrsend", KW_NOCRSEND}, - {"leftauth2", KW_LEFTAUTH2}, - {"leftid2", KW_LEFTID2}, {"leftikeport", KW_LEFTIKEPORT}, + {"mark", KW_MARK}, + {"auth", KW_AUTH}, + {"prepluto", KW_PREPLUTO}, + {"dpddelay", KW_DPDDELAY}, + {"leftauth", KW_LEFTAUTH}, {"rightca2", KW_RIGHTCA2}, - {"rekey", KW_REKEY}, + {"xauth", KW_XAUTH}, {"rightcert2", KW_RIGHTCERT2}, - {"mark", KW_MARK}, - {"crluri2", KW_CRLURI2}, - {"reauth", KW_REAUTH}, + {"rekeymargin", KW_REKEYMARGIN}, + {"leftid2", KW_LEFTID2}, {"ocspuri2", KW_OCSPURI2}, + {"nocrsend", KW_NOCRSEND}, + {"reauth", KW_REAUTH}, + {"crluri2", KW_CRLURI2}, + {"plutodebug", KW_PLUTODEBUG}, + {"leftauth2", KW_LEFTAUTH2}, {"pkcs11module", KW_PKCS11MODULE}, {"pkcs11initargs", KW_PKCS11INITARGS}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"pkcs11proxy", KW_PKCS11PROXY} + {"pkcs11proxy", KW_PKCS11PROXY}, + {"modeconfig", KW_MODECONFIG}, + {"postpluto", KW_POSTPLUTO} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, 0, 1, -1, 2, -1, -1, 3, -1, - -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, - 11, -1, 12, 13, 14, 15, 16, 17, -1, 18, - 19, 20, 21, 22, -1, -1, 23, 24, -1, 25, - 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, - 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, - 46, 47, 48, 49, 50, 51, -1, 52, 53, 54, - 55, -1, 56, 57, -1, 58, 59, 60, -1, 61, - 62, 63, 64, -1, -1, 65, -1, 66, -1, 67, - 68, 69, 70, 71, -1, -1, 72, -1, -1, 73, - 74, 75, 76, 77, 78, 79, 80, -1, 81, 82, - 83, 84, 85, 86, 87, -1, 88, -1, 89, 90, - -1, 91, 92, 93, 94, -1, 95, 96, 97, 98, - -1, -1, -1, -1, 99, 100, 101, -1, 102, 103, - 104, 105, 106, 107, 108, 109, -1, 110, -1, -1, - 111, -1, -1, -1, -1, -1, -1, 112, -1, 113, - 114, 115, 116, 117, 118, -1, -1, -1, -1, 119, - -1, -1, 120, -1, -1, -1, -1, -1, -1, 121, - -1, -1, -1, -1, 122, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 123, -1, 124, 125, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, 126 + -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, + -1, -1, -1, 2, 3, -1, 4, -1, 5, 6, + 7, 8, 9, -1, 10, 11, 12, 13, 14, -1, + 15, 16, -1, 17, 18, 19, 20, 21, -1, 22, + -1, -1, 23, -1, 24, 25, 26, 27, -1, 28, + 29, -1, -1, -1, 30, -1, 31, -1, -1, -1, + 32, 33, 34, 35, 36, 37, 38, 39, 40, -1, + -1, 41, 42, 43, 44, 45, 46, -1, 47, 48, + 49, -1, -1, 50, 51, 52, 53, 54, 55, 56, + 57, 58, 59, -1, -1, 60, 61, 62, 63, 64, + 65, -1, 66, 67, -1, 68, 69, -1, 70, 71, + -1, -1, 72, 73, -1, 74, 75, 76, 77, -1, + 78, -1, 79, -1, 80, -1, 81, 82, -1, 83, + 84, 85, 86, 87, 88, 89, 90, -1, -1, 91, + -1, -1, -1, 92, -1, 93, 94, -1, 95, 96, + -1, 97, 98, -1, -1, -1, -1, 99, -1, -1, + -1, 100, 101, 102, 103, 104, 105, 106, 107, -1, + -1, -1, 108, -1, 109, -1, -1, 110, 111, -1, + -1, -1, 112, -1, 113, 114, 115, -1, -1, -1, + -1, -1, 116, 117, 118, -1, -1, -1, 119, -1, + -1, 120, -1, -1, -1, -1, -1, -1, -1, 121, + -1, -1, -1, 122, -1, -1, 123, -1, 124, -1, + 125, 126, -1, -1, -1, -1, 127, -1, 128, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, 129 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 1dae65a99..9f46a8b4b 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -102,9 +102,10 @@ typedef enum { KW_MARK, KW_MARK_IN, KW_MARK_OUT, + KW_TFC, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_MARK_OUT +#define KW_CONN_LAST KW_TFC /* ca section keywords */ KW_CA_NAME, @@ -141,6 +142,7 @@ typedef enum { KW_RSASIGKEY, KW_CERT, KW_CERT2, + KW_CERTPOLICY, KW_SENDCERT, KW_CA, KW_CA2, @@ -170,6 +172,7 @@ typedef enum { KW_LEFTRSASIGKEY, KW_LEFTCERT, KW_LEFTCERT2, + KW_LEFTCERTPOLICY, KW_LEFTSENDCERT, KW_LEFTCA, KW_LEFTCA2, @@ -198,6 +201,7 @@ typedef enum { KW_RIGHTRSASIGKEY, KW_RIGHTCERT, KW_RIGHTCERT2, + KW_RIGHTCERTPOLICY, KW_RIGHTSENDCERT, KW_RIGHTCA, KW_RIGHTCA2, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 06705635a..2c0e5de3d 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -93,6 +93,7 @@ reqid, KW_REQID mark, KW_MARK mark_in, KW_MARK_IN mark_out, KW_MARK_OUT +tfc, KW_TFC cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE @@ -120,8 +121,9 @@ leftid2, KW_LEFTID2 leftauth, KW_LEFTAUTH leftauth2, KW_LEFTAUTH2 leftrsasigkey, KW_LEFTRSASIGKEY -leftcert, KW_LEFTCERT, -leftcert2, KW_LEFTCERT2, +leftcert, KW_LEFTCERT +leftcert2, KW_LEFTCERT2 +leftcertpolicy, KW_LEFTCERTPOLICY leftsendcert, KW_LEFTSENDCERT leftca, KW_LEFTCA leftca2, KW_LEFTCA2 @@ -145,6 +147,7 @@ rightauth2, KW_RIGHTAUTH2 rightrsasigkey, KW_RIGHTRSASIGKEY rightcert, KW_RIGHTCERT rightcert2, KW_RIGHTCERT2 +rightcertpolicy, KW_RIGHTCERTPOLICY rightsendcert, KW_RIGHTSENDCERT rightca, KW_RIGHTCA rightca2, KW_RIGHTCA2 diff --git a/src/starter/starter.8 b/src/starter/starter.8 deleted file mode 100644 index e69de29bb..000000000 diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 9ba569d47..f251667c7 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->id2 = push_string(msg, conn_end->id2); msg_end->cert = push_string(msg, conn_end->cert); msg_end->cert2 = push_string(msg, conn_end->cert2); + msg_end->cert_policy = push_string(msg, conn_end->cert_policy); msg_end->ca = push_string(msg, conn_end->ca); msg_end->ca2 = push_string(msg, conn_end->ca2); msg_end->groups = push_string(msg, conn_end->groups); @@ -266,6 +267,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mark_in.mask = conn->mark_in.mask; msg.add_conn.mark_out.value = conn->mark_out.value; msg.add_conn.mark_out.mask = conn->mark_out.mask; + msg.add_conn.tfc = conn->tfc; starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index c490be114..d621f21ca 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -197,9 +197,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -238,6 +236,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 103617f08..a88fa10d7 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -197,6 +197,16 @@ static int terminate_connection_srcip(char *start, char *end) return send_stroke_msg(&msg); } +static int rekey_connection(char *name) +{ + stroke_msg_t msg; + + msg.type = STR_REKEY; + msg.length = offsetof(stroke_msg_t, buffer); + msg.rekey.name = push_string(&msg, name); + return send_stroke_msg(&msg); +} + static int route_connection(char *name) { stroke_msg_t msg; @@ -276,6 +286,8 @@ static int reread(stroke_keyword_t kw) static int purge_flags[] = { PURGE_OCSP, PURGE_IKE, + PURGE_CRLS, + PURGE_CERTS, }; static int purge(stroke_keyword_t kw) @@ -373,6 +385,10 @@ static void exit_usage(char *error) printf(" stroke rereadsecrets|rereadcrls|rereadall\n"); printf(" Purge ocsp cache entries:\n"); printf(" stroke purgeocsp\n"); + printf(" Purge CRL cache entries:\n"); + printf(" stroke purgecrls\n"); + printf(" Purge X509 cache entries:\n"); + printf(" stroke purgecerts\n"); printf(" Purge IKE_SAs without a CHILD_SA:\n"); printf(" stroke purgeike\n"); printf(" Export credentials to the console:\n"); @@ -443,6 +459,13 @@ int main(int argc, char *argv[]) } res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL); break; + case STROKE_REKEY: + if (argc < 3) + { + exit_usage("\"rekey\" needs a connection name"); + } + res = rekey_connection(argv[2]); + break; case STROKE_ROUTE: if (argc < 3) { @@ -491,6 +514,8 @@ int main(int argc, char *argv[]) res = reread(token->kw); break; case STROKE_PURGE_OCSP: + case STROKE_PURGE_CRLS: + case STROKE_PURGE_CERTS: case STROKE_PURGE_IKE: res = purge(token->kw); break; diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c index c2d79176e..b43f4b475 100644 --- a/src/stroke/stroke_keywords.c +++ b/src/stroke/stroke_keywords.c @@ -54,12 +54,12 @@ struct stroke_token { stroke_keyword_t kw; }; -#define TOTAL_KEYWORDS 34 +#define TOTAL_KEYWORDS 37 #define MIN_WORD_LENGTH 2 #define MAX_WORD_LENGTH 15 -#define MIN_HASH_VALUE 3 -#define MAX_HASH_VALUE 39 -/* maximum key range = 37, duplicates = 0 */ +#define MIN_HASH_VALUE 2 +#define MAX_HASH_VALUE 42 +/* maximum key range = 41, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 18, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 0, 4, 1, - 1, 0, 40, 17, 40, 20, 40, 3, 0, 40, - 40, 12, 19, 40, 6, 3, 20, 12, 40, 40, - 10, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40 + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 20, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 0, 23, 1, + 1, 15, 43, 21, 43, 23, 43, 9, 0, 43, + 43, 10, 2, 43, 6, 5, 1, 0, 43, 43, + 2, 19, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43 }; register int hval = len; @@ -125,47 +125,51 @@ hash (str, len) static const struct stroke_token wordlist[] = { + {"up", STROKE_UP}, {"add", STROKE_ADD}, {"del", STROKE_DEL}, {"down", STROKE_DOWN}, - {"leases", STROKE_LEASES}, {"listall", STROKE_LIST_ALL}, - {"loglevel", STROKE_LOGLEVEL}, + {"delete", STROKE_DELETE}, {"listcrls", STROKE_LIST_CRLS}, - {"listacerts", STROKE_LIST_ACERTS}, - {"route", STROKE_ROUTE}, + {"status", STROKE_STATUS}, {"listaacerts", STROKE_LIST_AACERTS}, {"listcacerts", STROKE_LIST_CACERTS}, - {"up", STROKE_UP}, + {"statusall", STROKE_STATUSALL}, {"rereadall", STROKE_REREAD_ALL}, {"listcerts", STROKE_LIST_CERTS}, {"rereadcrls", STROKE_REREAD_CRLS}, {"rereadacerts", STROKE_REREAD_ACERTS}, {"rereadaacerts", STROKE_REREAD_AACERTS}, {"rereadcacerts", STROKE_REREAD_CACERTS}, - {"status", STROKE_STATUS}, - {"rereadsecrets", STROKE_REREAD_SECRETS}, + {"leases", STROKE_LEASES}, + {"unroute", STROKE_UNROUTE}, {"listocsp", STROKE_LIST_OCSP}, - {"statusall", STROKE_STATUSALL}, + {"rereadsecrets", STROKE_REREAD_SECRETS}, + {"listacerts", STROKE_LIST_ACERTS}, + {"route", STROKE_ROUTE}, + {"purgeocsp", STROKE_PURGE_OCSP}, + {"listocspcerts", STROKE_LIST_OCSPCERTS}, {"listalgs", STROKE_LIST_ALGS}, + {"rekey", STROKE_REKEY}, + {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, + {"purgecrls", STROKE_PURGE_CRLS}, {"exportx509", STROKE_EXPORT_X509}, - {"delete", STROKE_DELETE}, - {"listocspcerts", STROKE_LIST_OCSPCERTS}, - {"purgeocsp", STROKE_PURGE_OCSP}, {"purgeike", STROKE_PURGE_IKE}, - {"unroute", STROKE_UNROUTE}, {"listcainfos", STROKE_LIST_CAINFOS}, - {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, {"listpubkeys", STROKE_LIST_PUBKEYS}, {"down-srcip", STROKE_DOWN_SRCIP}, - {"listgroups", STROKE_LIST_GROUPS} + {"loglevel", STROKE_LOGLEVEL}, + {"listgroups", STROKE_LIST_GROUPS}, + {"purgecerts", STROKE_PURGE_CERTS} }; static const short lookup[] = { - -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, - 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, - 25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33 + -1, -1, 0, 1, 2, 3, -1, 4, 5, 6, -1, 7, 8, 9, + 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, -1, -1, 35, + 36 }; #ifdef __GNUC__ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 4a3826536..ff2ba36ef 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -25,6 +25,7 @@ typedef enum { STROKE_UP, STROKE_DOWN, STROKE_DOWN_SRCIP, + STROKE_REKEY, STROKE_LOGLEVEL, STROKE_STATUS, STROKE_STATUSALL, @@ -48,6 +49,8 @@ typedef enum { STROKE_REREAD_CRLS, STROKE_REREAD_ALL, STROKE_PURGE_OCSP, + STROKE_PURGE_CRLS, + STROKE_PURGE_CERTS, STROKE_PURGE_IKE, STROKE_EXPORT_X509, STROKE_LEASES, diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt index 0b8092985..dafd1ab08 100644 --- a/src/stroke/stroke_keywords.txt +++ b/src/stroke/stroke_keywords.txt @@ -32,6 +32,7 @@ unroute, STROKE_UNROUTE up, STROKE_UP down, STROKE_DOWN down-srcip, STROKE_DOWN_SRCIP +rekey, STROKE_REKEY loglevel, STROKE_LOGLEVEL status, STROKE_STATUS statusall, STROKE_STATUSALL @@ -55,6 +56,8 @@ rereadacerts, STROKE_REREAD_ACERTS rereadcrls, STROKE_REREAD_CRLS rereadall, STROKE_REREAD_ALL purgeocsp, STROKE_PURGE_OCSP +purgecrls, STROKE_PURGE_CRLS +purgecerts, STROKE_PURGE_CERTS purgeike, STROKE_PURGE_IKE exportx509, STROKE_EXPORT_X509 leases, STROKE_LEASES diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 9466cf0b0..3af2b7042 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -107,6 +107,10 @@ enum purge_flag_t { PURGE_OCSP = 0x0001, /** purge IKE_SAs without a CHILD_SA */ PURGE_IKE = 0x0002, + /** purge CRL cache entries */ + PURGE_CRLS = 0x0004, + /** purge X509 cache entries */ + PURGE_CERTS = 0x0008, }; typedef enum export_flag_t export_flag_t; @@ -145,6 +149,7 @@ struct stroke_end_t { char *ca; char *ca2; char *groups; + char *cert_policy; char *updown; char *address; u_int16_t ikeport; @@ -183,6 +188,8 @@ struct stroke_msg_t { STR_TERMINATE, /* terminate connection by peers srcip/virtual ip */ STR_TERMINATE_SRCIP, + /* rekey a connection */ + STR_REKEY, /* show connection status */ STR_STATUS, /* show verbose connection status */ @@ -215,7 +222,7 @@ struct stroke_msg_t { /* data for STR_INITIATE, STR_ROUTE, STR_UP, STR_DOWN, ... */ struct { char *name; - } initiate, route, unroute, terminate, status, del_conn, del_ca; + } initiate, route, unroute, terminate, rekey, status, del_conn, del_ca; /* data for STR_TERMINATE_SRCIP */ struct { @@ -241,6 +248,7 @@ struct stroke_msg_t { int proxy_mode; int install_policy; u_int32_t reqid; + u_int32_t tfc; crl_policy_t crl_policy; int unique; diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 270e8fe50..b51056a38 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -196,9 +196,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -237,6 +235,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/INSTALL b/testing/INSTALL index 5e42925f7..bb4272eaf 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,23 +53,22 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2 - * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel - to successfully start up but the xfrm_mark patch must be applied for - XFRM MARK support. + * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel + to successfully start up. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.34 + http://download.strongswan.org/uml/.config-2.6.36 * A gentoo-based UML file system (compressed size 130 MBytes) found at - http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2 + http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2 * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.4.2.tar.bz2 + http://download.strongswan.org/strongswan-4.5.1.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index 82b751fd2..cbb7555f0 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -175,9 +175,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -216,6 +214,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 2e67e9367..27ad200fb 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in @@ -343,6 +343,7 @@ do # $DIR/scripts/load-testconfig $testname + unset RADIUSHOSTS source $TESTDIR/test.conf diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts index fb07a2f6e..0931f450e 100644 --- a/testing/hosts/default/etc/hosts +++ b/testing/hosts/default/etc/hosts @@ -18,8 +18,10 @@ 10.1.0.40 dave2.strongswan.org dave2 10.1.0.50 carol3.strongswan.org carol3 10.1.0.51 dave3.strongswan.org dave3 +10.1.0.5 mars1.strongswan.org mars1 # virtual gateway 10.1.0.1 moon1.strongswan.org moon1 192.168.0.1 moon.strongswan.org moon +192.168.0.5 mars.strongswan.org mars # virtual gateway 192.168.0.50 alice1.strongswan.org alice1 192.168.0.100 carol.strongswan.org carol 10.3.0.1 carol1.strongswan.org carol1 diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index eb41533cb..2917fc3fc 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql @@ -18,9 +18,11 @@ CREATE TABLE child_configs ( updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', mode INTEGER NOT NULL DEFAULT '2', + start_action INTEGER NOT NULL DEFAULT '0', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', - ipcomp INTEGER NOT NULL DEFAULT '0' + ipcomp INTEGER NOT NULL DEFAULT '0', + reqid INTEGER NOT NULL DEFAULT '0' ); DROP INDEX IF EXISTS child_configs_name; CREATE INDEX child_configs_name ON child_configs ( @@ -38,6 +40,19 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector child_cfg, traffic_selector ); +DROP TABLE IF EXISTS proposals; +CREATE TABLE proposals ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + proposal TEXT NOT NULL +); + +DROP TABLE IF EXISTS child_config_proposal; +CREATE TABLE child_config_proposal ( + child_cfg INTEGER NOT NULL, + prio INTEGER NOT NULL, + prop INTEGER NOT NULL +); + DROP TABLE IF EXISTS ike_configs; CREATE TABLE ike_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -47,6 +62,13 @@ CREATE TABLE ike_configs ( remote TEXT NOT NULL ); +DROP TABLE IF EXISTS ike_config_proposal; +CREATE TABLE ike_config_proposal ( + ike_cfg INTEGER NOT NULL, + prio INTEGER NOT NULL, + prop INTEGER NOT NULL +); + DROP TABLE IF EXISTS peer_configs; CREATE TABLE peer_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -139,6 +161,20 @@ CREATE TABLE shared_secret_identity ( PRIMARY KEY (shared_secret, identity) ); +DROP TABLE IF EXISTS certificate_authorities; +CREATE TABLE certificate_authorities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + certificate INTEGER NOT NULL +); + +DROP TABLE IF EXISTS certificate_distribution_points; +CREATE TABLE certificate_distribution_points ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + ca INTEGER NOT NULL, + type INTEGER NOT NULL, + uri TEXT NOT NULL +); + DROP TABLE IF EXISTS pools; CREATE TABLE pools ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index dd69a793f..246f2d5b7 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -32,3 +32,4 @@ V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/ V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org +V 151119165922Z 23 unknown /C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index 58a88a3cb..dd69a793f 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -31,3 +31,4 @@ V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/23.pem b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index 409940768..a45fd52cc 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -23 +24 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index 2bd5a0a98..409940768 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -22 +23 diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index e22b65cf4..023b71750 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -202,6 +202,16 @@ then echo -n " --enable-tnccs-11" >> $INSTALLSHELL fi +if [ "$USE_TNCCS_20" = "yes" ] +then + echo -n " --enable-tnccs-20" >> $INSTALLSHELL +fi + +if [ "$USE_TNCCS_DYNAMIC" = "yes" ] +then + echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL +fi + if [ "$USE_SQL" = "yes" ] then echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL @@ -292,6 +302,16 @@ then echo -n " --enable-gcm" >> $INSTALLSHELL fi +if [ "$USE_HA" = "yes" ] +then + echo -n " --enable-ha" >> $INSTALLSHELL +fi + +if [ "$USE_CISCO_QUIRKS" = "yes" ] +then + echo -n " --enable-cisco-quirks" >> $INSTALLSHELL +fi + echo "" >> $INSTALLSHELL echo "make -j" >> $INSTALLSHELL echo "make install" >> $INSTALLSHELL diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls index 486955a69..18dc64a9d 100755 --- a/testing/scripts/kstart-umls +++ b/testing/scripts/kstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls index 717199606..ed2662b6c 100755 --- a/testing/scripts/xstart-umls +++ b/testing/scripts/xstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/testing.conf b/testing/testing.conf index b9cb4bb30..b078ab2c0 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.35 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.36 # Bzipped uml patch for kernel -#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2 +UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -48,13 +48,15 @@ USE_EAP_TNC="yes" USE_TNC_IMC="yes" USE_TNC_IMV="yes" USE_TNCCS_11="yes" +USE_TNCCS_20="yes" +USE_TNCCS_DYNAMIC="yes" USE_SQL="yes" USE_MEDIATION="yes" USE_OPENSSL="yes" USE_BLOWFISH="yes" USE_KERNEL_PFKEY="yes" USE_INTEGRITY_TEST="yes" -USE_LEAK_DETECTIVE="yes" +USE_LEAK_DETECTIVE="no" USE_LOAD_TESTER="yes" USE_TEST_VECTORS="yes" USE_GCRYPT="yes" @@ -66,12 +68,14 @@ USE_ADDRBLOCK="yes" USE_CTR="yes" USE_CCM="yes" USE_GCM="yes" +USE_HA="yes" +USE_CISCO_QUIRKS="no" # Gentoo linux root filesystem -ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2 +ROOTFS=$UMLTESTDIR/gentoo-fs-20101120.tar.bz2 # Size of the finished root filesystem in MB -ROOTFSSIZE=700 +ROOTFSSIZE=800 # Amount of Memory to use per UML [MB]. # If "auto" is stated 1/12 of total host ram will be used. diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt new file mode 100644 index 000000000..4c64fff97 --- /dev/null +++ b/testing/tests/ha/both-active/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to the virtual gateway mars implemented by the two real gateways +alice and moon in a High Availability (HA) setup +based on ClusterIP. Depending on the hash of the IP addresses of the peers +and the SPIs, the inbound and outbound CHILD_SAs are either assigned to +segment 1 managed by alice or segment 2 handled by moon. +The IKEv2 protocol is managed by moon exclusively with passive +IKE_SAs installed on the backup gateway alice. diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat new file mode 100644 index 000000000..7256743ac --- /dev/null +++ b/testing/tests/ha/both-active/evaltest.dat @@ -0,0 +1,20 @@ +moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES +alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES +alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +alice::cat /var/log/daemon.log::HA segment 1 activated::YES +moon::cat /var/log/daemon.log::HA segment 2 activated::YES +alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES +moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES +carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES +dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES +venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES +venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..95d3b8828 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables @@ -0,0 +1,104 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # forward ESP-tunneled traffic + iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT + iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT + iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + + # clusterip rules + iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 + iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 + + # allow esp + iptables -A INPUT -p 50 -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # allow heartbeat + iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT + iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT + + # allow ICMP type 3 + iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT + iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT + + # allow IGMP multicasts + iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT + iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..09a5364f4 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..c1745ec29 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_ALICE + remote = PH_IP_MOON1 + segment_count = 2 + fifo_interface = yes + monitor = yes + } + } +} + diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..79e06d4de --- /dev/null +++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..af91a172a --- /dev/null +++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..f75e13d2e --- /dev/null +++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..60dbb5ba2 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..6f7a0316b --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables @@ -0,0 +1,104 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # forward ESP-tunneled traffic + iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT + iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT + iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT + + # clusterip rules + iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1 + iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1 + + # allow esp + iptables -A INPUT -p 50 -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # allow heartbeat + iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT + iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT + + # allow ICMP type 3 + iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT + iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT + + # allow IGMP multicasts + iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT + iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..09a5364f4 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1cece26d2 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_MOON1 + remote = PH_IP_ALICE + segment_count = 2 + fifo_interface = yes + monitor = yes + } + } +} + diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat new file mode 100644 index 000000000..49bf76055 --- /dev/null +++ b/testing/tests/ha/both-active/posttest.dat @@ -0,0 +1,17 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +alice::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +alice::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::ip addr del 192.168.0.5/24 dev eth0 +moon::ip addr del 10.1.0.5/16 dev eth1 +alice::ip addr del 192.168.0.5/24 dev eth1 +alice::ip addr del 10.1.0.5/16 dev eth0 +alice::/etc/init.d/net.eth1 stop +venus::ip route del default via 10.1.0.5 dev eth0 +venus::ip route add default via 10.1.0.1 dev eth0 +moon::conntrack -F +alice::conntrack -F diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat new file mode 100644 index 000000000..e2e509855 --- /dev/null +++ b/testing/tests/ha/both-active/pretest.dat @@ -0,0 +1,18 @@ +moon::ip addr add 192.168.0.5/24 dev eth0 +moon::ip addr add 10.1.0.5/16 dev eth1 +alice::/etc/init.d/net.eth1 start +alice::ip addr add 192.168.0.5/24 dev eth1 +alice::ip addr add 10.1.0.5/16 dev eth0 +venus::ip route del default via 10.1.0.1 dev eth0 +venus::ip route add default via 10.1.0.5 dev eth0 +moon::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +alice::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf new file mode 100644 index 000000000..0473013e1 --- /dev/null +++ b/testing/tests/ha/both-active/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="venus carol dave" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice moon carol dave" diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index c35a8019e..8bc2e8688 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -1,7 +1,7 @@ moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::sleep 35::no output expected::NO -carol::iptables -D INPUT 1::no output expected::NO +carol::sleep 35::no output expected::NO +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat index acb432172..92681011f 100644 --- a/testing/tests/ikev1/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat @@ -10,4 +10,4 @@ carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 1 +dave::sleep 2 diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat index a330b1074..c0f166ff4 100644 --- a/testing/tests/ikev1/dynamic-responder/pretest.dat +++ b/testing/tests/ikev1/dynamic-responder/pretest.dat @@ -10,4 +10,4 @@ moon::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 1 +dave::sleep 2 diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat index ed8f39316..f0c5bcec6 100644 --- a/testing/tests/ikev1/net2net-start/pretest.dat +++ b/testing/tests/ikev1/net2net-start/pretest.dat @@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null sun::/etc/init.d/iptables start 2> /dev/null moon::ipsec start sun::ipsec start -alice::sleep 12 +alice::sleep 20 diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt index 83e9d2726..98d85f30b 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/description.txt +++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt @@ -2,4 +2,4 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol presents a wrong -XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted. +XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt index ffbb47c04..a6fe82330 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt +++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt @@ -2,5 +2,5 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol cannot find her -XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the +XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt new file mode 100644 index 000000000..8c0d37c88 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates which contain a critical but +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, +sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat new file mode 100644 index 000000000..8c2f8ec9d --- /dev/null +++ b/testing/tests/ikev2/critical-extension/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/daemon.log::sending end entity cert::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e3c9dde4 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bfc83ab4d --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} + +libstrongswan { + x509 { + enforce_critical = no + } +} diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..19e197131 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.der + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..cb17a9e07 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat new file mode 100644 index 000000000..a4c96e10f --- /dev/null +++ b/testing/tests/ikev2/critical-extension/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/ikev2/critical-extension/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf new file mode 100644 index 000000000..41ee3037e --- /dev/null +++ b/testing/tests/ikev2/critical-extension/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index 88f162098..47dab951f 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index 88f162098..8335e51f6 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt new file mode 100644 index 000000000..350aefc60 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to +the FreeRADIUS server alice authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements carol +is authenticated successfully and is granted access to the subnet behind moon whereas +dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat new file mode 100644 index 000000000..517ea9ab2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..2d4961288 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,23 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fc8f84638 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d2d3058d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat new file mode 100644 index 000000000..dc7d5934e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf new file mode 100644 index 000000000..bb6b68687 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt new file mode 100644 index 000000000..7eebd3d4d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to +the FreeRADIUS server alice authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat new file mode 100644 index 000000000..d0ea22ba9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..f91bccc72 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33dcdcfb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4e456bbe --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat new file mode 100644 index 000000000..8dd865819 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat @@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf new file mode 100644 index 000000000..2a52df203 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/description.txt b/testing/tests/ikev2/rw-eap-tnc-11/description.txt new file mode 100644 index 000000000..4b4808c94 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat new file mode 100644 index 000000000..a02755148 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f8700d3c5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11/test.conf b/testing/tests/ikev2/rw-eap-tnc-11/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt new file mode 100644 index 000000000..c7422aa46 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements +carol is authenticated successfully and is granted access to the subnet behind +moon whereas dave fails the layered EAP authentication and is rejected. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat new file mode 100644 index 000000000..f1753c208 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a39b8c57 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = de, en + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..eb7007726 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = ru, fr, en + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6747b4a4a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..20caf8e84 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imv { + recommendation_policy = all + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt new file mode 100644 index 000000000..54590a951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon, +both ends doing certificate-based EAP-TLS authentication only. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat new file mode 100644 index 000000000..bbc0603b6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1b6274215 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..54c06b12e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..04a243cad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt new file mode 100644 index 000000000..6a9c5dde8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat new file mode 100644 index 000000000..737c9b9ef --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b76c1cd55 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..67896d543 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/ikev2/rw-eap-tnc-20/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt deleted file mode 100644 index 51423177a..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements -carol is authenticated successfully and is granted access to the subnet behind -moon whereas dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat deleted file mode 100644 index 2304df23e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf deleted file mode 100755 index c19192dae..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 7d5ea8b83..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index 621e94f0e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -none diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 6747b4a4a..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8700d3c5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt new file mode 100644 index 000000000..21e9bc675 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt @@ -0,0 +1,12 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of TNC client carol via the TNCCS 1.1 client-server interface and of +TNC client dave via the TNCCS 2.0 client-server interface. TNC server +moon dynamically detects which version of the IF-TNCCS protocol is used. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat new file mode 100644 index 000000000..2c7a2dbd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat @@ -0,0 +1,27 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES +moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..6a12318db --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..33945dc1e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a1a4a4747 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-dynamic + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..67896d543 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt deleted file mode 100644 index 350aefc60..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to -the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements carol -is authenticated successfully and is granted access to the subnet behind moon whereas -dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat deleted file mode 100644 index 517ea9ab2..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat +++ /dev/null @@ -1,14 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary deleted file mode 100644 index 1a27a02fc..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary +++ /dev/null @@ -1,2 +0,0 @@ -$INCLUDE /usr/share/freeradius/dictionary -$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc deleted file mode 100644 index f295467a9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc +++ /dev/null @@ -1,5 +0,0 @@ -ATTRIBUTE TNC-Status 3001 integer - -VALUE TNC-Status Access 0 -VALUE TNC-Status Isolate 1 -VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default deleted file mode 100644 index 802fcfd8d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default +++ /dev/null @@ -1,44 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second deleted file mode 100644 index 2d4961288..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second +++ /dev/null @@ -1,23 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config deleted file mode 100644 index a9509a716..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for TNC@FHH-TNC-Server - -IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9cf2b43c4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 998e6c2e5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index 621e94f0e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -none diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf deleted file mode 100755 index fc8f84638..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4d2d3058d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - server = PH_IP_ALICE - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat deleted file mode 100644 index 132752119..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::/etc/init.d/radiusd stop -alice::rm /etc/raddb/sites-enabled/inner-tunnel-second -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat deleted file mode 100644 index dc7d5934e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second -alice::cat /etc/raddb/sites-enabled/inner-tunnel-second -alice::/etc/init.d/radiusd start -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf deleted file mode 100644 index bb6b68687..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt deleted file mode 100644 index 7eebd3d4d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to -the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat deleted file mode 100644 index d0ea22ba9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary deleted file mode 100644 index 1a27a02fc..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary +++ /dev/null @@ -1,2 +0,0 @@ -$INCLUDE /usr/share/freeradius/dictionary -$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc deleted file mode 100644 index f295467a9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc +++ /dev/null @@ -1,5 +0,0 @@ -ATTRIBUTE TNC-Status 3001 integer - -VALUE TNC-Status Access 0 -VALUE TNC-Status Isolate 1 -VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default deleted file mode 100644 index 802fcfd8d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default +++ /dev/null @@ -1,44 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second deleted file mode 100644 index f91bccc72..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config deleted file mode 100644 index a9509a716..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for TNC@FHH-TNC-Server - -IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9cf2b43c4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 998e6c2e5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 33dcdcfb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,35 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f4e456bbe..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - server = PH_IP_ALICE - filter_id = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat deleted file mode 100644 index 132752119..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::/etc/init.d/radiusd stop -alice::rm /etc/raddb/sites-enabled/inner-tunnel-second -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat deleted file mode 100644 index 8dd865819..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat +++ /dev/null @@ -1,18 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second -alice::cat /etc/raddb/sites-enabled/inner-tunnel-second -alice::/etc/init.d/radiusd start -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf deleted file mode 100644 index 2a52df203..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt deleted file mode 100644 index 762b839ee..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon, -bothe ends doing certificate-based EAP-TLS authentication only. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat deleted file mode 100644 index cebfff25f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 1b6274215..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 54c06b12e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 50514c99f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 8898a63ba..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - request_peer_auth = yes - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt deleted file mode 100644 index 4b4808c94..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. - diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat deleted file mode 100644 index a02755148..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf deleted file mode 100755 index c19192dae..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 7d5ea8b83..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 50514c99f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8700d3c5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index 9129f160b..08b95659f 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,6 +2,7 @@ config setup crlcheckinterval=180 + uniqueids=no strictcrlpolicy=yes plutostart=no diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt new file mode 100644 index 000000000..8c0d37c88 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates which contain a critical but +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, +sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat new file mode 100644 index 000000000..1c23dcad6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/daemon.log::sending end entity cert::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e3c9dde4 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4ab41f2c --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} + +libstrongswan { + x509 { + enforce_critical = no + } +} diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..19e197131 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.der + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c45805ca6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat new file mode 100644 index 000000000..a4c96e10f --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf new file mode 100644 index 000000000..41ee3037e --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat index 912222eef..f1e33dc39 100644 --- a/testing/tests/p2pnat/behind-same-nat/pretest.dat +++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat @@ -11,4 +11,4 @@ carol::sleep 1 alice::ipsec start alice::sleep 1 venus::ipsec start -venus::sleep 2 +venus::sleep 4 diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat index a5c9a2fbb..fba7be01d 100644 --- a/testing/tests/p2pnat/medsrv-psk/pretest.dat +++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat @@ -16,4 +16,4 @@ carol::sleep 1 bob::ipsec start bob::sleep 1 alice::ipsec start -alice::sleep 2 +alice::sleep 4 diff --git a/testing/tests/sql/multi-level-ca/description.txt b/testing/tests/sql/multi-level-ca/description.txt new file mode 100644 index 000000000..123ab06b3 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/description.txt @@ -0,0 +1,6 @@ +The VPN gateway moon grants access to the subnet behind it to anyone presenting +a certificate belonging to a trust chain anchored in the strongSwan Root CA. +The hosts carol and dave have certificates from the intermediate +Research CA and Sales CA, respectively. Responder moon does not possess +copies of the Research and Sales CA certificates and must therefore request them from +the initiators carol and dave, respectively. diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..91113ce11 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..66b1473f1 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,192 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 9, X'3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420'); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'c71449851517718914a496532a1ee801b21c6aa5'); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 11, X'c400ef96d95d5ebb4b2309071f7a6cf3f65491bd' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 1, 1, X'308203c1308202a9a003020102020120300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353335305a170d3139303430343039353335305a3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b526573656172636820434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b639b23aa6e0075b58a73f4fb25a856a72f71b5d3db1e780137a95b9e961a1dfaf19c6b2f9831421591c277b7a046a43f02e2471dc12fdc351d7c9596032a559d4bdd95ca79f21063a717d33d73fd203071cd0690c94cec13120658e5546367bbc49e412819d7564a24de1b58e07af519da8d87edcb1266de809067813452471e0f289e7814efdbefc2d4cc1fab331af3c70fe59c8f2312602d2a5ba043b73d6ae31e142cfe3669527e74a85a11cde6a9bed2234acb40bedb922e13c36afa2de3b41888f01c01a87637bb622e7e5521f4d73d77f47abc6b113cc1ecdf45f51dafe6d14838f78fb0c2ac1f1016518f3c4c98c17fd521b82351374c3389decae390203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e04160414e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b050003820101008d6da16d1b2dcc815c0a3215e2ca1b2e1289b70d059b3fae80a173051abf47e8c8b74260c60528478738bbc8b1322389fa58e0c3f2dd20604395e972ce6f385c16f7b8cce987c1caa8f1e3eeea4c1a8e68b31705b789dcb230432262ae9a8767396c3ac71c8710a370c00c3ce0469968e974ea942e82e5c17f44161040dab11907589a9a06d4279339791344b9b9bcc51e816b0ff4391cffb6dfadc42f63c5c8c7a099ce155d2cb3b5ecddddf63ea86f286801c6354b672ab7cc3feb306db15d5c8a3d4e3acde94c08fd5476c33adad2f5730022e2ca246b4d8642b3ffaf00611eddb66c930de2036ce4d4af8537638e0c156332eeeb7205601bd6f2c1668992' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */ + 1, 1, X'3082042c30820314a003020102020106300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3130303430373039323035375a170d3135303430363039323035375a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414c400ef96d95d5ebb4b2309071f7a6cf3f65491bd306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101006a380523c2b3eb5d62d0886ef3e3350b65b59056cbe04a18ca89f7b6b8d167722acfa92c7fd2922824ba162ca5ab80c68a5d26b4cb653fe1ca717cd181263de8ce023bbdf0dba962c2666c14135a64a23fe6f2913cf2f253dada1ac85fa417820b2c19e2f71bf8456220fb2dcce6222b9cbfd6d486b0c11d9e55f6259b0900a85b2d14e60b4d8edcc6c6181410ab57949f5c6447ca67753593266159eb57d9954312c0b80b17dfd572101aedc21d100d38e0e0ad4dd69b898a322c59aa0eeb6af0662f58eccb7f6a8e29c471907c4f7de243ad638b78f1189da324481914280508908f8b6896d61770124c6807aa1dbfa70535d80dc1a2f24a51a47407b532d8' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 1, X'308204a50201000282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001028201010086869c20e739d7d63b7d3744b07a369a215a289b4654bec4d325817b0daf54c57de6af4a612ee00365379ad33ee4b7e55f699b2b5ce5f5ee0e6b7abe29226a2b9b7f74ae86699042cc94d12ba3d91e433a35cfe97a0760ade5bbf175a48ceb7f2ee19f3c7035610278c291b3a721458b760c7886beff10535ed291f4287ce359f4b860c5176456044775be950ebc8f753f885742b0c74006b2d50672a8cc050e5931de65cfbc09ad0c1560a1ae3f5bd830acd8cd004a0031e6cf42368d5d21bab02666fb38b9709b71be5f1d09ccdede38e65d88548f73236847013aacabebb361ad43d2ea59d92f544b858f222497dedc9e83a44488f96c0bcd0df8df8e678102818100ff6b7443e3a6b55b11e012f9a70b73fea85a51aaa36de73b7d48b945874f5d32c5fd04e45229c1a2c9721a93fa30f9b587a17d9d7e395b5889658a0492179d52be6b8adcfc6211597fc144732d59e7a7bfbc11ef6a6dd46471a7bc9366d8f501e261b977121e99ed028d241ba8070bff85bdbacd832b92627f6c8886be0b946102818100e930460397ee15d8cce4804db29972734574f10261a0438d757f45c83deba360e147315a5def25161fdc0e797a199cd89766092aade82aec47f4712ab963b027bb803fc618492d57b7e49e75c2e417f1de1517438ac04cbc7cc7095a7bec1cf8034c79a6351c1d0a3861861f6913e25e141428609dfa5937ebe97a5fdc1643ef0281810093ea65955f43cee8e38c3150f4a5145298aa5d7b055403421746c34c7994c37340e74b2af24e0e3e388ce4c9676d6f5eea21e27e0f7825e73b025b90540e6ae45d342861dba2eb4b3a49f15b061b77a554cb1453e2fda1af5d867715a1cce8ee636c969c5718f3a926fe17b81071ac4818ea8c40b1c2ccee4fbec9bdc6572c6102818100c2ba953d1afaaf33c4a66c9e75aebe6c946bfb77499f53ca257c8b0194f3da13650cd6a1e81f7490ed3a0ebc52c260c05e6dcee9dd202bf7f47ea4a250fe76743797f9a9ab4e309737f1aa821ca5ed790544079157a50e6fb8a35da43a280a68f21842de112bd0f45ff0d0d81a1f88c19772dde51107a6c9942ffd095ff917f102818004145ff4373203f45d993b33a9e6df3cf366c7b88768d6eb6775dbbf2bf73f92e4cd79452d3bc0843cff52a9d533b0707b53867896245df9a28d18e927e53c76d79bd98cd9ded9e5ccac227f3fb4e75fcb7236af5fd5f6e4fb8407663ae55d0e58898815594b9e9dcc4721386c89af7819625ab4d141456cc50b765880e04e1c' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..b8780e56e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,194 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */ + 9, X'304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'5f9b1346f92072c800d588b5a74c2e97ea0b9328' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'c9ca6b980be96d5f210d7fed1529eb6c567ec26c' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 11, X'671081ec8703e10c31abdf12d53275046eba1522' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales CN=Sales CA */ + 1, 1, X'308203bb308202a3a003020102020121300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353433335a170d3139303430343039353433335a304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c657320434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c24e4d26998c37b9511fa125ba1d704e34581c569beaf41620fe14b736734847fd07169b55dfaa773da9a3cf1a8c4ed817f05e01441df39d4331c6bad861b2f74c3e49963f5677b83af0b1caab98bcaae0923cedec527a7d608260951226f9e53e1f371ad320625aa1ee899fdbfd6701b607e52bde7140ff075c91276a27173a5cbf4329c464dd3c59b6ff52b837ed13d1bbf3b3ba3c94b27f2518865773d4465ee4f4ec52801b049d030d7271df9eb6903b5f41dc1ecdab742c0c8eb1569b62aff41bf7c16702cb7abe2a185dbedc2b2f3fb8cd5e785161e4afdbee22da602381b0512350378aaa14dcdab5bcf02aceb7a4388fd157d1eb7bd2f5afc5f574810203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145f9b1346f92072c800d588b5a74c2e97ea0b9328306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010024654ea5cc8c7cbbafbad69eaff4f721674dde9dfb2e8a9078fd92f612039abbc587663f7238f983f6aa93e762349ec9f302978648c8c5e77d46f3e4ebee5e9e12092d2021427a98aebee5fd5add449d07809ed0e7789a45084262f32850914aa7615a8573349ae5f814f56b977df9a2d600be52da9a94a103e01bae0c3e0872dd2c946f8a817a9964dc9751ffa3a00392d078db4b888ed8fdd6cc33646f9f6f38448231a764ea3761eea7a04d2c7bfa7cb8b1749a4cfa71bb6631987feedd9ee63a64386f22dd7ccebff69f510b0503e13394a3621190219566373343aca19500ab5ae4b1bc0700468b4b9773d7c15d645c7df237375fc8663fe86f9b775828' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */ + 1, 1, X'3082041c30820304a003020102020105300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3130303430373039343234315a170d3135303430363039343234315a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce70203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414671081ec8703e10c31abdf12d53275046eba1522306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100791f98e3a7d2ef103c89a7fdf1ec26aa3a12014a5e67de0ece8b58174f91872c187dfe5e62e92c24d5e7b2da8333a4782c743a202f2b65bf344a5eea49019b79c5669be48ec17e27214425786cebad37f17c0e2342846d129d81018b3462e4ad3a2c069db434f434bbfb884fc8e3d35b13c39daa7113d731eaf3699bb556421339917be726941ec47840840fe1b14ce9d82d159e2a0f80588138fdf2cdeecd1eabde25494b729bbd4b67d92630c007908c846db96f5486bb9398f84fa8f45f03cf71854c4a3a20a9ecdefaa6dfdc443e26446519dccbff5ed3a0b5989d5c242ea4039fa07e45fc273e4d845e776eb4facdcfa0b75b2ef334d9e272202d5c0abe' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 1, X'308204a50201000282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce702030100010282010100994a9a0fd5c37466f6e49729277b7353b1d4ae10352fc785654a3d7bddb9d610138ef62744418b543f9635d86662e6be82955fbde190920360673dc98c0931808ce81bdf5a68dc37d91efe33e4cc7883d23b0fc7c126c9b975b2ac130a5fcfb9399575406ae19b09aa61ea3a7fab140146a9c7865ce9887d349fa78360784f1c3a051defaf19b9e35b324ab2fb3a119897a5f27f58a7757906a1b0617b83ef6a579c6ac2c84204a7f6e4b6765e376f643b7bf074b886c49a4ad9de99eb4af4d549189aa62f37a1435ea645702bf186e4f60eff312161a7018f1a372a9b6fecccbe02b3d20cb584b18aba18dd02fe0d9c9d1bdf8af60e4d17b95795b117f475d102818100e76e0922daa0426c8196ad867cbd912b01b4399302e89566e92a45d3230cdd88d243ac46c2300841750c8bc5b17ee77c790abdef3e5f24dcd39cbb2d35e65f50048cc83315e97bbb2e478d2ec0b096604e2a690bc83f9768c6abeb39f73013359d9e97d43d75b78ada505dad5cbe8ea3484dd4207bd0628057e159b90018544f02818100e4d089fdbe62b874cc33cee7723a91285e85a66f36d3e64319a686f1f81c6318f04c916a314e48ca55d70dd5603b93038eefca897ef74056318f19b25ad7abe066c31da87127367dec9461c2683a844bfdbf9bd65636567a20dc7b390502ec50bcc7770904b8af308e3c3583892cb8831b5ff5fd9c4bc9b34c5e9b387b26efe902818008d236e2ef366091c636ba12803ab187d41ecc7b0007617a74b4b9c89c73671649fd6e599c193c975220d24b0cc2eb8be10939c81eb67daf3519aa40c4e72d06ddc587f3fa87d5c182b813778ebcac5eab5c0e78f67f0604665e332f186eeaac867f7f0605f9b0af4836fbfb19a7e1c3f38393ec510bd655520432e94c49a11d02818100c9b9988e5e34c68e222162bde59500b8686cc7c8b0bbabfb6837ca2cb522c1b310d7503420f7f5707cb135fef1f253b0056a1e538dde099873e4c730d8a9df5bdcfd13be96d38d550327e5eff0d7f61ed0bd0674b658fd707a5c273ea3ce69ecdc21b62dfb3d9f25dd9ff345ddbfd183b4b4ab38457d037bd14e6ee6229cb75102818100991ff421b606875609ed9f629b8e0c4d2cfa1fb6d39e62038ccdfff8857275256015bcdca151bae2c4397c856230bb73f4f1c345129bb3c4c1ce9cbb0bfc02d6a46aa6af48d7b20d490cef9b70e96763e547449e3767407cef57b6413bddc11f7ff808ec958ea2ecbfbdcce2cdf45e9a75a534ae548b6f457b4425182f53c97d' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..71141db03 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,164 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO certificate_authorities ( + certificate +) VALUES ( + 1 +); + +INSERT INTO certificate_distribution_points ( + ca, type, uri +) VALUES ( + 1, 1, 'http://crl.strongswan.org/strongswan.crl' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 4, 6 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index 54086643f..ef6849c11 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 4, 5, 0 + 'net-net', 1, 4, 5, 0, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index 2bc8b34c8..79a35ef68 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 5, 4, 0 + 'net-net', 1, 5, 4, 0, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-route-pem/description.txt b/testing/tests/sql/net2net-route-pem/description.txt new file mode 100644 index 000000000..5a6681f6e --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and the first two of +them are marked to be automatically routed by gateway moon via the start_action +field in the child_configs table. +

+In order to trigger the IKE connection setup and subsequently test both tunnel and firewall, client +alice behind gateway moon pings client bob located behind gateway sun +and bob in turn ping client venus behind gateway moon. diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat new file mode 100644 index 000000000..eaca715d5 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/evaltest.dat @@ -0,0 +1,16 @@ +moon::ipsec statusall::net-1.*ROUTED::YES +sun::ipsec statusall::net-1.*ROUTED::YES +moon::ipsec statusall::net-2.*ROUTED::YES +sun::ipsec statusall::net-2.*ROUTED::YES +moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES +moon::ipsec statusall::net-1.*INSTALLED::YES +sun::ipsec statusall::net-1.*INSTALLED::YES +sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES +moon::ipsec statusall::net-2.*INSTALLED::YES +sun::ipsec statusall::net-2.*INSTALLED::YES +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..a35643454 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-aes192-aes256-sha256-sha384-sha512-modp3072-modp4096-modp8192' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..97c482e05 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp3072' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 5, 4, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 0 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat new file mode 100644 index 000000000..5a537e15b --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -0,0 +1,13 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +sun::ipsec start +moon::ipsec start +moon::sleep 1 +alice::ping -c 1 PH_IP_BOB +bob::ping -c 1 PH_IP_VENUS diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf new file mode 100644 index 000000000..13a8a2a48 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/sql/net2net-start-pem/description.txt b/testing/tests/sql/net2net-start-pem/description.txt new file mode 100644 index 000000000..ff83304e8 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and are marked to be +automatically started by gateway moon via the start_action field in the +child_configs table. +

+In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun and +bob in turn ping client venus behind gateway moon. diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat new file mode 100644 index 000000000..eaacd0133 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +moon::ipsec statusall::net-1.*INSTALLED::YES +sun::ipsec statusall::net-1.*INSTALLED::YES +moon::ipsec statusall::net-2.*INSTALLED::YES +sun::ipsec statusall::net-2.*INSTALLED::YES +moon::ipsec statusall::net-3.*INSTALLED::YES +sun::ipsec statusall::net-3.*INSTALLED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..e828f8902 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,279 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp2048' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192-sha384-modp3072' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128gcm128' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192gcm128' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 2, 2 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 4 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 2, 4 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..c5676b749 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,273 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp2048' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192-sha384-modp3072' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128gcm128' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192gcm128' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 2, 2 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 5, 4, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 4 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 4 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 0 +); diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat new file mode 100644 index 000000000..3e168960d --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -0,0 +1,11 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +sun::ipsec start +moon::ipsec start +moon::sleep 2 diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf new file mode 100644 index 000000000..13a8a2a48 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" -- cgit v1.2.3